The significance of securing as a critical component of information security: An Australian narrative

As information security is called upon to operate in increasingly unstable spaces, the role of the information security practitioner becomes ever more complex. Successful information security practice depends on tactics and strategies that situate the need for protection within organisational goals. These tactics and strategies have become progressively important as organisations are disrupted by digital technology. The locus of control is unpredictably distributed across groups within an organisation. Finding consensus about the need for security thus becomes challenging. Information security controls are an important part of the control structure but increasingly they are negotiated controls, making the process of securing as important as the security mechanisms themselves. We employ broader political and social theories of security, most notably Smith (2005), to analyse data from nine semi-structured interviews of Australian information security practitioners. Our findings delineate the interlinking concepts of securing and security. Security is straightforward. It is a state of being secure. Securing, on the other hand, is complex. It is a consensus-seeking, value-engagement process that enables the attainment of security. Through this analysis, we identify processes and techniques of securing tacitly employed by the participants. Central to effective securing practice is a participant's ability to, 'get the security message right.' The message is used to create an agreed value consensus across conflict-ridden environments. We contend that securing is often undervalued and not recognised as a distinct theoretical part of the discipline of information security. However, given the complexity and uncertainty of information security practice, we argue that securing needs to be considered as a critical component of being secure. (C) 2019 Elsevier Ltd. All rights reserved.