What is enough security?

Every company answers this question differently, depending on its security mindset. This mindset, usually dictated by the board and the CEO, governs the company's fundamental approach to IT risk: How much are we at risk? What type of risk? What do we do about it?

Every CEO pays lip service to security. But when it's time to transform words into deeds, CEOs fall into one of four evolutionary stages of security enlightenment.

Stage 1: Security is a necessary evil. "I pay for IT security because I have to. The government is forcing security regulations down my throat, and I'll spend what's necessary to comply, but not a penny more. My board and shareholders demand financial results. I'm not about to invest a ton of money in security when there are a thousand other revenue opportunities to pursue."

Stage 2: Security is air conditioning. "Security is a basic necessity, like electricity or climate control. When the occasional heat wave hits, you crank up the AC. When you get nailed by a virus, you clean up and move on. In both cases, you're adjusting existing knobs, not adding new ones. AC isn't a business enabler; neither is security. Quantify the ROI of security? That's silly. You don't try to quantify the ROI of air conditioning, do you?"

Stage 3: Security is insurance. "There's risk in everything we do. That's what business is all about. I don't pay a lot of attention to all the muckety-muck about hackers and viruses. The Internet is just another risk vector, and we treat it like we treat all risk. We pay for internal security controls when there's a demonstrable threat to our business interests. Nobody can predict every possible bad outcome, so we concentrate on recovery instead of spending money on preventing theoretical failures. No matter what happens, we're confident we can quickly return to normal operations."

Stage 4: Security is quality. "You can't buy quality. It's not a product. It's a mindset and a never-ending process. To succeed, quality must permeate every aspect of our business. It's not just the responsibility of the executive and management team; every employee must have a tenacious commitment to it.

"Quality is intangible, but it's not ethereal. It's difficult to quantify, but its results are absolutely measurable. How much does quality cost? Nothing. It's free when everyone is committed to it."

Substitute the word "security" for every instance of "quality" above, and you're left with the definitive mission statement for security's role in the enterprise.

Notice what happens when you evolve from one stage to the next. Security becomes less reactive and more proactive; less programmatic (spend $X on encryption product A to protect database B to comply with regulation C) and more cultural.

As with quality, the benefit of security is difficult to quantify because the measure of its success is the absence of failure. As with quality, security doesn't become important until the company recognizes that it's more effective to address problems before rather than after an incident. Remember the Firestone/Ford SUV tire fiasco a couple of years ago?

No, it's not easy to evolve from one stage to the next. But the first act of enlightenment is simply being aware that the next stage exists. So, the next time your manager asks, "Why is security important?" you know what to say.

"Because security is like quality."

About the author
Andrew Briney, CISSP, is editor-in-chief of Information Security magazine and editorial director of the TechTarget Security Media Group.

Note: This column originally appeared in the June issue of Information Security.

This was first published in June 2004
