Security. A business problem

Frank Hayes argues the case for security to become a business problem

Security is a people problem. OK, you already knew that. But recently the SANS Institute finally recognized it too, in its list of the top 20 Internet security risks of 2007. Topping the chart of new, hard-to-defend-against risks were vulnerabilities in custom Web applications and (drum roll, please) "gullible, busy, accommodating computer users, including executives, IT staff and others with privileged access."

According to the SANS report, cybercrooks are still running their automated attack programs, looking for security holes in unpatched and misconfigured software (average time until an attack after a new system is attached to the Internet: five minutes).

But IT shops are now much better at blocking those attacks with technology. So attackers are getting more specific. They're launching tightly targeted phishing attacks against specific users as a way to get at corporate and personal information, including customer credit card data and individual online banking passwords.

In other words, they're not just going after vulnerable software. They're aggressively aiming at vulnerable people, too.

It's great news that SANS is publicly recognizing security as a people problem.

Not such great news is what SANS recommends we do about it. Option 1: Launch our own test attacks against users, and cut off Internet access for those who fail the test. Option 2: Dramatically beef up our monitoring and forensics systems, so we can constantly search for intrusions.

Those are classic security responses. The first one is wrongheaded, and both of them are naive.

What's wrong with staging our own phishing attacks? Nothing, really. But cutting off users who fail the test? That turns us into the enemy of our users. Instead of encouraging them to be vigilant against outside attackers, it will guarantee that IT gets zero trust, zero cooperation and zero help from users.

And that animosity won't stop with the security group. The IT people who take the brunt of it will be those on the help desk and development teams and anyone else who deals directly with users.

Worst of all, it won't work. How long will a top sales guy remain without Internet access after he fails the test? No time at all. When it's between business and security, the choice will go to business every time. There will be no consequences. And IT's great new security program will be a fiasco.

What about beefing up our monitoring and forensics? Sure, that's a great idea -- it won't antagonize users and is certain to improve our chances against attackers. Just one question: How will we pay for expensive new security systems that generate no revenue and might not be needed?

Answer: We won't. We'll never get budget approval for a proposal so focused on security and -- apparently -- so naive about business reality.

Understanding that security is a people problem is important. But it's not enough -- just as seeing security as a technology problem wasn't enough.

We have to take the next step and make the case for security as a business problem.

As long as security is seen as just a cost -- or, worse, as the enemy of business -- we'll never have CEO support for critical security initiatives.

We have to frame security as a business enabler, not a business crippler. We have to sell real benefits: safer customers, more reliable systems, executives whose bank accounts aren't emptied.

Then we can get the budgets for beefed-up monitoring. And the cooperation of business-side managers to keep employees in line.

And most of all, confidence from top-level management that we really are looking out for the business.

Security is a business problem. You know that. Now let's go to work on getting the rest of the business to recognize it too.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Frank Hayes

Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?