Computerworld - When people talk about implementing security programs, I doubt they know what that means or what they need. I believe that they hope to secure their company’s computers, and maybe they have the foresight to think about protecting information in a broader context. They allot their budgets to the required antivirus software, firewall management, required security assessments and maybe even some advanced tools like security incident management tools. With any remaining budget, they look for other technologies to implement.
While I believe that antivirus software, firewalls and the like are necessary components of security programs, I don’t think people know why they're necessary. Security managers buy and implement these technologies to address likely attacks, but they can’t explain their benefits in business terms. The damages caused by viruses are so self-evident that nobody argues about the funding required to buy the antivirus software or subscriptions. In contrast, since security programs are developed to address situations in which potential losses are not as clear, information security managers have difficulty justifying the required funding.
When information security managers understand the real reason that security programs exist, they can implement cost-effective programs that address organizational needs and garner appropriate funding. The real reason a security program exists is to manage risk. And that's why most current security programs are next to useless.
To manage risk, you must first define it. While there are many risk formulas, the one that I have found to be most effective is the following quasi-mathematical construction:
Risk = ((Threat * Vulnerability) / Countermeasure) * Value
In this equation, value is the amount that your information and/or services are worth. Notice that I did not refer to the value of your IT, such as the hardware, software and support personnel. The fact is that hardware and software are fungible, and the cost of its replacement is trivial when compared to the value of the data on a computer. A backup tape, for example, might be costly, but it's worth millions if it's storing credit card numbers -- when you consider the potential financial fraud, the cost of reissuing the cards and the loss of business resulting from the loss of customer confidence.
Several factors contribute to the value of the information under the protection of your security program. These factors include tangible value, nuisance value and value to competitors. For instance, a marked-up customer list may be worthless to your company, but not to your competitor. Antivirus software is considered a requirement because the cost of an infection is so high: Viruses can destroy work that took months to create, bring down your business for a period of time and take hours per system to clean up. The lost productivity alone is significantly more than the software license fees.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
