I have heard this sentiment, perhaps not put quite as bluntly as that, on several occasions over the last few years when working with clients and engineers on security-related projects. My role would have been to help embed a particular piece of security software, or to introduce a piece of consultancy or a business process, that would help improve the organisation's security posture.
The question, often raised as a bargaining tool, usually comes down to: ‘well, I understand what you propose and I know it will increase the security of scenario X, but why should I do it?’. In honesty, it is a good question. Organisations have finite budgets which must cover all of IT and related services, and it is fair to expect someone to show and prove, either via tangible or intangible RoI, that a piece of software or consultancy will have a beneficial impact on the organisation as a whole.
Justification and SRoI
Return on Investment, or Security Return on Investment (SRoI), is clearly a useful tool for proving that a particular security-related project will benefit an organisation. An organisation will probably already know whether this value will break even quickly, before it even starts looking at service and software providers to help implement such a project. During the business case and feasibility study phase, a basic high-level SRoI can generally be used to see if initiating the project is actually worthwhile.
The main drivers for many security-related initiatives have often been external factors. I call these factors external because they are generally reactionary, or do not originate from the overall strategy of the business. They could include compliance requirements, or responses to previous security attacks or data breaches. If these factors didn’t exist, would those security projects and budgets be allocated?
Security as a default
Unfortunately, the answer may be no, hence the thoughts prompted by this article title. Security is often not seen as essential to the business strategy, whether from a delivery, efficiency or cost-savings perspective. It is something the organisation often feels it has to do. “If we don’t sort the access control process out, we’ll get fined”. “If we get hacked again, and lose more customer records, our reputation will be unrecoverable”. Sound familiar?
Security as a default option is probably some way off the agenda for many enterprise IT strategists. The fail-safe option is costly, complex and evolving. The creation of the CISO role is a great step forward in bringing security awareness to the overall business strategy. Whilst that role is currently focused on completing the ‘must-have’ security practices, over time it may evolve to allow security to become a default option: default within the software development lifecycle, new business processes, employee attitudes and so on.
Making this happen will take a careful balance of showing the tangible and non-tangible benefits of a better security posture, without restricting business or employee agility.