The business of security

17.04.2006
We secure information systems because the business would be brought to its knees if we didn't protect trade secrets, vital corporate networks and sensitive data. Yet the business would also be brought to its knees if we spent every last dime in the treasury on security. Yes, it's possible to overspend on security. The trick is to figure out how to reach what ex-CIO Doug Lewis calls "the prudent zone" of security investment.

Increasingly, IT leaders are using a risk-based model that directs security spending to the places where a breach would cause the most damage to the business. Companies such as Textron and Standard Chartered Bank are already headed down this road, using metrics to prioritize security risks and allocate resources to mitigate them more efficiently. Some companies use a dashboard to keep an eye on all of those security metrics from a single console. Some classify data at different security levels -- much like intelligence agencies do -- so they can match the security effort to the classification level.

This new model is replacing "gut feel" decisions with equations like Risk = P x L, where P is the probability of an event that will cause a financial loss of L. It's a far cry from installing a firewall. But a business-driven, cost-benefit approach to security investments is something the chief financial officer, CEO and board of directors can embrace, which may be the most important benefit of all.
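As an added illustration, not part of the column, the following Python ranks a constructed portfolio of risks by Risk = P x L and then funds only the controls whose annual cost is below the expected loss they remove, which is one way to express the cost-benefit "prudent zone". All probabilities, losses and control costs are made-up figures.

```python
# Added example (not from the column): expected-loss ranking (Risk = P x L)
# and a cost-benefit check on each proposed control.
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    probability: float           # annual probability of the loss event (P)
    loss: float                  # financial loss if the event occurs (L)
    control_cost: float          # annual cost of the proposed mitigation
    residual_probability: float  # P once the control is in place

    def expected_loss(self) -> float:
        # Risk = P x L, the annualized expected loss without the control
        return self.probability * self.loss

    def residual_expected_loss(self) -> float:
        # expected loss that remains after the control is deployed
        return self.residual_probability * self.loss

    def net_benefit(self) -> float:
        # reduction in expected loss minus what the control costs per year
        return self.expected_loss() - self.residual_expected_loss() - self.control_cost


def prioritize(risks):
    # highest expected loss first: where a breach would hurt the business most
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def prudent_controls(risks):
    # fund a control only when it removes more expected loss than it costs
    return [r.name for r in prioritize(risks) if r.net_benefit() > 0]


# constructed figures for illustration only
PORTFOLIO = [
    Risk("laptop theft exposing customer data", 0.30, 400_000, 25_000, 0.05),
    Risk("web app breach of trade secrets", 0.10, 2_000_000, 150_000, 0.02),
    Risk("data center flood", 0.01, 5_000_000, 120_000, 0.005),
]

if __name__ == "__main__":
    for r in prioritize(PORTFOLIO):
        print(f"{r.name}: expected loss {r.expected_loss():,.0f}, "
              f"net benefit of control {r.net_benefit():,.0f}")
    print("fund:", prudent_controls(PORTFOLIO))
```

In this constructed portfolio the flood control is dropped even though the flood carries the largest single loss, because its expected loss is already low and the control costs more than it saves.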

Mitch Betts is executive editor at Computerworld. Contact him at mitch_betts@computerworld.com.