Information Security News mailing list archives
Stop using the boogeyman to sell security
From: InfoSec News <isn () C4I ORG>
Date: Thu, 8 Feb 2001 20:12:09 -0600
http://www8.zdnet.com/eweek/stories/general/0,11011,2680126,00.html

By David Thompson
February 5, 2001 12:00 AM ET

The boogeyman may be a childish cliche, but security professionals use him all the time in their attempts to convince corporate management to buy into whatever project they're advocating. The security industry has for years been in the business of selling fear. Its dire warnings of catastrophic events have become so commonplace, management has tuned them out.

This past summer, I gave a lecture on the CIO's best security practices. I was haunted by the frustrated questions from audience members, who told me they agreed with my recommendations but wanted to know, "How do we get our management to listen?" In some industries, such as financial services, this refusal on the part of management to take security seriously has resulted in federal regulations requiring businesses to implement security controls.

The problem is that we are looking at this problem from the wrong perspective. Security has traditionally been looked at as an infrastructure cost. There is no return on the investment; it is simply a bottom-line cost that must be borne, much like heating and power. Of course, chief financial officers are constantly trying to find ways to trim operating costs, and they don't always differentiate between doing that by cutting security expenditures or by turning off the air conditioning over the weekend.

Security professionals aren't blameless, either. They have shown themselves to be lazy as they refuse to learn how the business side of a company operates. Instead of learning how to calculate the return on investment for a project, as their IT brethren do, they merely sit back and moan about how no one takes them seriously.

It doesn't have to be this way. I have two examples of how a well-planned security project can improve the bottom line for your company.
The first: eWEEK's December PKI eValuation demonstrated to me that a public-key infrastructure can go a long way toward reducing the administrative burden on your network. The products reviewed provide the secondary benefit of implementing a single-sign-on environment, making life easier for your users and administrators.

The second example is an active virus education program. Many companies lose a great deal of productivity responding to virus hoaxes when users get excited about the possibility that a mail message could contain a virus and spread the warning like wildfire. Constant education on what constitutes a threat and what to do in the case of an actual virus can save your company a lot of money.

It is time for us to stop selling fear and to begin to address the real benefits that security can offer. The industry has matured, and now it's time for us to grow up and to stop relying on the boogeyman to get the point across for us.

David Thompson is the former CIO at DARPA and works for PricewaterhouseCoopers. Write him at david.garth.thompson () us pwcglobal com.