Wednesday, 30 January 2013

Myth #8: Security is too expensive

Let’s not kid ourselves – security isn’t cheap.  We have to buy hardware, and software, and staff, and training and auditors, and in each case somebody is putting their hand in your pocket and taking their cut.  But that’s not what this is about.  The myth is that it’s too expensive, that it doesn’t add value and that it’s only a “nice to have”.

Instead of thinking about security, for a moment imagine taking your family to a public swimming pool for a fun day out…

Public pools have fences.  They have lifeguards.  They have water in the pool, that is the right depth, the right temperature and has the right treatment to ensure that it is safe.  They have non-slip surfaces and signs that say “no running”.  They have lots of controls all designed to keep everyone safe, and most of them not noticed by anyone.

But the fences aren’t 10m high.  There are not hundreds of lifeguards.  The water still splashes out of the pool.  There aren’t patrols with assault rifles enforcing the “no running” rule.  These would be silly.  These would be a waste of money.

Security can be too expensive if spent in the wrong place, whether in a business or a public pool.  Businesses that overspend on hardware and underspend on testing are wasting money just like putting armed guards at a public pool.  They probably believe security is too expensive, but that isn’t really their problem.

For some businesses security is not considered a cost at all, is a core strategy.  Qantas is rightly proud of their safety record.  They don’t believe that safety is too expensive.

Information security is really just data safety.  Know what information is important to your business and protect it well, but not too well.

Security is a measure of the health of your company, and that makes this myth plausible.

Phil Kernick Chief Technology Officer