Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


I am pondering the Risk-Cost security equation a lot these days, as I'm certain you all are.
Some things just absolutely must be protected, others just aren't that important. Some days, I think we as an industry forget that little fact.
And legislation/compliance aren't helping any.
When you think about security, I'm more and more convinced that you have to put it into the context of overall cost. There's more to it than the cost of an encryption device, moreso than most areas of IT, you have to worry about user costs when deploying security. If it stops them from doing their job, then it's costing the organization money. And often the best of security practices are the worst of corporate policies for that very reason.

Think of it this way, we all want our bank to protect our critical information, no questions asked. But if the bank tells me "small surcharges of pennies a month to adequately protect your personal information" I'm good with that. If they further say "Adequately means super strong for your SSN, account, and credit card info and just kind of strong for your name." I'm even okay with that. If they close with "for twenty bucks a month we can protect your name super-strongly too", I'm not okay with that.

Think about it. What ever you put in has to be both secure and viable. Doesn't matter if you're locking out spyware or encrypting the database, if it stops people from doing their job, then it's too expensive. If it slows them down it likely is too expensive. But if it doesn't improve your security stance, then it's certainly too expensive - just not worth the money.

Lots of the security industry is still stuck in the "uber-secure" mode, one where the more secure the better, and users better live with it. I think our history as an industry has shown that they won't, and a system designed like that will get circumvented or pulled out of production in short order. Don't waste your employer's money, it would be much better spent getting you a raise.

Until next time,