Selling Security

October 31, 2014

The Global Financial Crisis has cause many companies to tighten their belts, and find ways of reducing expenses and limiting capital outlay. In many cases, security expenditure is in the crosshairs, though often for completely the wrong reason.

When security is implemented well, bad things tend not to happen.

When security is implemented well, bad things tend not to happen. It is that simple. The downside is that security can actually be a victim of its own success, resulting in a situation where management argue, wrongly, that "nothing ever happens, why are wasting all this money?". Many security professionals will be familiar with this situation, and there are even fabulous conspiracy theories about law enforcement and security organisations staging incidents merely in order to justify their own existence. As if they weren't busy enough as it were.

Like it or not, with the dreaded "GFC", companies are going to have to seriously evaluate their current spend. There is also little doubt that a lot of money is being wasted with no proportional return on this investment.

Good Security is about keeping the bad guys out. Not the good guys.

Anyone familiar with risk management will know there is almost no way you can totally eliminate risk. You can only reduce or manage it, to a comfortable level. In too many organisations however, the approach to security, is to apply "as much as possible". Often, this means spending the entire budget, inevitably suffering additional incidents and then going cap-in-hand to beg for more money to "improve" (read: increase) security. This is before you add empire-building personality types, who given the choice would love to turn their organisation into a cross between Fort Knox, Abu Ghraib Prison and Absolom Island. Naturally the staff of that organisation and customers alike, will be thrilled...

In many cases though, the desire to enforce "as much security as possible" comes not from a desire to wield power, but from a basic lack of training in risk-management. Specifically, the ability to work out where security is required, in what form, and how much, in order to suitably mitigate any given threat or reduce its likelihood of occurrence and impact to an acceptable level. If you read that paragraph and sniffed "he's just regurgitating basic risk assessment", good. If not however, you may care to study risk management, as you may be spending too much time, effort and money in the wrong areas, or not enough where it counts.

Making the Case for Security

Our company has excelled at security expense reduction, which in many cases has not only saved money, but improved security as well. By adopting a risk-based approach to security implementation, prefaced by business analysis, the end product saw our clients start to see security as a business-enabler, not a hindrance. Rank and file staff, are actually saying "Thank you" for security systems and processes, which offer them side-benefits (besides peace of mind). This is in stark contrast to the situation in many organisations where security is perceived by staff at best, as a "necessary evil", and at worst ignored, or regarded as (and there's no easy way to say it) a pain in the arse.

This approach has allowed our clients (and us) to continue to enjoy their security budget, even as belts are tightened. Security is recognised both for its role in the traditional protection of assets, as well as a business support tool, reduction of which would have direct consequences elsewhere in the organisation. This is about more than just creating a Return on Security Investment (ROSI) but rethinking how security is sold to an organisation's management.

A good example of this is the way firewall vendors have reshaped their approach in the last few years. Initially, firewalls were sold as a 'must have' security appliance. Whilst this was certainly a fair assessment, the options for repeat sales were limited, and clients wanted the bare minimum which 'just worked', rather than all of the Big Shiny Boxes that vendors were trying to sell them.

Today, you will find a firewall is not sold as a basic security device. Instead, it is a wonderful appliance, which will help reduce telecommunications expenses and allow happy staff to work from home, increase staff productivity and meet legal compliance obligations. Oh, and it also does security. When you consider what's actually required to do that - Virtual Private Network (VPN) services, content filtering and logging, you can see it's essentially just a firewall box. However, it's now being presented differently and makes an attractive case to dollar-wary management. Can you say "Value Add"?

Security professionals need to stop concentrating solely on locking things, and start identifying parallel means to help the business move forward.

There are many sources of conflict between security and service. A simple example is presented by a doorperson. Customer service and good manners, would suggest they should open the door for people. Good security however, suggests it be kept closed until a person is verified. Another classic source of conflict is between security (closing and locking doors) and fire safety, which encourages opening unlocked doors.

Any capable professional reading the above two scenarios, should be able to find an easy solution to each 'dilemma', which meets safety and service requirements, without an unreasonable compromise in securing any given assets. The same approach should be taken to other security areas. If this attitude is entrenched, it is more likely that effective security will become transparent, rather than an obstacle. In many cases security will become 'part of the furniture' which cannot easily be unwound from day-to-day operations as it is so highly integrated and (wait for it) appreciated.

IT Security presents more challenges. There is a similar trade-off, between useability and security. More 'feature rich' operating systems such as Microsoft Windows, are inherently prone to malicious software, than an operating system which does not have all of its "services" enabled by default, such as FreeBSD (a free Unix-like operating system) or various Linux versions. If you've ever used the latter, you'll know it's not exactly 'pretty', and is completely off limits to a beginner. This is why basic 'hardening' guides for operating systems always specify turning off all unnecessary features.

The more you 'lock down' hardware and an operating system however, the fewer features work. A practical example is USB ports. These pose a significant risk of information theft, as tiny 'thumb drives' can now carry massive amounts of data, which can be easily copied and carried off premises, without detection by network based content filtering mechanisms.

The standard 'knee-jerk' reaction in this scenario is to disable USB ports altogether. This can easily be achieved within the operating system or via hardware means, including physically disabling the port (rapidly implemented with glue, but not easily reversed). However, so many devices now connect via USB, including keyboard and mouse devices, that disabling a USB port may render the computer all but useless.

Savvy software developers have designed software which controls access by USB peripherals, such that you can control what is connected. For example, keyboards and printers are okay, thumbdrives and iPods are not. Many companies have rushed to install such software. Unfortunately, they have now committed to yet another system to administer and another access control list to maintain.

Buying more Shiny Boxes isn't the answer

For any given security problem, there is a box which can fix it. Or so the vendors will have us believe. Remember, once they've sold it, their job is done. However the buyer's job is just beginning. And it won't be the vendor's reputation who is damaged, when 12 months later, that expensive box proves to be little more than...An expensive box.

It may sound cynical raising these issues. However, we have seen, literally, dozens of organisations, who have ever increasing spends on their security, but do not seem to be approaching the 'light at the end of the tunnel' - actual security and peace of mind. As you can imagine, with so much invested, they are usually loath to start over again, and therein lies a large part of the problem.

Good Security is Cheap Early, Expensive Late.

Typically, it is medium to large size organisations who develop a sudden interest in Security Compliance Programs. Often they have to apply compliance systems, audit controls, policies and procedures retrospectively to existing operations. Although the end product is often a good one, nobody seems to enjoy the effort of getting there. A frequent comment is "I wish we'd done this as we went along". However, the goal 'back then' was to build systems and processes (and grow the business) - not to add security controls along the way. Put another way, it's like getting the roof on before you've built all of the walls.

It is far better, to start thinking about these issues earlier, when you are growing. Learn about risk management and how to identify where to allocate your resources. Consider the above discussion in terms of your business and how it operates, to find the right mix of security, protection and business benefit. Don't fall into the easy trap of buying lots of sexy security toys. Concentrate instead on boring matters, like policies, procedures and training. Those will establish the credibility which will later allow you to 'play with the toys' as you grow your security management systems.

The lesson: Be disciplined, be boring and be successful. is the first Australian security company to fully address both physical and IT security matters for true, end-to-end security, from guards and guns to firewalls and hackers. As well as assisting organisations with risk-assessment, review and development of security, Calamity has a well-proven record of inexpensive, yet highly effective, ways of increasing return on security investment, raising assurance and staff awareness.

For further enquiries or reprint information, click here to contact Calamity.

Have a question?
We'll answer your enquiry within 24 hours.