Structuring Security: Where to Aim

If you've ever been involved in IT infrastructure planning, either for your own resources or a client's, then you've been asked the infamous question:

How do we keep it secure?

In reality though, how isn't the first question when addressing security (or the second).

The first question is what? What exactly is "it"? You can't secure what you don't know. What physical assets and information residing within are we protecting? Identifying this has varying degrees of difficulty.

The second question is why, and it tends to take teams by surprise.

"Why do we want to keep our network secure? So we don't get breached - isn't that self-explanatory?"

Not. At. All.

Here's where most security efforts hit roadblocks and go no further. To properly structure a security effort, you have to frame it in terms of the business. Fundamentally, Information Security is a way to address risk.

There are four legitimate actions any business can take to address risk:

  1. They can mitigate the risk with technologies, processes, etc.
  2. They can transfer the risk with insurance.
  3. They can avoid the risk by shutting down the operations causing the exposure.
  4. They can accept the risk.


These four actions, when done properly, equate to a balancing act of value. Here's an easy example:

My business is exposed to a risk that, if occurs, will cost me $1,000,000 in damages. The odds that it will occur in any given year are 10%. The cost to mitigate the risk is $50,000 a year.

Simple math shows us $1,000,000 x 10% = $100,000 in expected loss per year, which is more than the $50,000 annual cost of mitigation. This suggests that mitigating the risk is the sound decision. However, it's also clear the math doesn't always work out in favor of mitigation.

In some cases, it may be a better business decision to accept the risk of being hacked.
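The comparison above generalizes: the expected annual loss (single loss times annual likelihood) is weighed against what the control costs each year, and a control that only partly reduces the risk only earns credit for the part it removes. The following is an added example, not code from the original article, that runs the article's own $1,000,000 / 10% / $50,000 case alongside two constructed scenarios; the `RiskScenario` and `evaluate` names and the `risk_reduction` field are assumptions introduced here for illustration.

```python
"""Expected-loss comparison behind the mitigate-or-accept decision.

Added example (not from the original article). The first scenario uses the
article's figures; the other two are constructed to show the cases where the
math does not favor mitigation, or where a control only partly removes the risk.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    single_loss: float         # dollars lost if the event occurs
    annual_rate: float         # probability the event occurs in a given year (0..1)
    mitigation_cost: float     # annual cost of the control
    risk_reduction: float = 1.0  # fraction of the loss the control removes (assumption: 1.0 = full)


@dataclass(frozen=True)
class Evaluation:
    name: str
    ale: float            # expected loss per year with no control
    residual_ale: float   # expected loss per year after the control
    net_benefit: float    # loss avoided minus what the control costs
    decision: str         # "mitigate" or "accept"


def annual_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """Expected loss per year: cost of one event times its yearly likelihood."""
    if not 0.0 <= annual_rate <= 1.0:
        raise ValueError(f"annual_rate must be between 0 and 1, got {annual_rate}")
    if single_loss < 0:
        raise ValueError("single_loss cannot be negative")
    return single_loss * annual_rate


def evaluate(scenario: RiskScenario) -> Evaluation:
    """Decide whether paying for the control beats carrying the risk."""
    if not 0.0 <= scenario.risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be between 0 and 1")
    ale = annual_loss_expectancy(scenario.single_loss, scenario.annual_rate)
    residual = ale * (1.0 - scenario.risk_reduction)
    avoided = ale - residual
    net_benefit = avoided - scenario.mitigation_cost
    # Mitigation is sound only when the loss it avoids exceeds its own cost;
    # otherwise accepting the risk is the cheaper business decision.
    decision = "mitigate" if net_benefit > 0 else "accept"
    return Evaluation(scenario.name, ale, residual, net_benefit, decision)


# The article's figures, followed by two constructed scenarios.
SCENARIOS = [
    RiskScenario("article example", 1_000_000, 0.10, 50_000),
    RiskScenario("rare, cheap event (constructed)", 200_000, 0.05, 25_000),
    RiskScenario("partial control (constructed)", 1_000_000, 0.10, 50_000, risk_reduction=0.6),
]


def evaluate_all(scenarios=SCENARIOS) -> list:
    return [evaluate(s) for s in scenarios]


if __name__ == "__main__":
    for r in evaluate_all():
        print(f"{r.name:32s} ALE=${r.ale:>10,.0f}  residual=${r.residual_ale:>9,.0f}"
              f"  net=${r.net_benefit:>+10,.0f}  -> {r.decision}")
```

The same comparison applies to transferring the risk: an insurance premium is a control cost, and the loss it covers is the reduction. The validation on the rate and reduction fields catches the common spreadsheet mistake of entering a percentage as 10 instead of 0.10, which would otherwise inflate the expected loss tenfold and make every control look worthwhile.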

This is why it is important for every security initiative to begin with understanding what is at stake and what that means to the overall goals of the business. There are multiple ways to achieve this framework, which will be addressed in another article, and it is always a good idea to seek the advice of experienced professionals.

More articles by Justin Davis
