Friday 23 September 2011

Information Security vs Formula One Safety

Security is often considered a cost to the business, an overhead that it begrudgingly has to accept. The pot of gold for any CSO is that magical Security Return on Investment calculation which justifies why the investment needs to be made. Security is a lot like insurance: you make the investment now to protect yourself from an event or events that may happen in the future. The benefit comes from demonstrating that the investment you make now in controls to remove or reduce the impact of such events is less than the cost of handling those events without the controls.

If we were able to predict with reasonable certainty what events were going to happen over the course of a year, how often they would occur and exactly what the cost to the business was going to be, then security budgets would be both easy to calculate and easy to justify. Sadly, there is a significant amount of uncertainty, which can lead to an attitude of "we'll worry about it when it happens".

One of my favourite analogies is to consider security like the brakes on a car. A number of people use this example to demonstrate why security should be integrated into any solution from the beginning and why it should not simply be an optional extra tacked on at the end. It can also be used to address attitudes to security and the importance of a well-prepared and well-executed risk management and security plan in justifying security investment. I like to take this example and expand it to compare security investment in business with safety investment in motor racing, and more specifically, Formula One.

The immediate reaction is that the brakes on a car are the things that slow it down and bring it to a stop, which is often how a business perceives security. However, the brakes are what allow a car to travel fast, because the driver knows they are there when needed. How fast would a Formula One driver really want to go down the straight if they knew there were no brakes available as the corner approached? The brakes enable the car to go fast in the knowledge that when the driver needs to slow down for a corner or to avoid a hazard, they can do so easily. Lap times are therefore far quicker with brakes than they would be if the driver attempted a lap without them.

That doesn't of course mean that Formula One cars won't ever crash; we know that still happens. The brakes aren't a silver bullet that removes all problems, and some might expect security to be just that. The brakes help to ensure that, in most circumstances, the impact of an incident (in more than one sense of the word) is reduced and recovery is quicker. Brakes are only one of the protection mechanisms in place. The design of the car, the driver's clothing and the many monitoring capabilities the team has to assure the health of the car are all controls that protect the driver.

The driver is not the only asset that needs protecting; the team's reputation also needs to be considered. Who will want to drive for or sponsor a racing team if its cars have a really bad safety record? This isn't just about winning races and beating competitors, it's about protecting assets. A key point here is that the justification of spend to reduce risk needs to be assessed across all assets, including people and reputation, not just IT and data.

This analogy could go on for quite a while and become even more multi-faceted, but I'll rein it in here in an attempt to get to the point. Formula One teams spend a lot of money on safety to ensure that their drivers are protected; the money they spend is offset against the ability of the car and driver to drive fast and win races, collecting prize money and more sponsorship deals. Knowing which safety measures to implement is based on a risk assessment of the likelihood and impact of events that might affect their ability to win races. By analysing previous incidents, the performance of their own and other teams' cars, and by continually monitoring the state and health of their cars when racing, they can make smart investments, win races and increase revenue.

This is the same for any business. To be successful, it needs to look at what assets it needs to protect, including data, information systems, infrastructure, buildings, people and the reputation of the organisation. It then needs to understand the threats to those assets, the probability of each threat causing an incident and the impact it would have on the business. Any information on past incidents, within the company or at other companies, will aid this assessment and should also be used on an ongoing basis to gauge the effectiveness of the controls implemented. The security investment must then be made to clearly meet the output of this assessment, in the form of defined controls, technical or procedural, that reduce the chance of an incident occurring, reduce the impact of an incident if it does occur, and allow the business to recover as quickly as possible.
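The assessment described above (assets, threat likelihood, impact, control cost, and re-checking the estimate against incident data) can be made concrete with a small quantitative risk register. What follows is an added example, not code from the original post: it uses the standard ALE = SLE x ARO and ROSI formulas, which the post itself does not name, and every asset, threat, cost and probability in it is constructed for illustration.

```python
# Added example (not from the original post): a small quantitative risk
# register using the ALE / ROSI formulas. Every figure below is constructed
# for illustration and is not drawn from any real organisation.
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    asset: str    # what is being protected: data, system, people, reputation ...
    threat: str   # the event that could harm it
    sle: float    # single loss expectancy: cost of one incident, in currency units
    aro: float    # annualised rate of occurrence: expected incidents per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # cost of running the control for a year
    aro_factor: float = 1.0   # fraction of the original ARO that remains (reduces chance)
    sle_factor: float = 1.0   # fraction of the original SLE that remains (reduces impact)


def ale(risk: Risk) -> float:
    """Annualised loss expectancy: expected yearly cost of doing nothing."""
    return risk.sle * risk.aro


def residual(risk: Risk, control: Control) -> Risk:
    """The same risk after the control is applied."""
    return replace(risk, sle=risk.sle * control.sle_factor, aro=risk.aro * control.aro_factor)


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: (ALE reduction - control cost) / control cost.
    Negative means the control costs more per year than the loss it prevents."""
    reduction = ale(risk) - ale(residual(risk, control))
    return (reduction - control.annual_cost) / control.annual_cost


def rank_controls(risk: Risk, controls: List[Control]) -> List[Tuple[str, float]]:
    """Order candidate controls by ROSI, best first."""
    return sorted(((c.name, rosi(risk, c)) for c in controls), key=lambda t: t[1], reverse=True)


def observed_aro(incidents: int, years: float) -> float:
    """Re-estimate ARO from the incidents actually seen (own or industry data)."""
    return incidents / years


def control_holding_up(risk: Risk, control: Control, incidents: int, years: float) -> bool:
    """Ongoing check: is the observed incident rate at or below the residual rate
    the business case assumed? If not, the control is underperforming (or the
    original estimate was wrong) and the assessment needs revisiting."""
    return observed_aro(incidents, years) <= residual(risk, control).aro


# Constructed register: one data asset and one reputational asset.
RANSOMWARE = Risk("customer database", "ransomware", sle=200_000.0, aro=0.5)
DISCLOSURE = Risk("brand reputation", "public breach disclosure", sle=500_000.0, aro=0.1)

# Constructed candidate controls for the ransomware risk.
CANDIDATES = [
    Control("offline backups with tested restores", annual_cost=20_000.0, sle_factor=0.25),
    Control("endpoint detection and response", annual_cost=40_000.0, aro_factor=0.4),
    Control("full network and endpoint rebuild", annual_cost=150_000.0, aro_factor=0.1, sle_factor=0.5),
]


if __name__ == "__main__":
    print(f"ALE if nothing is done: {ale(RANSOMWARE):,.0f}")
    for name, r in rank_controls(RANSOMWARE, CANDIDATES):
        print(f"  {name:42s} ROSI = {r:+.2f}")
    # Two years after deploying EDR, one ransomware incident was seen:
    # 0.5 per year against an assumed residual of 0.2, so the case needs revisiting.
    print("EDR holding up:", control_holding_up(RANSOMWARE, CANDIDATES[1], 1, 2.0))
```

The point the numbers make is the one the post makes in words: the cheapest control (backups) has the best return because it attacks impact rather than likelihood, and the most expensive one has a negative ROSI even though it reduces the risk the most, which is exactly the "gold-plated brakes" a team would not buy. The `control_holding_up` check is the ongoing part of the assessment: the estimates that justified the spend are re-tested against what actually happened.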

Any Formula One team that makes Safety an afterthought will have the same problems as any business that makes Security an afterthought.

Photo: Pete Keen
