How do you know when you have "enough" security? Every company answers this question differently, depending on its security mindset. This mindset, usually dictated by the board and the CEO, governs the company's fundamental approach to IT risk: How much are we at risk? What type of risk? What do we do about it?
Every CEO pays lip service to security. But when it's time to transform words into deeds, CEOs fall into one of four evolutionary stages of security enlightenment.
Stage 1: Security is a necessary evil. "I pay for IT security because I have to. The government is forcing security regulations down my throat, and I'll spend what's necessary to comply, but not a penny more. My board and shareholders demand financial results. I'm not about to invest a ton of money in security when there's a thousand other revenue opportunities to pursue."
Stage 2: Security is air conditioning. "Security is a basic necessity, like electricity or climate control. When the occasional heat wave hits, you crank up the AC. When you get nailed by a virus, you clean up and move on. In both cases, you're adjusting existing knobs, not adding new ones. "AC isn't a business enabler; neither is security. Quantify the ROI of security? That's silly. You don't try to quantify the ROI of air conditioning, do you?"
Stage 3: Security is insurance. "There's risk in everything we do. That's what business is all about. I don't pay a lot of attention to all the muckety-muck about hackers and viruses. The Internet is just another risk vector, and we treat it like we treat all risk. We pay for internal security controls when there's a demonstrable threat to our business interests. Nobody can predict every possible bad outcome, so we concentrate on recovery instead of spending money on preventing theoretical failures. No matter what happens, we're confident we can quickly return to normal operations."
Stage 4: Security is quality. "You can't buy quality. It's not a product. It's a mindset and a never-ending process. To succeed, quality must permeate every aspect of our business. It's not just the responsibility of the executive and management team; every employee must have a tenacious commitment to it.
"Quality is intangible, but it's not ethereal. It's difficult to quantify, but its results are absolutely measurable.
"How much does quality cost? Nothing. It's free when everyone is committed to it."
Substitute the word "security" for every instance of "quality" above, and you're left with the definitive mission statement for security's role in the enterprise.
Notice what happens when you evolve from one stage to the next. Security becomes less reactive and more proactive; less programmatic (spend $X on encryption product A to protect database B to comply with regulation C) and more cultural.
As with quality, the benefit of security is difficult to quantify because the measure of its success is the absence of failure. As with quality, security doesn't become important until the company recognizes that it's more effective to address problems before rather than after an incident. Remember the Firestone/Ford SUV tire fiasco a couple years ago?
No, it's not easy to evolve from one stage to the next. But the first act of enlightenment is simply being aware that the next stage exists. So, the next time your manager asks, "Why is security important?" you know what to say.
"Because security is like quality."
About the author:
Andrew Briney, CISSP, is the editor-in-chief of Information Security and editorial director of the TechTarget Security Media Group.