The Business Value of Security
By Martin Kiaer, Principal Consultant, Microsoft MVP Security, CISSP, CISA, MCSE, MCSE+Internet, CCNA
If you deal with security, then one way or another, you already know that security is a cost—either in terms of features, performance, or usability. You might deal with this fact everyday, and might even have accepted it to a certain extent. But what if I tell you that you can change the perception about security being a cost, and instead use it as a business enabler? That new perception might make a big difference when you write your next business case for a new system and need to ask for more funding. So let me show you how.
A Good Security Solution Should Fail Well
When you design a new solution or application, sooner or later you will see both passive and active security failures. No matter how well you design your solution, security will eventually fail. When you design security into your solution, you should, of course, focus on how it will work and interact. But even more important, focus on how it will fail.
The next time you design and implement a new solution, look for how you can prevent a chain reaction of bad things from happening when your solution is compromised. When you look ahead to prevent failure, you end up with a solution that limits the damage when compromise occurs. In other words, make sure your design fails well.
How will a solution that fails well, affect the business value of security? Well here’s an example. Your company creates an online portal that runs on a Windows Server 2003–based infrastructure and that uses .NET framework. A competing company has a portal that was recently compromised; so your company wants to ensure that potential customers have confidence in the new portal. Solutions that fail badly are ones you don’t want to be remembered for.
So your company tries to streamline the infrastructure: you segment, implementing the portal in a three-tier environment. During installation, you remove as much human interaction as possible by using scripted and unattended installations. You centrally administer tools like Group Policy in Active Directory. To improve portal security and optimize daily operations, you optimize your patch management procedures. You do all of this in the name of security. What you actually end up with is an infrastructure that provides added value for something you’ve already invested in. You have a portal solution that is more dynamic and robust, and that easily adapts to withstand new threats and attacks.
You also better understand the technology that you are running and at the same time, your IT staff is productive because you removed cumbersome installation and maintenance tasks from daily work. You have just increased your business value by using security as an enabler.
But wait, there’s more…
The Human Factor
Security is actually all about people—not just about the ones who attack a system, but also about those who protect it. You’ve probably heard this referred to as Layer-8 security. One thing to keep in mind: you have to trust people if you want your security solution to work. The details of a secure solution are often complex, but the way security works and fails is something all people can understand. Keep this in mind when you design and implement your security solution.
People have an advantage because they can improvise, make fast decisions, and detect problems, much better than a machine. Ironically, people are also the weakest link in the security chain. They are typically the reason your security solution fails.
So how can you turn human frailty into an asset? Make sure you involve, delegate, and inform the relevant people when you build security into your solution. Within an organization, security is a group effort—both vertically and horizontally. Involve everyone and be open to constructive feedback and suggestions about your solution. By using security as a tool to communicate across the entire organization, you make people aware of the assets you are trying to protect, using security as a motivator that increases business value by making people interact and share ideas.
There's no such thing as perfect security; however, security doesn’t need to be perfect, but the risks must be manageable. When you effectively manage your security risks, you have a powerful business-critical security solution that is more than just a cost.
You can’t change the fact that security always follows the money. You can, however, change your approach, by making security into a valuable business tool that you use as an enabler and motivator—both for technology and for people. Now that’s something no business can be without.
See other Security MVP Article of the Month columns.