What is enough security?


by Andrew Briney, CISSP
06.10.2004


Every company answers this question differently, depending on its security mindset. This mindset, usually dictated by the board and the CEO, governs the company's fundamental approach to IT risk: How much are we at risk? What type of risk? What do we do about it?

Every CEO pays lip service to security. But when it's time to transform words into deeds, CEOs fall into one of four evolutionary stages of security enlightenment.

Stage 1: Security is a necessary evil. "I pay for IT security because I have to. The government is forcing security regulations down my throat, and I'll spend what's necessary to comply, but not a penny more. My board and shareholders demand financial results. I'm not about to invest a ton of money in security when there's a thousand other revenue opportunities to pursue."

Stage 2: Security is air conditioning. "Security is a basic necessity, like electricity or climate control. When the occasional heat wave hits, you crank up the AC. When you get nailed by a virus, you clean up and move on. In both cases, you're adjusting existing knobs, not adding new ones. AC isn't a business enabler; neither is security. Quantify the ROI of security? That's silly. You don't try to quantify the ROI of air conditioning, do you?"

Stage 3: Security is insurance. "There's risk in everything we do. That's what business is all about. I don't pay a lot of attention to all the muckety-muck about hackers and viruses. The Internet is just another risk vector, and we treat it like we treat all risk. We pay for internal security controls when there's a demonstrable threat to our business interests. Nobody can predict every possible bad outcome, so we concentrate on recovery instead of spending money on preventing theoretical failures. No matter what happens, we're confident we can quickly return to normal operations."

Stage 4: Security is quality. "You can't buy quality. It's not a product. It's a mindset and a never-ending process. To succeed, quality must permeate every aspect of our business. It's not just the responsibility of the executive and management team; every employee must have a tenacious commitment to it.

"Quality is intangible, but it's not ethereal. It's difficult to quantify, but its results are absolutely measurable. How much does quality cost? Nothing. It's free when everyone is committed to it."

Substitute the word "security" for every instance of "quality" above, and you're left with the definitive mission statement for security's role in the enterprise.

Notice what happens when you evolve from one stage to the next. Security becomes less reactive and more proactive; less programmatic (spend $X on encryption product A to protect database B to comply with regulation C) and more cultural.

As with quality, the benefit of security is difficult to quantify because the measure of its success is the absence of failure. As with quality, security doesn't become important until the company recognizes that it's more effective to address problems before an incident rather than after one. Remember the Firestone/Ford SUV tire fiasco a couple of years ago?

No, it's not easy to evolve from one stage to the next. But the first act of enlightenment is simply being aware that the next stage exists. So, the next time your manager asks, "Why is security important?" you know what to say.

"Because security is like quality."

About the author
Andrew Briney, CISSP, is editor-in-chief of Information Security magazine and editorial director of the TechTarget Security Media Group.

Note: This column originally appeared in the June issue of Information Security.
