Security is never just "on" because it is relative to your requirements and the time and effort you apply to it. Unfortunately, due to a number of factors, security can actually be off. Once security is being invested in, there are many questions to answer about how much security is enough. Too much security can get in the way of doing business. The amount of security that your organization has is a balancing act between business needs and levels of protection.
Security is never just "on." Unfortunately, it may actually be "off."
Security can impact profitability in a positive or negative manner, depending on how it is managed. Improving security to reduce risk may cost money, and as with most of life, the last 20 percent of risks to be eliminated will cost 80 percent of the money. Once basic security needs have been met, it is important to balance risk reduction costs against the potential for loss if security fails. Most business plans contain some allowance for downside risks. Many security-related risks exceed these allowances, but a case-by-case analysis should be done before large security investments are made.
Too Much Security Can Get in the Way of Doing Business
In a typical well-secured company, an access policy may state that any employee granted access to internal computer applications must pass an external security check (such as a search for a criminal record or prior employment problems). But that policy could make it impossible to bring in temporary staff to cover short-term needs. The external security check could take longer than the period of employment. Then is the policy appropriate? For some companies it is. A similar problem arises when the policy requires, for security reasons, that a central department add all computer users.
In some companies, the time to add a new user from the central administration department exceeds the time that the temporary employee will be needed. Instead of re-evaluating these policies and fixing the processes (or technology), many managers design bypass mechanisms that undermine security. A typical bypass to the latter problem is to define a pool of unidentified user accounts on the computer that can be assigned and reassigned locally. Eventually, these accounts become the property of someone who should not have them, and his or her access can neither be audited nor controlled. Security has failed.
Lower security levels result in increased risk to the business. But higher security levels may result in business being hurt. Both business and security managers need to find the appropriate middle ground that provides adequate protection with minimal business impact. Figure 12 plots the benefits of security versus the costs of security. As with many business projects, 80 percent of the benefit is derived by 20 percent of the cost. The last 20 percent of the benefit will become much more expensive.
Figure 12 Cost/benefit of security.
There is no such thing as perfect security. In fact, good security doesn't cost that much, and trying for really high levels of security may be cost-prohibitive.