Information Security News mailing list archives

Stop using the boogeyman to sell security


From: InfoSec News <isn () C4I ORG>
Date: Thu, 8 Feb 2001 20:12:09 -0600

http://www8.zdnet.com/eweek/stories/general/0,11011,2680126,00.html

By David Thompson
February 5, 2001 12:00 AM ET

The boogeyman may be a childish cliche, but security professionals use
him all the time in their attempts to convince corporate management to
buy into whatever project they're advocating. The security industry
has for years been in the business of selling fear. Its dire warnings
of catastrophic events have become so commonplace, management has
tuned them out.

This past summer, I gave a lecture on the CIO's best security
practices. I was haunted by the frustrated questions from audience
members, who told me they agreed with my recommendations but wanted to
know, "How do we get our management to listen?" In some industries,
such as financial services, this refusal on the part of management to
take security seriously has resulted in federal regulations requiring
businesses to implement security controls.

The problem is that we are looking at this problem from the wrong
perspective. Security has traditionally been looked at as an
infrastructure cost. There is no return on the investment; it is
simply a bottom-line cost that must be borne, much like heating and
power. Of course, chief financial officers are constantly trying to
find ways to trim operating costs, and they don't always differentiate
between doing that by cutting security expenditures or by turning off
the air conditioning over the weekend.

Security professionals aren't blameless, either. They have shown
themselves to be lazy as they refuse to learn how the business side of
a company operates. Instead of learning how to calculate the return on
investment for a project, as their IT brethren do, they merely sit
back and moan about how no one takes them seriously.

It doesn't have to be this way. I have two examples of how a
well-planned security project can improve the bottom line for your
company. The first: eWEEK's December PKI eValuation demonstrated to me
that a public-key infrastructure can go a long way toward reducing the
administrative burden on your network. The products reviewed provide
the secondary benefit of implementing a single-sign-on environment,
making life easier for your users and administrators.

The second example is an active virus education program. Many
companies lose a great deal of productivity responding to virus hoaxes
when users get excited about the possibility that a mail message could
contain a virus and spread the warning like wildfire. Constant
education on what constitutes a threat and what to do in the case of
an actual virus can save your company a lot of money.

It is time for us to stop selling fear and to begin to address the
real benefits that security can offer. The industry has matured, and
now it's time for us to grow up and to stop relying on the boogeyman to
get the point across for us.

David Thompson is the former CIO at DARPA and works for
PricewaterhouseCoopers. Write him at
david.garth.thompson () us pwcglobal com.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".