security planning, incidents, indicators, metrics, panda security, rosi, justification
HOME
PAGE
MEMBER RESOURCES
ABOUT US
FORUMS
PARTNERS
PRODUCTS & SERVICES
FREE RESOURCES
LOGIN
HERE
JOIN
NOW!
You are not logged in. Access is limited. Login or see membership information. • Streetwise Security Zone Community

To see the list of all blogs, including Scott Wright's Security Views Blog and the Streetwise Security Zone Podcast click HERE. You also can subscribe via an RSS reader, or check the "Watch This" box in the left column to receive news by email of new articles.


Watch this Blog Notify me by e-mail any time a new post is made to this blog.

Scott Wright's editorials on a variety of security issues for non-technical business managers and home computer users. Please feel free to comment and help spread the word that managers need to think about their information security risks.

November 2010 Posts

Archives
  Scott Wright's Security Views
Blog Entry

Isn’t it smarter to use indicators rather than incidents as cues to invest in security?

Thursday, November 18th 2010 @ 7:34 AM (not yet rated)    post viewed 2810 times

The way I look at it – just like borrowing money, or taking your car into the shop – the best time to invest in security is when you don’t need it. But the good news is that investing in security can be much cheaper if you consider planning ahead as an investment.

Waiting Too Long Can Be Expensive

Why is it that we always wait until we badly need something before we try to acquire it? Sometimes, it’s unavoidable. But when significant indicators are telling us that risks are increasing, we tend to wait until all signs are pointing in one direction before taking action. By that time, everyone is moving in that direction, which means that by the law of supply and demand, it will probably be more expensive to get there if we wait until everyone else has the same idea. Or, the vehicle will grind to a halt before you can get to the mechanic's shop - a gamble I hate to lose...

From another point of view, when the economy starts to show signs of weakness, it might be a good time to invest in getting some credit, even if it’s not clear you will need it. As my accountant says, “The worst time to ask for money from a bank is when you really need it.”

When to Start Looking at Technology Risks

When you can see increasingly risky trends such as growth in remote access and teleworking from outside the office, or increased use of social media sites from within the office network, that is probably a good time to take some kind of action with respect to security. While these can be important activities for increasing short term productivity or customer touch points – which means management will not hesitate to support them – the uncontrolled use of these technologies can be very risky in predictable ways if they aren’t implemented with some view to security.

Of course, there can be a certain amount of paralysis as indicators emerge. When indicators conflict it’s hard to get consensus because the way forward or the right safeguards are not clear. But that doesn’t mean you shouldn’t dedicate some time and effort to understanding the problem, and how it could impact your business operations.

I’m not saying you need to implement safeguards for every risk that appears in the news. But by the time the media starts talking about a specific technology risk, Fred in Marketing has probably already started using it without consulting anyone. Experienced IT managers can smell risks to their networks from quite a distance. So, listening to them can be a good indicator to management. Think of them as your inner conscience that knows there’s a problem, but doesn’t always know how to express the consequences in business terms that management can understand without some discussion.

If you leave the security planning discussion until the incidents are forcing you to think about them on a regular basis, not only will it be expensive to change people’s behaviors, but the IT group will already be too busy putting out the fires to evaluate long term strategic options.

What Do You Think?

Would your business be more productive if it could accurately assess emerging technology risks ahead of time? Or do you have a happy rhythm of using incidents such as virus infections or data breaches as the evidence you need to convince management to take action? [FYI - according to a study by Panda Security, which we discussed in the Social Media Security Podcast, 33% of Small and Medium Sized Businesses have had malware infections that were attributed to the use of social networks.]

If your organization is looking for innovative, cost-effective security awareness tools or training, please call or email me at the coordinates below; or CLICK HERE to learn more about Streetwise Security Awareness solutions.

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.

 

Site Meter

 rate this post: very bad poor average good fantastic!
Comments

Copyright 2012. Security Perspectives Inc. All Rights Reserved.