Can we have enough security? …

Awanthika Senarath
4 min readMar 6, 2021

Can we have enough security? …

Of course we can,

How much is enough? …

That is the million dollar question!

This came up in a lecture I was helping to run last week. The students' opinions on it were interesting: some thought you should spend as much as you can on security, while others thought you need to stop at some point.

Understanding how much security is enough, and having nothing more and nothing less, is important in enterprise environments. Why? Because we are running a business, and security is an expense. A business, whether we like it or not, is always about profits and managing expenses. Does that mean security is not important? Absolutely not. It simply means that security, among many other things, is one more tool that exists to support the business. Ultimately it should add value to the business and help it thrive. What you should understand is that the business does not exist to ensure security; it is always the other way around. Security exists to ensure business continuity, or in simple terms, to help the business keep going.

So how do you know how much security is enough? That depends on what you are trying to protect. Imagine you have a gold bracelet worth $50K. You learn that your neighbour's house was robbed, and everything was taken except the things they had put in their safe. You decide to buy a safe for yourself to make sure your bracelet is protected. Why? Because the threat is real: if your neighbour got robbed, then it is likely that you can be robbed too. If the seller offers you a safe at $300K, one at $20K and one at $15K, what should you do? You would first eliminate the $300K option. Why? Because you don't want to spend more than your bracelet is worth to protect it. Then you would evaluate the $20K and $15K options. The $20K safe sends an SMS to your phone when someone is trying to open it; the $15K safe is just as good minus the notification feature. You would then weigh how important an SMS notification is to you, and would probably go for the $20K one, because for $5K you are getting a feature that is worth having. If someone buys a $300K safe to protect a $50K bracelet, that just does not make sense. It does not matter if the $300K safe is the world's best safe, cannot be broken by any thief on earth, and is made of materials that withstand floods, fires and bombs. Why? Because it costs more than what you are trying to protect is worth.

However, in a business you need to understand that measuring the value of what you are trying to protect is not as simple as getting your bracelet valued at a jewellery shop. There are tangible values as well as intangible values. We call what you are trying to protect the 'assets' of your business. The time and effort you put into understanding your assets and assigning a business value to them is just as important as the time and effort you put into implementing your security program to protect them. You need to understand what matters to you: your reputation, the value of the data you hold, the value of the infrastructure and, above all, the value of the lives of your customers and employees.

Once you have identified these assets and ordered them according to the value they represent within your business, you need to identify and measure the threats faced by each asset category. Your employees and customers can be at risk if your buildings are not secure. Your buildings and infrastructure can be at risk from natural disasters. Your data is at risk if a hacker decides to break into your information systems. Once you have identified the threats, you look at how likely each one is to occur in your business. For example, if you are operating in a desert, then even though a flood is a plausible threat to any building, the likelihood of you facing that threat is almost zero. If you are a small book store with just one branch, the likelihood of a foreign government-backed hacker breaking into your systems is very low.

Once you have identified your assets, looked at the real threats you could face and estimated the likelihood of those threats occurring, you order them from highest to lowest and invest in security measures to protect against them in that order. If you are in a desert, you first invest in protection from sand storms, then from dust, and then from water cuts.
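The ordering described above, value each asset, estimate the likelihood of each threat against it, rank the pairs, then reject any control that costs more than the asset it protects, can be written down as a small script. The following is an added example, not code from the original article; the assets, threat likelihoods and safe prices are constructed for illustration (the desert site and the bracelet are the article's own scenarios, the numbers attached to them are assumptions).

```python
"""Rank asset/threat pairs by expected loss and filter controls by asset value.

Added example: the asset values and likelihoods below are constructed
illustrations of the article's reasoning, not measured figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float  # business value of the asset, same currency as control cost
    likelihood: float   # estimated probability the threat materialises in a year, 0..1

    @property
    def exposure(self) -> float:
        # Expected loss if the threat occurs and the asset is lost entirely.
        return self.asset_value * self.likelihood


# Constructed risk register for a small company operating in a desert:
# a flood is conceivable for any building but very unlikely here, so its
# exposure ends up at the bottom even though the building is the most
# valuable asset on the list.
RISKS = [
    Risk("Office building", "Sandstorm", 2_000_000, 0.20),
    Risk("Office building", "Flood", 2_000_000, 0.001),
    Risk("Customer records", "External attacker", 500_000, 0.30),
    Risk("Company reputation", "Data leak", 1_000_000, 0.05),
]


def rank_risks(risks):
    """Order asset/threat pairs from highest to lowest expected loss."""
    return sorted(risks, key=lambda r: r.exposure, reverse=True)


def affordable_controls(asset_value, controls):
    """Drop every control priced above the value of what it protects
    (the $300K safe for the $50K bracelet) and order the rest by price.

    controls: iterable of (name, cost) pairs.
    """
    kept = [(name, cost) for name, cost in controls if cost <= asset_value]
    return sorted(kept, key=lambda c: c[1])


def marginal_cost(controls, baseline, upgrade):
    """Price difference between two control options, i.e. what the extra
    feature actually costs (the SMS alert in the article's safe example)."""
    prices = dict(controls)
    return prices[upgrade] - prices[baseline]


# The article's safe example, with the three quoted prices.
BRACELET_VALUE = 50_000
SAFES = [
    ("vault-grade safe", 300_000),
    ("safe with SMS alert", 20_000),
    ("plain safe", 15_000),
]

if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.exposure:>12,.0f}  {r.asset} / {r.threat}")
    print("Affordable safes:", affordable_controls(BRACELET_VALUE, SAFES))
    print("SMS feature costs:",
          marginal_cost(SAFES, "plain safe", "safe with SMS alert"))
```

Running the script lists the sandstorm first and the flood last, which is the point of the desert example: the asset is the same, only the likelihood differs. The control filter keeps the two safes priced below the bracelet's value and reports the $5K the notification feature adds, leaving the final choice to the judgement the article describes.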

In information security we are always trying to protect data, which is pretty hard to value. Its value depends on the nature of the information you hold, the nature of your business and the nature of the threats you face. If you are running a consultancy that provides security services to clients, you cannot risk losing even the tiniest bit of data. Why? It affects your reputation: you cannot expect your clients to trust you when you lose your own information to a hacker. If you are a bank, you cannot risk losing your customers' personal data; you would value it above your own company data. If you are a government, though, you would value your intelligence information above all. What this means is that the value of information is subjective, and the nature of the threats you face is subjective. Not every organisation can invest millions in its security program, because it is running a business and is implementing security to help that business run.


Awanthika Senarath

I am a cloud governance enthusiast. I believe in clearly defined, practical and realistic governance policies that help businesses grow!