Organizations That Do Not Invest Even in Baseline Security Are Realistically Uncompetitive
Every year there are reports and surveys which make the case that security inhibits innovation, productivity and generally holds businesses back. I am not going to argue with that sentiment. Security requires that things are done in a certain manner, which can act as a constraint on wanting to do things a different way. What I do want to address is the notion that this is the case because security people just don’t get business. It’s actually the reverse – businesses do not get security. And this misconception is based on several fallacies, false beliefs and myths.
Security as an add-on cost
The first myth is that security is an add-on cost. It is not. Security is, instead, an inherent cost of using digital technologies. Any realistic calculation can only be done by weighing the two against each other – the gains of using digital technologies minus the cost of securing them. Only when that sum turns negative can it be considered an overhead. Digital technology has granted huge gains and enabled the world to manage complexities that would be impossible to deal with any other way.
This argument is like claiming that minimizing the chances that an airplane will crash is an unnecessary cost. Planes are metal tubes powered by mechanical engines that fly hundreds of miles up in the air. Crashing is an inherent risk of flying. But the benefit of an airplane is that it can get us safely to a destination in a much shorter time than taking a ship, driving or walking.
If every third plane crashed, people would find an alternative method. It would not be an appealing everyday mode of transport. There is always a slight probability that a given plane can crash – but that probability is negligible (according to statistics, flying is in fact far safer than driving). The productivity gains and time savings, on the other hand, are immediately discernible, as anyone who has ever sailed from Europe to the US can attest.
Security can be bolted on after the fact
The second myth is that security can be bolted on after the fact. It cannot. Security must be included from the beginning, or it can rarely be effective. Design decisions made without consideration for security can make good security challenging to impossible.
As an example, despite decades of bad experiences and lessons learned from prior technology generations such as mainframes and the Internet, best practices are regularly ignored when new technologies are introduced. From one technology evolution to the next, the expectation that security will be bolted on afterwards persists. IoT is the latest example of this axiom, where manufacturers rushing to market are oblivious to good security practices, with predictable consequences. Compared to the perception that security inhibits productivity and innovation, the reality is that bad security has a far greater negative impact. There’s no greater inhibitor to innovation than a lack of trust in a technology because it has been badly secured.
Making Security Easy
The greatest myth of all is that security people should make security easy. Good security isn’t easy, and many of the challenges and problems it must address do not actually derive from the security field.
This is like blaming a doctor for the fact that human bodies are frail. Similarly, since we know smoking increases our chances of getting lung cancer, we can’t smoke and then blame the doctor for not being able to cure the cancer. Security people don’t intentionally complicate business processes; the complication is often a by-product of providing good security. They too would prefer it to be easy.
There are discussions around enabling the business with security, which are of course ludicrous. Security enables a business to be secure and nothing else. This may provide a competitive advantage in some cases, but in general it has a very different basis. People don’t avoid sickness and injury, and stay alive, for a competitive advantage; they stay alive because the alternative is to be dead.
The alternative to good security is being breached – with all of the associated consequences: losing credibility, trust, intellectual property, money and not fulfilling regulatory compliance. Not being the victim of these things already enables the business.
Organizations that can’t afford even baseline security, which includes patching, are realistically uncompetitive. Until recently this has been ignored and businesses have gotten away lightly, but we are already seeing this change. Ask some of the former executives of Equifax if they would push the security team to prioritize innovation and productivity over security again.
It is easy to believe you are flying when you are actually falling, just because you haven’t hit the ground yet.