While I believe that antivirus software, firewalls and the like are necessary components of security programs, I don't think people know why they're necessary. Security managers buy and implement these technologies to address likely attacks, but they can't explain their benefits in business terms. The damages caused by viruses are so self-evident that nobody argues about the funding required to buy the antivirus software or subscriptions. In contrast, since security programs are developed to address situations in which potential losses are not as clear, information security managers have difficulty justifying the required funding.

When information security managers understand the real reason that security programs exist, they can implement cost-effective programs that address organizational needs and garner appropriate funding. The real reason a security program exists is to manage risk. And that's why most current security programs are next to useless.

To manage risk, you must first define it. While there are many risk formulas, the one that I have found to be most effective is the following quasi-mathematical construction:

Risk = ((Threat * Vulnerability) / Countermeasure) * Value

In this equation, value is the amount that your information and/or services are worth. Notice that I did not refer to the value of your IT, such as the hardware, software and support personnel. The fact is that hardware and software are fungible, and the cost of its replacement is trivial when compared to the value of the data on a computer. A backup tape, for example, might be costly, but it's worth millions if it's storing credit card numbers -- when you consider the potential financial fraud, the cost of reissuing the cards and the loss of business resulting from the loss of customer confidence.