Cadillac or Kia? How much security is enough, and how much is too much? Can you even have too much security?
In a performance review several years ago, I was criticized for proposing "Cadillac" solutions to security challenges like patching, security event management and endpoint security compliance -- "Cadillac" being code for "too expensive." It was surreal to hear my striving for excellence put in a negative light. I think what was said in that performance review all those years ago distills a basic conflict between information security and the company it seeks to protect. So, is seeking perfection in security a luxury or a necessity? I continue to be urged to consider it the former, and I continue to see that as folly.
With my current company continuing to suffer increasingly devastating economic pressure in this recession, all IT budgets have been stripped to the bone, we are not going to be able to start any new projects for the foreseeable future, and our main focus is to keep the lights on while spending as little as possible. It is in this climate that I'm struggling to advance my security initiatives, which are necessary to protect the company and save money.
Last week, the question of excellence came up again. Our CIO told me that I should start thinking about partial solutions instead of more comprehensive approaches to improving our security. "Instead of trying to solve the whole problem, which is too much for us to handle, just solve a part of it," he told me. I can certainly understand the appeal of that point of view. If we can't afford a full-blown implementation, we can break off a manageably sized piece and focus our resources on that. Makes sense, right?
The problem is, while that reasoning works fairly well within a standard IT environment, it may not make sense in the context of security. If you're talking about converting your old, unstable data storage devices into a state-of-the-art SAN, maybe a compromise or interim solution will tide you over until you can tackle the big project. The same reasoning applies to email (can that Exchange 2010 upgrade wait until next year?) or desktops (upgrade to Windows 7 now, or stick with XP for a while longer?) and many other IT disciplines.
But I'm not convinced the same logic works in the context of security. I've had a lot of time to think about excellence and how it applies to security. Unlike other IT specializations, where partial solutions can be effective, security has a lot more of an all-or-nothing aspect. There are some things we just have to do, or else we risk heavy consequences, up to and including complete failure of the company itself. Security is important to the continuing operation of the company. If we try to save a few bucks by cutting our security budget, we might end up with a breach that could have been prevented, leading to loss of customer confidence, bad publicity, lack of compliance with legal regulations, theft of our confidential data by a competitor or worse. But those worst-case scenarios aren't very compelling to the company's decision-makers right now. All the focus is on tightening our belts, and uncertain consequences in a murky future are not offsetting that.
So should I take the CIO's advice and get the Kia instead of the Cadillac? Sure, it's better than nothing -- but I've come to believe that a successful security program requires excellence. Otherwise, the gaps and holes we don't close will be the ones that ultimately cause our downfall. After all, the bad guys only need to find one weak spot to exploit, while I have to build a consistently solid defense. The job of the attacker is always easier than the job of the defender. Cheaping out on security can cost a lot more than it saves. I think we really do need the Cadillac.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
To join in the discussions about security, go to blogs.computerworld.com/security.