We have all seen them, teenagers who are growing and growing fast. So fast they have awkward moments absent in their early years and likely to subside in the short term as their bones and muscles catch up with each other. The body is improving during this time, maturing into what it will be: bones and muscles working harmoniously together to perform a series of purposes.

IT Security is a teenager. For years, it has been a fairly successful venture. Companies strive to keep unscrupulous people out and the number of products provided by the market has been plentiful. Industries with a heightened sense of awareness have seen regulatory agencies provide oversight and guidance. All of this effort and spending relate ultimately to one asset: information. HIPAA (Healthcare) directs us to establish an “accurate inventory of where they stored patient data.” GLBA (Finance) requires an “inventory of information assets, including data”. PCI DSS (Credit Card), DFARS (Defense), and FERPA (Education) follow suit.

People responsible for securing sensitive data need to know where it is, what needs to be available, who can see it and how to ensure it is trustworthy.

Our industry has even provided the organizational employee structure around data security with positions such as the Chief Information Officer, the Information Security Officer, the Information Technology Manager and the Information Systems Auditor. Every year, we initiate an information systems risk assessment and update our information security policies and programs. We even buy costly insurance against the risk of data breaches.

Even our education and certification activities recognize the universe centers on information with the Certified Information Systems Auditor (CISA), the Certified Information Systems Security Professional (CISSP), and the Certified in Risk and Information Systems Control (CRISC), to name a few.

With well over a decade of tremendous attention, spending, and innovation, what is occurring? We lose more information each year than the previous year and we spend more money on controls for the pleasure of having the opportunity to practice our incident response plans.

The cold truth in the work of IT Security is that we are teenagers, struggling to find the grace and balance in our steps and athleticism because we are not focused on the goal of our pursuits: protecting our information. We aren’t even accurately identifying it. We are identifying around where we think it is.

It is a universal truth that you cannot protect what you do not know. And in the world of IT Security, we need to be reintroduced to our growing bodies to ensure the preservation and safeguarding of our information.