What is security?

So what is security anyhow?

Security is not about awareness.

A lot of folks talk about the people factor and how investing in security awareness training is key for data protection.

I think that investing in formal security awareness training, internal advertising campaigns and all kinds of fancy booklets and cards for employees is a waste of time and money. I prefer a CEO who says “here are my 4 rules” and tells his staff to abide by them, who in turn tell their direct reports to abide by them, until it trickles down to the people at the front desk. Making common sense security part of the performance review is more effective than posters and HR training.

Security, from this perspective, is indeed an exercise in leadership. Unfortunately, in many organizations, the management board sees itself as exempt from the information security rules that it demands of middle managers and employees. It might be a general manager bringing his new notebook into the office, jacking into the corporate LAN and then attaching a wireless USB dongle, effectively bridging the corporate network to the Internet with a capital I, not understanding and not really caring about the vulnerability he just created.

Security is not an enterprise GRC system

If you take a look at the big enterprise GRC systems from companies like Oracle, you see an emphasis placed on MANAGING THE GRC PROCESSES: document management and signature loops for ISO certification, SOX audits etc. I suppose this makes the auditors, the CRO and the Oracle salesperson happy, but it has nothing to do with making secure software. In my world, most hackers attack software, not audit compliance processes and GRC documentation. In other words, managing GRC processes is a non-value add for security.

Security doesn’t improve your bottom line

Have you ever asked yourself why security is so hard to sell?

There are two reasons.

1) Security is complex stuff, and it’s hard to sell stuff people don’t understand.

2) Security is about mitigating the impact of an event that might not happen, not about making the business operation more effective.

Note a curious trait of human behavior (formalized in prospect theory, developed by Daniel Kahneman and Amos Tversky in 1979): people (including managers who buy security) are risk-averse over prospects involving gains, but risk-loving over prospects involving losses.

In other words – a CEO would rather take the risk of a data breach (which might be high impact, but low probability) than invest in DLP technology that he does not understand. Managers are not stupid – they know what needs to be done to make more money or survive in a downturn. If it’s making payroll or getting a machine that makes widgets faster for less money – you can be sure the CEO will sign off on making payroll and buying the machine before she invests in that important DLP system.

Since almost no companies actually maintain security metrics and the cost of their assets and security portfolio in order to track Value at Risk against the security portfolio over time, a hypothesis of return on security investment cannot be proven. Indeed, the converse is true: judging by the behavior of most companies, they do not believe that security saves them money.

So what is security?

It’s like brakes on your car. You would not get into a car without brakes or with faulty brakes. But brakes are a safety feature, not a vehicle function that improves miles per gallon. It’s clear that a driver who has a lighter foot on the brakes will get better mileage, and, continuing the analogy, perhaps spending less money on security technology and more on security professionals will get you a better return on security investment.

Challenge your assumptions about what makes for effective security in your organization. Is enterprise security really about multiple networks and multiple firewalls with thousands of rules? Perhaps a simpler firewall configuration in a consolidated enterprise network is more secure and cheaper to operate?


4 thoughts on “What is security?”

  1. Interesting stuff. Unfortunately, some folks wouldn’t think twice and drive without brakes. I agree with you completely that compliance does not equal security (many people don’t know this). On the other hand, the business is not in business to be secure but rather to make money. As security professionals, we need not forget that to make money risks must be taken. To be secure, risks must be mitigated. Would I prefer that business leaders take security more seriously? Of course I would. I believe that the black-listing approach has run its course and white-listing should take its place. I also think passwords are no longer viable in today’s day and age. Security is a management issue; sorry to say this, but last time I checked, some of them were human. I also find it hard to believe that a CEO faced with a data breach that would cause the loss of millions would prefer incurring the loss as opposed to being secure.

    1. Jason,

      I agree. What is happening is that the security technologies (like the exploits) are getting more and more complex and more difficult for customers to understand, let alone adopt in a cost-effective way. I think DLP is a case in point: since the market space is small, the vendors pegged high price tags and tried to make up for product gaps with professional services. Some vendors like Verdasys take a page out of the enterprise play book and call their offering Enterprise Information Protection, the obvious fallacy being that ERP (Enterprise Resource Planning) is core to revenue and EIP is a cost that may mitigate a future threat.

      If a CEO knew for sure that he was going to get attacked by a data breach from a particular vector, I’m sure he would invest in countermeasures. But the CEO is not sure he will get hit and he doesn’t really know what kind of damage he might incur, so he prefers a future risk over a current cost.

  2. While I agree that posters and crazy rambling meetings with HR do little to improve security, you almost contradict yourself with “I prefer a CEO that says ‘here are my 4 rules’ and tells his staff to abide by them, who tell their direct reports to abide by them until it trickles down to the people at the front desk. Making common sense security part of the performance review”. Isn’t that a form of security awareness training? Let’s not forget, “common sense security” to the average user is having a firewall and AV running.
    Keeping in mind, exploits can happen even when security measures are in place.

    In a real world business example, you take every precaution to mitigate the risk without causing too much of an adverse effect on business. You remove every point of failure you can from the end user (prox cards and readers that lock a desktop when the user steps away, for example), but because you need to assume some risk to perform business functions, you add the less reliable, but still necessary, end user awareness.

    1. Thanks for the great input. You are correct that the message is a bit unclear in the post, as if common sense security contradicts or supplants security awareness training; of course it doesn’t.

      I am advocating that security be part of the business culture, not a bolt-on component like installing an anti-virus on a Windows PC or running a security awareness training program that peters out over time and turns into something for the employees but not for the upper management. Protecting company digital assets should be a core value in a company’s culture, just like the values of innovation, meritocracy and customer service. I would rather see a company mission statement say something like “we commit to the security of our customer data” alongside mantras like “our customer comes first….”
