By Stacy G. Layton

You're the chief of security for a medieval castle. How would you best defend it? A crocodile-filled moat? A fire-breathing dragon? Boiling oil on the parapets?

There are many options, given the myriad potential threats. To keep it simple, you offer three:

A. A simple lock on the front gate: Cheap, and potentially effective only because the castle next door is bigger and gaudier.

B. Life-size warrior statues in suits of armor: Cost-effective and dangerous-looking from afar, which "might" dissuade approaching invaders.

C. Real soldiers with swords and armor patrolling the perimeter: Expensive and labor-intensive, and certainly capable of engaging many existing threats, but will they actually protect you from the invading force of the future?

Now replace "castle" with "business". How much are companies willing to spend on information security, and what are the threats? The most prominent targets (e.g. credit card companies, banks, government agencies) employ the IT security equivalent of sword-wielding, armor-wearing knights: expensive and vigilant protection against relentless attacks. Entities with fewer resources in other sectors naively hope the hackers will go after the bigger, shinier targets instead.

The problem is that virtually every entity is interconnected: large and small, public and private. And the motivations for cyber attacks range from simple anti-establishment mischief, to theft and industrial espionage, to government-sponsored, politically motivated assaults. So essentially, everyone and everything is a potential target.

The best defense is often the most expensive option. Academic economists may muse about acceptable risk levels versus prevention and cleanup costs; security and risk mitigation consulting firms confront the realities of this conundrum on a daily basis.

Convincing a client that it requires maximum protection can be difficult, particularly when there is a significant cost difference between the consultant's recommended solution and the client's desire for merely adequate controls. The situation becomes more complex when some of the most sophisticated solution providers become victims of attacks themselves. And despite these very real threats, some clients and consultants question each other's motivations, which perpetuates the "buyer-beware" undercurrent of mistrust.

Trust between the protector and the protected matters; but the more practical issue is this: how do you value effective security?

After-the-fact damage control projects can be quantified, to an extent. Consulting on security for a hypothetical attack, however, yields a myriad of solutions, each exceedingly costly. Like many other aspects of IT, security cannot be looked at in a vacuum; any investment must be justified to the client.

Modern-day CIOs are often tasked with doing more with less. They must also manage the balance between cost and protection in a world where the threat is constantly evolving, and where the people working on and within the environment created by the technical solution can be the key to its success or the architects of its failure. Major data thefts have resulted from attacks against corporate firewalls, from peer-to-peer file sharing software, and even from "spear phishing" scams.

Mandated from the top, integrating a firm's employees into both a security system and a security culture is a critical aspect of keeping data and corporate reputations secure.
