The boogeyman may be a childish cliche, but security professionals use him all the time in their attempts to convince corporate management to buy into whatever project theyre advocating. The security industry has for years been in the business of selling fear. Its dire warnings of catastrophic events have become so commonplace, management has tuned them out.
This past summer, I gave a lecture on the CIOs best security practices. I was haunted by the frustrated questions from audience members, who told me they agreed with my recommendations but wanted to know, “How do we get our management to listen?” In some industries, such as financial services, this refusal on the part of management to take security seriously has resulted in federal regulations requiring businesses to implement security controls.
The problem is that we are looking at this problem from the wrong perspective. Security has traditionally been looked at as an infrastructure cost. There is no return on the investment; it is simply a bottom-line cost that must be borne, much like heating and power. Of course, chief financial officers are constantly trying to find ways to trim operating costs, and they dont always differentiate between doing that by cutting security expenditures or by turning off the air conditioning over the weekend.
Security professionals arent blameless, either. They have shown themselves to be lazy as they refuse to learn how the business side of a company operates. Instead of learning how to calculate the return on investment for a project, as their IT brethren do, they merely sit back and moan about how no one takes them seriously.
It doesnt have to be this way. I have two examples of how a well-planned security project can improve the bottom line for your company. The first: eWeeks December PKI eValuation demonstrated to me that a public-key infrastructure can go a long way toward reducing the administrative burden on your network. The products reviewed provide the secondary benefit of implementing a single-sign-on environment, making life easier for your users and administrators.
The second example is an active virus education program. Many companies lose a great deal of productivity responding to virus hoaxes when users get excited about the possibility that a mail message could contain a virus and spread the warning like wildfire. Constant education on what constitutes a threat and what to do in the case of an actual virus can save your company a lot of money.
It is time for us to stop selling fear and to begin to address the real benefits that security can offer. The industry has matured, and now its time for us to grow up—and to stop relying on the boogeyman to get the point across for us.