So what is security anyhow?
Security is not about awareness.
A lot of folks talk about the people factor and how investing in security awareness training is key for data protection.
I think that investing in formal security awareness training, internal advertising campaigns and all kinds of fancy booklets and cards for employees is a waste of time and money. I prefer a CEO who says “here are my 4 rules” and tells his staff to abide by them; they tell their direct reports to abide by them, and so on until it trickles down to the people at the front desk. Making common-sense security part of the performance review is more effective than posters and HR training.
Security, from this perspective, is an exercise in leadership. Unfortunately, in many organizations the management board sees itself as exempt from the information security rules it demands of its middle managers and employees. It might be a general manager bringing his new notebook into the office, jacking into the corporate LAN and then attaching a wireless USB dongle, effectively bridging the corporate network to the Internet with a capital I: the notebook is now a dual-homed host with a path to the Internet that bypasses the perimeter firewall, and he neither understands nor really cares about the hole he just opened.
Security is not an enterprise GRC system
If you take a look at the big enterprise GRC systems from companies like Oracle, you see an emphasis placed on MANAGING THE GRC PROCESSES: document management and signature loops for ISO certification, SOX audits etc. I suppose this makes the auditors, the CRO and the Oracle salesperson happy, but it has nothing to do with making secure software. In my world, most hackers attack software, not audit compliance processes and GRC documentation. In other words, managing GRC processes adds no value to security.
Security doesn’t improve your bottom line
Have you ever asked yourself why security is so hard to sell?
There are two reasons.
1) Security is complex stuff, and it’s hard to sell stuff people don’t understand.
2) Security is about mitigating the impact of an event that might not happen, not about making the business operation more effective.
Note a curious trait of human behavior, formalized in prospect theory (developed by Daniel Kahneman and Amos Tversky in 1979): people, including the managers who buy security, are risk-averse over prospects involving gains but risk-seeking over prospects involving losses.
In other words, a CEO would rather take the gamble of a data breach (high impact, but low probability) than accept the certain loss of paying for DLP technology that she does not understand; that is exactly the risk-seeking-in-losses behavior prospect theory predicts. Managers are not stupid; they know what needs to be done to make more money or survive in a downturn. If the choice is between making payroll, buying a machine that makes widgets faster for less money, and that important DLP system, you can be sure the CEO will sign off on payroll and the machine first.
Since almost no companies actually maintain security metrics, the cost of their assets and the cost of their security portfolio, in order to track value at risk against security spend over time, a hypothesis of return on security investment cannot be proven. Indeed, the opposite seems true: judging by the behavior of most companies, they do not believe that security saves them money.
So what is security?
It’s like the brakes on your car. You would not get into a car without brakes or with faulty brakes. But brakes are a safety feature, not a vehicle function that improves miles per gallon. It’s clear that a driver with a lighter foot on the brakes will get better mileage, and, continuing the analogy, perhaps spending less money on security technology and more on security professionals will get you a better return on security investment.
Challenge your assumptions about what makes for effective security in your organization. Is enterprise security really about multiple networks and multiple firewalls with thousands of rules? Perhaps a simpler firewall configuration in a consolidated enterprise network is more secure and cheaper to operate?
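As an added illustration of why a smaller rule set is easier to get right (this is example code written for this page, not code from the original post or from any firewall vendor), the script below finds shadowed rules in a first-match rule list: rules that can never fire because an earlier rule already matches every packet they would match. The one-line rule format, the rule names and the addresses are all constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Rule:
    """One first-match firewall rule (constructed, simplified format)."""
    name: str
    action: str                # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str                 # "tcp", "udp" or "any"
    dport: tuple[int, int]     # inclusive destination port range


def parse_rule(line: str) -> Rule:
    """Parse 'name action src dst proto port' where port is N, N-M or any."""
    name, action, src, dst, proto, ports = line.split()
    if ports == "any":
        lo, hi = 0, 65535
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
    else:
        lo = hi = int(ports)
    return Rule(name, action, ip_network(src), ip_network(dst), proto, (lo, hi))


def load_rules(text: str) -> list[Rule]:
    """Parse a rule list, skipping blank lines and '#' comments."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is also matched by rule a."""
    return (
        b.src.subnet_of(a.src)
        and b.dst.subnet_of(a.dst)
        and (a.proto == "any" or a.proto == b.proto)
        and a.dport[0] <= b.dport[0] <= b.dport[1] <= a.dport[1]
    )


def shadowed_rules(rules: list[Rule]) -> list[tuple[str, str, bool]]:
    """For a first-match list, return (shadowed, shadowing, action_conflict).

    A rule is shadowed by the first earlier rule that covers it; it can
    never fire. action_conflict is True when the shadowing rule does the
    opposite of the shadowed one, e.g. a deny that sits under a broader
    allow, which is the case that silently weakens the policy.
    """
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name, earlier.action != later.action))
                break
    return found


# Constructed sample rule set; names and addresses are made up for the example.
RULES_TEXT = """\
r1 allow 10.0.0.0/8      10.1.1.5/32   tcp 443
r2 deny  0.0.0.0/0       10.1.1.0/24   tcp 1024-65535
r3 allow 10.2.0.0/16     10.1.1.5/32   tcp 443
r4 allow 192.168.0.0/16  10.1.1.0/24   any any
r5 deny  192.168.5.0/24  10.1.1.7/32   tcp 22
r6 allow 172.16.0.0/12   10.1.1.0/24   udp 53
"""

if __name__ == "__main__":
    for shadowed, by, conflict in shadowed_rules(load_rules(RULES_TEXT)):
        kind = "never fires and its action differs" if conflict else "dead rule"
        print(f"{shadowed} is shadowed by {by}: {kind}")
```

On the sample set, r3 is a harmless duplicate of r1, but r5 is the case that matters: the rule set reads as if SSH to that host is blocked, yet the broader allow in r4 matches first and the deny never sees a packet. Every extra rule in a list of thousands is another place for this to hide, which is the practical argument for the simpler configuration. Real firewalls add zones, negation, stateful matching and address objects that this check deliberately ignores.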