Isn’t it smarter to use indicators rather than incidents as cues to invest in security?
Thursday, November 18th 2010 @ 7:34 AM
The way I look at it – just like borrowing money, or taking your car into the shop – the best time to invest in security is when you don’t need it. But the good news is that investing in security can be much cheaper if you consider planning ahead as an investment.
Waiting Too Long Can Be Expensive
Why is it that we always wait until we badly need something before we try to acquire it? Sometimes, it’s unavoidable. But when significant indicators are telling us that risks are increasing, we tend to wait until all signs are pointing in one direction before taking action. By that time, everyone is moving in that direction, which means that by the law of supply and demand, it will probably be more expensive to get there if we wait until everyone else has the same idea. Or, the vehicle will grind to a halt before you can get to the mechanic's shop - a gamble I hate to lose...
From another point of view, when the economy starts to show signs of weakness, it might be a good time to invest in getting some credit, even if it’s not clear you will need it. As my accountant says, “The worst time to ask for money from a bank is when you really need it.”
When to Start Looking at Technology Risks
When you can see increasingly risky trends such as growth in remote access and teleworking from outside the office, or increased use of social media sites from within the office network, that is probably a good time to take some kind of action with respect to security. While these can be important activities for increasing short-term productivity or customer touch points – which means management will not hesitate to support them – the uncontrolled use of these technologies can be very risky in predictable ways if they aren’t implemented with some view to security.
Of course, there can be a certain amount of paralysis as indicators emerge. When indicators conflict, it’s hard to get consensus because the way forward or the right safeguards are not clear. But that doesn’t mean you shouldn’t dedicate some time and effort to understanding the problem, and how it could impact your business operations.
I’m not saying you need to implement safeguards for every risk that appears in the news. But by the time the media starts talking about a specific technology risk, Fred in Marketing has probably already started using it without consulting anyone. Experienced IT managers can smell risks to their networks from quite a distance. So, listening to them can be a good indicator to management. Think of them as your inner conscience that knows there’s a problem, but doesn’t always know how to express the consequences in business terms that management can understand without some discussion.
If you leave the security planning discussion until the incidents are forcing you to think about them on a regular basis, not only will it be expensive to change people’s behaviors, but the IT group will already be too busy putting out the fires to evaluate long-term strategic options.
What Do You Think?
Would your business be more productive if it could accurately assess emerging technology risks ahead of time? Or do you have a happy rhythm of using incidents such as virus infections or data breaches as the evidence you need to convince management to take action? [FYI - according to a study by Panda Security, which we discussed in the Social Media Security Podcast, 33% of small and medium-sized businesses have had malware infections that were attributed to the use of social networks.]