The problem with IT security is in the name: traditionally it focussed too much on technology, concerning itself with controls and mechanisms while forgetting the very reason behind it: safeguarding organisational assets. The net result was disproportional protection measures: either safeguarding every asset, which bore a high cost, or providing insufficient protection that failed to save valuable assets, their value only realised once a security incident had occurred.
And in the resulting fallout, IT departments were blamed for their best efforts at providing an inadequate solution to an organisation-wide problem.
A paradigm shift occurred some years later in which the term 'Information Security' emerged, bringing about a culture change by redirecting focus towards WHAT needed protecting and speaking less about WHO, introducing the concept that security was EVERYONE'S responsibility, not just the domain of IT.
Businesses understood they had an important part to play: categorising assets according to organisational value, i.e. what impact their loss would have, rather than just tangible asset price. A lost laptop could mean £1000 replacement costs to IT, but a missed contract opportunity of £10,000 to the business. If the laptop was actually stolen and confidential data leaked, add a further £100,000 in fines. And let's not forget the slowdown in future business that follows from a soiled brand reputation and reduced customer trust... it's all downhill from there.
But prevention isn't everything. The law of diminishing returns shows that there is a point at which over-prevention becomes cost-inefficient (and sadly, many immature organisations have their threshold set insanely low). This is where RESILIA™ steps up, asking how to resist the adverse effects of a security incident. Can it be contained?
Simple answer: yes. Security is a journey, not a destination, and follows a simple process:
1. Identify key assets. Categorise them according to value to the organisation, rather than monetary value - understand the impact if they were lost or stolen. Data loss is one issue, data theft carries a higher cost: as mentioned above, we're not just talking about fines, we're talking about brand reputation and haemorrhaging customers.
2. Determine the organisation's risk appetite. What are the threats to these assets? Where are their vulnerabilities? Some risks are completely unavoidable, or carry a disproportional mitigation cost, so may be accepted - but a response plan should be available should the risk turn into an issue. It is safer to have a plan and hope it never gets used than not to have one at all.
3. Communicate the strategy: plan and announce. Who are your stakeholders? What will their responsibilities be? Do they understand the consequences of unfulfilled responsibilities? Are there any prerequisites, such as further training or legislative measures, that require satisfying?
4. Execute the plan: involve people and processes, not just technology. Embed the changes culturally by making security a natural part of everyday workflow - people need to be secure habitually through awareness of the benefits and ramifications rather than feel it's another checkbox exercise.
5. Review & audit: apply governance at all levels, perform checks to assess maturity levels and review opportunities for improvement, measure and report to show evidence of compliance being met and identify weak points. Or you could just leave it to crackers to find those weak points first...
But all this is not without pain. Security requires board-level commitment, dedicated effort and serious investment to be successful. The very people responsible for approving defensive counter-measures are those that lose the most when they're not done, and those that stand to have the reddest faces when explaining why something wasn't done earlier. So there's your ROI: if you want to know what your budget is, consider how much it costs your organisation if you don't do it and suffer the penalties.
RESILIA™: if security ain't for you, perhaps it's for your competitors.