Why do many organizations lack adequate security?
Although security breaches cause over US$15 billion of damage worldwide annually, many organizations implement security solutions that are inadequate. Very often these organizations ARE spending "enough" money on security, but they are spending it in the wrong places or otherwise inappropriately. Often they do not remotely understand how much money, including "hidden dollars," they are spending. There are several reasons for this:
Failure to understand the business needs for security
In spite of efforts to implement some sort of security measures, many companies find that the solutions they implement are simply inadequate. This occurs for two principal reasons: they do not understand what security risks are associated with their business strategies, and they do not have a systematic way to intelligently secure their entire enterprise. Throwing money at security issues almost never works - a systematic plan is required, and that plan starts with a Risk Analysis.
Lack of Risk Analysis
Many organizations have never conducted a Risk Analysis and have little or no idea of the costs associated with an electronic break-in or other security breach. They have not quantified the value of their electronic data and do not understand the extent of the damage that can be done should a break-in occur. They do not understand how expensive the loss of access to key IT resources can be. They often have not considered how intangibles, for example a company's reputation, can be affected. If your website is down for three hours, will you lose $10,000, $100,000, $1,000,000 or more? How about your internal Customer Relationship Management solution? What about your Inventory Management software - will you even be able to ship products, or take orders?
What about your organization's reputation?
Extortionists regularly target organizations' reputations, and extortion is a major growth area in cybercrime. After an organization's information assets have been compromised, for example when customer lists with credit card information have been stolen, the organization is contacted by a "security consultant." They have found certain security holes and can fix them for $X. These thinly veiled extortion attempts are very common. How much would it be worth to keep your information secure, your customer goodwill intact, and your company's new troubles off the front page of the newspaper? But the damage is already done - and paying extortionists doesn't make them go away, at least not for long (hint: call the authorities - the FBI if you're in the USA). If you don't know how valuable your resources are, it is impossible to determine how to adequately protect them.
Security misperceptions
Many executives still believe that security problems are solved by technology or products alone, for example by installing a “box” such as a firewall or intrusion detection device. Many decision makers remember when, not too long ago, they were told (often literally) “a firewall will solve all your security problems.” They remember when, not long after, they were told “you also need an Intrusion Detection System – it will solve all your security problems,” and perhaps “what you really need is Virus Protection.” They are understandably reluctant when it comes to spending on security, especially since many don’t understand the business value. Technologies or products alone are not a security solution, but only part of a security solution. Security is a process. It includes technologies/products, policies, and procedures.
A Security Policy is documentation that describes how an organization manages, protects and enforces its security infrastructure. It defines appropriate behavior and typically has several parts. Examples include firewall policy, password policy, acceptable use policy, etc. A security policy provides a foundation for all your subsequent actions, and it allows you to establish procedures. For example, a virus protection policy might state that virus protection software needs to be updated daily, and the related procedure will explain how it is updated. Having a security policy in place does not guarantee that intrusions or loss of information will be eliminated. Effective security policies require vigilance and constant updating of technologies, as well as procedures, to deal with new threats. And it is important to realize that nothing usable is 100% secure. Even Fort Knox could theoretically be robbed, although the likelihood is extremely small.
A separation of Security and Networking Solutions
A very big problem many organizations have is that they have separated their security organization from their networking organization. The two groups have very different goals and agendas and often clash. A network group’s goal is providing network access, while a security group’s goal is to provide an appropriate level of security for the organization, which often involves restricting network access. In many organizations, the network and security personnel are not harmonized and do not work well together – sometimes they are openly hostile towards each other (in a recent IT Assessment project, the term "hate" was used often). Satisfying the goals of each group can be challenging if they are not synchronized, and trying to implement an appropriate security solution can be essentially impossible.
Failure to understand that many “hidden” dollars are already spent on security
Effort spent fighting viruses, worms, re-imaging workstations, etc., IS time and money spent on security. And it very likely could be spent more effectively elsewhere – proactively instead of reactively: for example, avoiding a worm infestation instead of cleaning up after one. Far too often I hear "we don't have any more money in the budget for security." Oh yeah? And do you have money budgeted for the next worm or virus that hits you?