
Monday, January 31, 2011

PART #1 — Security and Fraud: Do we need to be fraud experts?

By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

If you boil security down, it can be defined as the controls we use to protect assets from threats.  However, it has become more than that. The tools and tactics revolving around threats have changed.  It may sound a touch naïve, but the more I address today’s security issues and the risks that are keeping people up at night, the more I see security becoming a matter of fraud.

The increasing number and availability of highly effective, easy-to-use tools, combined with the organization of threat services obtainable to virtually everyone, broadens the threat spectrum significantly.  The expansion of threat potential and applicability is causing the landscape to change rapidly.

This new threat environment, combined with the increasingly complex nature of business’s use of entangled technology, is making it more difficult to identify traditional attacks.  Therefore, how we provide security control is morphing into a model of fraud detection as opposed to security event detection.

Security is the establishment of controls relative to threats.  We focus on minimizing vulnerabilities and creating a defensive model that provides visibility into the environment and helps us respond to events.  In short, this approach looks for activity that falls outside the normal, expected spectrum.  Conversely, fraud, at least in this context, is the potential harm that normal and accepted activities can have on the business.

For example, security includes the controls a bank has put in place to protect against exposure and theft of my credit card data.  When those security controls fail, the bank and I are exposed to fraud – e.g., a hacker steals my credit card data and uses it to make a seemingly authorized purchase, which could go completely undetected.

Fraud detection is when I use my credit card to purchase gas at a local station, but within five minutes, my credit card is used to purchase an item 400 miles away.  Clearly, something is wrong.
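The velocity check described above, as an added example that is not code from the original post: it flags two uses of the same card whose implied travel speed is physically implausible, even though each purchase on its own looks legitimate. The transactions, coordinates and the 600 mph threshold are constructed assumptions.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

@dataclass
class Transaction:
    card: str
    ts: int          # seconds since epoch (constructed sample values)
    lat: float
    lon: float
    merchant: str

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in statute miles between two lat/lon points."""
    earth_radius_miles = 3958.8
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_miles * asin(sqrt(a))

def impossible_travel(txns, max_mph=600.0):
    """Return alerts for consecutive uses of one card whose implied speed exceeds max_mph.

    Each individual purchase is 'normal'; only the pair of events is anomalous,
    which is what separates this check from a per-event security control.
    """
    alerts = []
    last_seen = {}                       # card -> most recent transaction seen
    for t in sorted(txns, key=lambda x: (x.card, x.ts)):
        prev = last_seen.get(t.card)
        if prev is not None:
            miles = haversine_miles(prev.lat, prev.lon, t.lat, t.lon)
            hours = max(t.ts - prev.ts, 1) / 3600.0   # treat sub-second gaps as one second
            mph = miles / hours
            if mph > max_mph:
                alerts.append((t.card, prev.merchant, t.merchant, miles, mph))
        last_seen[t.card] = t
    return alerts

# Constructed sample: card-A buys gas, then is used ~400 miles away five minutes later.
SAMPLE_TXNS = [
    Transaction("card-A", 1000, 35.0, -100.0, "local gas station"),
    Transaction("card-A", 1300, 35.0, -107.0, "electronics store"),
    Transaction("card-B", 1000, 35.0, -100.0, "grocery"),
    Transaction("card-B", 8200, 35.0, -100.2, "pharmacy"),   # ~11 miles in two hours
]

if __name__ == "__main__":
    for card, a, b, miles, mph in impossible_travel(SAMPLE_TXNS):
        print(f"{card}: {a} -> {b}, {miles:.0f} mi implies {mph:.0f} mph")
```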

With the above definitions, security is directed at an unknown, endless sea of threats: it protects information by attempting to clearly differentiate “us” from “them.”  When security fails, that differentiation is blurred, “they” become “us,” and the enemy is among us, looking and acting like us.  The result — a massive increase in fraud-like conditions, even as traditional threats increase.

In the next article in this series, I’ll elaborate more on the threats that are out there and begin to tie this into the importance of fraud in security.

One Response to “PART #1 — Security and Fraud: Do we need to be fraud experts?”

  1. [...] This post was mentioned on Twitter by SecureThinking, sir jester. sir jester said: RT @SecureThinking: A new series of posts from Jim Tiller on Security and Fraud. Part 1: Do we need fraud experts? http://bit.ly/fBfHzu [...]
