SecurityWeek

The Myth of Security Enabling Your Business

IT Security Myths

Organizations That Do Not Invest Even in Baseline Security Are Realistically Uncompetitive

Every year there are reports and surveys which make the case that security inhibits innovation, productivity and generally holds businesses back. I am not going to argue with that sentiment. Security requires that things are done in a certain manner, which can act as a constraint on wanting to do things a different way. What I do want to address is the notion that this is the case because security people just don’t get business. It’s actually the reverse – businesses do not get security. And this misconception is based on several fallacies, false beliefs and myths. 

Security as an add-on cost

The first myth is that security is an add-on cost. It is not. Security is, instead, an inherent cost of using digital technologies. Any realistic calculation can only be done by weighing the two against each other – the gains of using digital technologies minus the cost of securing them. Only when that sum turns negative can it be considered an overhead. Digital technology has granted huge gains and enabled the world to manage complexities that would be impossible to deal with any other way.

This argument is like claiming that minimizing the chances that an airplane will crash is an unnecessary cost. Planes are metal tubes powered by mechanical engines that fly hundreds of miles up in the air. Crashing is an inherent risk of flying. But the benefit of an airplane is that it can get us safely to a destination in a much shorter time than taking a ship, driving or walking.

If every third plane crashed, people would find an alternative method. It would not be an appealing everyday mode of transport. There is always a slight probability that a given plane can crash – but that probability is negligible (according to statistics, flying is in fact far safer than driving). The productivity gains and time savings, on the other hand, are immediately discernible, as anyone who has ever sailed from Europe to the US can attest.

Security can be bolted on after the fact

The second myth is that security can be bolted on after the fact. It cannot. Security must be included from the beginning, or it can rarely be effective. Design decisions made without consideration for security can make good security challenging to impossible.

As an example, despite decades of bad experiences and lessons learned from prior technology generations such as mainframes and the Internet, best practices are regularly ignored when new technologies are introduced. From one technology evolution to the next, the expectation that security will be bolted on afterwards persists. IoT is the latest example of this axiom, where manufacturers rushing to market are oblivious to good security practices, with predictable consequences. Compared to the perception that security inhibits productivity and innovation, the reality is that bad security has a far greater negative impact. There’s no greater inhibitor to innovation than a lack of trust in a technology because it has been badly secured.

Making Security Easy

The greatest myth of all is that security people should make security easy. Good security isn’t easy, and many of the challenges and problems it must address do not actually derive from the security field.

This is like blaming a doctor for the fact that human bodies are frail. Similarly, since we know smoking increases our chances of getting lung cancer, we can’t smoke and then blame the doctor for not being able to cure the cancer. Security people don’t intentionally complicate business processes; instead, it is often a by-product of providing good security. They, too, would prefer it to be easy.

There are discussions around enabling the business with security, which are of course ludicrous. Security enables a business to be secure and nothing else. This may provide a competitive advantage in some cases, but in general it has a very different basis. People don’t try to avoid sickness and injury and stay alive for a competitive advantage; they stay alive because the alternative is to be dead.

The alternative to good security is being breached – with all of the associated consequences: losing credibility, trust, intellectual property and money, and not fulfilling regulatory compliance. Not being the victim of these things already enables the business.

Organizations that can’t afford even baseline security, which includes patching, are realistically uncompetitive. Until recently this has been ignored and businesses have gotten away lightly, but we are already seeing this change. Ask some of the former executives of Equifax if they would push the security team to prioritize innovation and productivity over security again.

It is easy to believe you are flying when you are actually falling, just because you haven’t hit the ground yet.
