How We Think About Business Security
by David A. Linsky — CEO, SSC, inc.
In a world with threats across the globe and a business climate of increasing regulatory mandates, managerial complexity and shifting risk factors, the way an organization thinks about security and manages its security spending directly impacts its business performance.
Recent studies have indicated that because of security concerns, more than 80% of businesses have shied away from innovation. How we think about security drives both budgets and expectations, especially where securing critical assets is concerned. At SSC we believe the task of security management is not to reinforce traditional concepts and methodologies, but to question those very concepts and methods.
We believe that it is important to broaden our understanding of the concept of security as a whole, and of how the various parts of a security program constitute that whole. Broadening our concept of what constitutes effective security requires comprehension of available new technologies and methods, and accepting that what has always been done is not necessarily the best approach. It is very tempting to attribute security to technological innovation, and then to be thoroughly disappointed when the vulnerability that causes you the greatest loss comes from overlooked human factors.
The problem of what is necessary and effective in security is a basic economic one. How do we spend valuable resources most effectively when different departments' and individuals' needs diverge? Who makes the judgment about where to spend security dollars, and what parameters and metrics are being used to decide? The collective action problem in security management requires a coordinated effort to collect data about needs from all of the entities involved, and a mechanism to make sure that the needs of all involved are considered. Adjusting security budgets to compensate for poorly designed or poorly implemented technology and security operating solutions is both inefficient and expensive. In the provision of our services across the northeast, we see businesses that are overloaded with information security protocols and policies. This only reinforces the traditional view in many organizations that security is, at best, a necessary evil, because its primary focus is on constraining behavior and because the return on security spending is inherently difficult to measure.
Security technology providers often push our industry to accept solutions that require regular and expensive upgrades that do not normally improve security. We believe that truly effective security has to consistently begin by evaluating exposures, the probability of those exposures being exploited, and the criticality of the consequences. Security cannot be successfully managed or delivered without a solid plan derived from a solid methodology for assessing security needs on all three criteria: exposure, exploitability and criticality. This is then followed by a plan to reduce risk in all three areas. Nothing should be done unless it is in the context of risk, criticality and likelihood of loss. A well-executed vulnerability and risk assessment is the driver for real change in how we think about and address security spending.
At SSC we believe that 'New Thinking' on security starts with a high-level risk assessment and the collection of needs and threats, supported by training to improve the human factor. Driving valuable security solutions into the next decade and beyond will require innovation and execution that starts from a solid plan.
© 2008 SSC, Inc.