
GUEST COMMENTARY

What is enough security?


by Andrew Briney, CISSP
06.10.2004




Every company answers this question differently, depending on its security mindset. This mindset, usually dictated by the board and the CEO, governs the company's fundamental approach to IT risk: How much are we at risk? What type of risk? What do we do about it?

Every CEO pays lip service to security. But when it's time to transform words into deeds, CEOs fall into one of four evolutionary stages of security enlightenment.

Stage 1: Security is a necessary evil. "I pay for IT security because I have to. The government is forcing security regulations down my throat, and I'll spend what's necessary to comply, but not a penny more. My board and shareholders demand financial results. I'm not about to invest a ton of money in security when there's a thousand other revenue opportunities to pursue."

Stage 2: Security is air conditioning. "Security is a basic necessity, like electricity or climate control. When the occasional heat wave hits, you crank up the AC. When you get nailed by a virus, you clean up and move on. In both cases, you're adjusting existing knobs, not adding new ones. AC isn't a business enabler; neither is security. Quantify the ROI of security? That's silly. You don't try to quantify the ROI of air conditioning, do you?"

Stage 3: Security is insurance. "There's risk in everything we do. That's what business is all about. I don't pay a lot of attention to all the muckety-muck about hackers and viruses. The Internet is just another risk vector, and we treat it like we treat all risk. We pay for internal security controls when there's a demonstrable threat to our business interests. Nobody can predict every possible bad outcome, so we concentrate on recovery instead of spending money on preventing theoretical failures. No matter what happens, we're confident we can quickly return to normal operations."

Stage 4: Security is quality. "You can't buy quality. It's not a product. It's a mindset and a never-ending process. To succeed, quality must permeate every aspect of our business. It's not just the responsibility of the executive and management team; every employee must have a tenacious commitment to it.

"Quality is intangible, but it's not ethereal. It's difficult to quantify, but its results are absolutely measurable. How much does quality cost? Nothing. It's free when everyone is committed to it."

Substitute the word "security" for every instance of "quality" above, and you're left with the definitive mission statement for security's role in the enterprise.

Notice what happens when you evolve from one stage to the next. Security becomes less reactive and more proactive; less programmatic (spend $X on encryption product A to protect database B to comply with regulation C) and more cultural.

As with quality, the benefit of security is difficult to quantify because the measure of its success is the absence of failure. As with quality, security doesn't become important until the company recognizes that it's more effective to address problems before an incident rather than after one. Remember the Firestone/Ford SUV tire fiasco a couple of years ago?

No, it's not easy to evolve from one stage to the next. But the first act of enlightenment is simply being aware that the next stage exists. So, the next time your manager asks, "Why is security important?" you know what to say.

"Because security is like quality."

About the author
Andrew Briney, CISSP, is editor-in-chief of Information Security magazine and editorial director of the TechTarget Security Media Group.

Note: This column originally appeared in the June issue of Information Security.
