There is a developing trend to enhance security well beyond the risk that you or a business will probably ever be exposed to. Some would class this as an obsession; others would call it 'risk based'. The question of proportionality and return on investment is often discussed, and here lies an interesting point: do security professionals secure budgets based on fear?
Regularly we read about high profile security breaches, but many companies are now beginning to realise that being breached, or suffering another type of security incident, is part of the cost of doing business. As security professionals we know the best way to get additional focus (and money) for security is a publicly named and shamed high profile security breach (and not necessarily one against your own business). This isn't right, but as we all know it happens, and there are numerous examples of exactly this.
Sometimes security is a bit like the gruesome scenarios played out in the Final Destination movies: the swinging lump of steel misses you, only for you to be caught out by the one coming from the other direction! We are all worried about the what-ifs. We have alarms, PIR lights and CCTV at home even though the chances of being burgled are a low 3%; again, it's the fear factor!
Recently, at the 2015 RSA Conference, AlienVault surveyed 1000 people on Security and Ethics in the Workplace. Below are some key findings from this study:
- 20% of respondents have witnessed a company hide or cover up a breach
- Over half of security professionals utilise hacker forums or associate with blacklist to keep abreast of the latest threats and technologies
- Most believe the CISO (chief information security officer) should be ultimately accountable for a breach
- Security breaches are used as leverage to increase security budgets
- 58% of security professionals said they had never worked at a company that had covered up a breach
This survey demonstrates that a fear factor is in place. When the inevitable doomsday occurs, security teams still find themselves under considerable pressure, which can contribute to breaches being hidden or vulnerabilities ignored. After all, if the CISO's head is likely to roll, then the trade-off is probably going to be throwing large amounts of money at a problem that may not even occur. Let's just hope it's the right amount of money in the right places!