There’s only one way to drive a nail with a hammer. You can only drive down a one-way street one way. And there’s only one way to calculate Pi.
When it comes to IT strategies, however, there are few absolutes. IT leaders, teammates, and consulting organizations often draw lines in the sand when it comes to any given approach to solving a technical or business matter.
But the fact is, in IT, there are often several ways to approach and attack a problem. While each approach is equally valid, at the end of the day it comes down to which among the valid approaches aligns best to a given organization’s business and culture.
It is in the spirit of debate and decision that we offer a new series of blog posts focused on CyberSecurity that provide a point and a counterpoint, featuring Unisys' Nick Evans, Vice President and General Manager within the Office of the CTO, and Roberto Tavano, Vice President of Global Security Sales for Technology, Consulting & Integration Services.
Today’s question: HOW MUCH SECURITY IS ENOUGH?
Nick answers: “You need a balanced and adaptive approach.”
Roberto counters with “Security is not an exotic matter. It’s just part of your life.”
Nick Evans: You Need A Balanced and Adaptive Approach
Nick Evans, Vice President and General Manager
Office of the CTO
Over the past decade, we’ve seen instances of cybercrime increase in frequency, scale, and sophistication. As a result, there’s a growing need for ever-more robust CyberSecurity measures for businesses in order to keep up with this “cyber arms race.” Coincidentally, today’s high tech workplace is driving the need for sensitive data protection systems, dealing with an increasingly porous enterprise security perimeter, and other security vulnerabilities.
Considering that the threat level for cybercrime is constantly changing, it’s important to be able to understand the relative risk levels and determine how much, and when, to invest in terms of an appropriate level of insurance. I’m talking about the well-known risk-reward continuum, one that will change year-over-year or even more frequently. According to a recent study by the Ponemon Institute, just released in March, it’s estimated that recovery from a successful data breach will now cost a typical enterprise an average of $5.5 million.
Besides rising year-over-year threat levels, the actual physical layout of enterprise security is also changing. Traditionally, you put your security at the perimeter – either the building or firewall – forming a simple boundary. Today, with the explosive growth of the Consumerization of IT, where information workers bring their own personally-acquired devices to work, we’ve entered the era of what I call “the borderless enterprise.”
IT departments are increasingly asked to secure progressively porous and blurring security perimeters in a situation where data is residing on smartphones, tablets, netbooks, and myriad other Internet-connected consumer devices well beyond the organization’s four walls. Now compound all this with cloud computing and software as a service, where an increasing number of transactions are conducted in the public cloud or within externally-hosted private cloud environments. You have to take a holistic approach, and think about all the potential areas of vulnerability where a person (or, increasingly, persons) can gain access to sensitive data, wherever it resides.
So to design your most appropriate security measures, you need to constantly balance your risk/reward equation and invest accordingly, while carefully monitoring emerging technologies for potential new security vulnerabilities.
Roberto Tavano: Security is not an Exotic Matter. It’s Just Part of Your Life.
Roberto Tavano, Vice President of Global Security Sales
Technology, Consulting & Integration Services
Perfect security does not exist. We all know that. Furthermore, everybody in an enterprise has their own point of view on security. Management sees IT security as purely a technical matter, while end users might find it annoying to have to change usernames and passwords every few months.
Security professionals understand their current level of security is never enough. They know that risk cannot be zero at any time under any circumstance. So the question to ask isn’t “how much security is enough?” The question to ask is, “are you truly capable of calculating the cost of stopping a potential attack?”
Direct costs are often straightforward to calculate. But what about the indirect costs? Brand value, legal actions, tarnished image, loss of credibility, etc. – assigning a value tag to such elements depends solely on your organization’s business model and environment.
Incidentally, indirect costs could be vastly bigger than direct ones. You want your security to be like the oxygen in the air we breathe. Without it your chances of survival are zero. Yet you are hardly aware of its existence – it’s just an integral, invisible part of the environment. Security should not stand out as a fence or as a special feature, but rather seamlessly weave into the very fabric of your organization.
So when talking about the cost of security and who is responsible for driving security, for me, it’s all about a team effort. The CEO has to consider CyberSecurity very high on his or her agenda. And the organization must educate their employees to behave in a secure fashion.