Information Security: Why Bother?

I have heard this sentiment, perhaps not put quite as bluntly as that, on several occasions over the last few years when working with clients and engineers on security related projects. My role would have been to help embed a particular piece of security software, or to introduce a piece of consultancy or a business process, which would help improve the organisation's security posture.

The question, often raised as a bargaining tool, usually takes the form: 'I understand what you propose, and I know it will increase the security of scenario X, but why should I do it?'. In honesty, it is a good question. Organisations have finite budgets which must cover all of IT and related services, and it is a fair objective to have to show, via tangible or intangible RoI, that a piece of software or consultancy will have a beneficial impact on the organisation as a whole.

Justification and SRoI

Return on Investment, or Security Return on Investment (SRoI), is clearly a useful tool for showing that a particular security related project will benefit an organisation. An organisation will want to know whether, and how quickly, the investment will break even before it even starts to look at service and software providers to help implement such a project. During the business case and feasibility study phase, a basic high level SRoI can be used to decide whether initiating the project is actually worthwhile.

The main drivers for many security related initiatives have often been external factors. I call these factors external because they are generally reactionary and do not originate from the overall strategy of the business. They include compliance requirements and responses to previous security attacks or data breaches. If these factors didn't exist, would those security projects and budgets be allocated at all?

Security as a default

Unfortunately, the answer may be no, hence the thoughts prompted by this article's title. Security is often not seen as essential to the business strategy, whether from a delivery, efficiency or cost savings perspective. It is something the organisation feels it has to do. "If we don't sort the access control process out, we'll get fined". "If we get hacked again, and lose more customer records, our reputation will be unrecoverable". Sound familiar?

Security as a default option is probably some way off the agenda for many enterprise IT strategists. The fail-safe option is costly, complex and constantly evolving. The emergence of the CISO role is a great step forward in bringing security awareness into the overall business strategy. Whilst that role is currently focused on completing the 'must have' security practices, over time it may evolve to allow security to become the default option: default within the software development lifecycle, within new business processes, within employee attitudes, and so on.

Making this happen will take a careful balance: showing the tangible and intangible benefits of a better security posture, without restricting business or employee agility.
