As part of my daily routine in preparation for interaction with my teammates and customers regarding client computing, I always seek out the latest information regarding security breaches being reported. The bad news is that I typically do not have to look too hard or too far for this information. But first, the disclaimer...
The contents and comments on this blog are mine and do not represent those of my employer.
As the consumerization of IT continues, risk increases dramatically as the devices become more vulnerable. There comes a point in time, regardless of the underlying reality, where a message no longer resonates. Security messaging may be part of that situation.
From an IT perspective, security will always be a top priority. However, as IT is perceived to be becoming more commoditized, the end users and the departments may become "tone deaf" to the messaging.
In my research there have always been certain realities we all have to deal with, such as:
- "risk is not real until it happens, to you"
- "we really cannot protect against everything"
- "let's take a reasonable risk"
There are other realities that we can discuss in later blogs, but these three are the ones I am hearing quite frequently of late.
1. "Risk is not real until it happens, to you"
There is something benign about the dialog around risk. If you have not been breached, whether your social security number, your medical records, your personal information, etc., the discussions about risk seem like overreacting, perhaps too alarmist. However, if you have not been breached in today's environment, you are lucky, and luck is not an IT strategy.
2. "We really cannot protect against everything"
To some enterprises this theme has translated into a strategy of acquiescing and doing the minimum to protect information. It is an acknowledgement that there is a cost associated with security and that, until something happens, the business case is not compelling. The parallel here is the life insurance conversation. The reasoning amounts to: if you cannot protect against everything, protect against nothing.
3. "Take a reasonable risk"
This is the latest dialog. In this respect I could not disagree more with this approach. What is reasonable to you may not be reasonable to me. If you have my data and information, my expectation is that your business would do everything to protect my information, as well as that of other customers. I understand financial limitations, and I understand realities just as you the reader do; however, find another place to make trade-offs.
It seems the more removed decision makers are from IT, the easier it might be to reduce the IT security expenditure.
I would submit that there is no reasonable risk to take, only, again, a conscious or unconscious decision.
At the end of the day, a business' brand is likely its most important asset. This brand can be tarnished for a long period of time, perhaps indefinitely, if security is not taken seriously. By seriously, I mean my expectation is that, within the overall IT budget, security expenditures are never reduced.
If a business has weak asset management for hardware and software, non-encrypted mobile devices, non-secured desktops and laptops, and in general struggles with governance and BYOC, then risk may become very real, very quickly.
These are my thoughts; what are yours?