How to use Security Controls as Business Drivers
In the year 2000, security discussions often started with the question, "How much security is enough?" That was soon followed by, "How much security can our organization afford?" And then by, "What is the return on investment in security?" If your company is still having discussions like this on the topic of digital security, it is time to take stock of how the world has changed since 2000.
Having sufficient defensive measures and adequate access controls is no longer optional for systems on any network. Government seems to add more regulatory and oversight standards every day. The auditors and associates sent by audit firms to check your books are becoming much more technologically astute and are attending the same security seminars that only IT staff used to attend. The body of knowledge about what constitutes adequate protection of data is also expanding rapidly across all sectors of the economy.
Awareness of security breaches is propelled across all sectors by the news media, because organizations in every sector and division of the economy fall to some classic hack, are infected by malicious code or, worse, are victimized by internal wrongdoing that goes undetected for a long time. Privacy advocates continue to lobby for additional required measures to protect personally identifying and financial information.
If all of that isn't enough, the civil courts are becoming the battleground for fault finding when organizations' security is breached and harm finds victims because control methods and mechanisms proved seriously wanting.
Security concerns alone are sufficient reason for using a formal architecture design process and a highly disciplined approach to protecting information technology systems, networks, and applications. Reactive approaches to security design put the attackers at an advantage and the IT staff in a no-win downward spiral of discover, patch, and run.
Security is hard to measure. The minimum acid test must be as follows:
- Is the security as good as it can be?
- Have you afforded sufficient resources to expect to be successful at protecting the data?
- Has the security investment been worth it?
There is no ROI in failing to provide adequate security controls in your organization, regardless of the sector or business you are in. However your company evaluates improvement projects and new IT initiatives, do not fall into the trap of failing to do what is needed to protect digital assets just because the ROI is hard to find and quantify. Accept that security controls and protective measures are one of the external forces acting on the business, and do all that can be done within your available resources to get them right. In the process, try to avoid the flavor-of-the-week products that waste resources and deliver little added security value.
[From Security Controls for Sarbanes Oxley Section 404 IT Compliances by Dennis C. Brewer]