The Security Conundrum

It’s hard not to worry about security. Even though I live in one of the safest cities of America (according to recent crime statistic ratings), I lock my car doors in the driveway and lock my house doors when I leave. The statistics might say that’s unnecessary, but it didn’t feel unnecessary last summer when two houses on my street were broken into (one in broad daylight) and miscellaneous household things were taken. What should I be doing to protect myself and my belongings? And what about from a technology and privacy perspective—it’s one thing if someone takes my TV, it’s another if they take my laptop or memory cards with personal and corporate data on them. Making sure I’m doing the right thing to ensure security is important, even when you live in one of the safest cities in America.

It’s easy to be frozen by fear from security concerns—especially nowadays when security and privacy issues are top of mind for many C-level executives and corporate boards. The visible impact of security breaches on large brand-name companies (for example, my local paper, the Boston Globe, recently had to announce to tens of thousands of subscribers that it had accidentally disclosed their credit and debit card numbers—oops!) makes the security issue seem not only more real but more possible. Recent regulatory requirements and greater scrutiny also mean that organizations are more focused on security, and on the implications of poor security practices, than ever before.

Today there’s a wide array of potential risks associated with security or privacy threats. At the top level there are threats to a company’s brand and reputation if or when it becomes the target of a successful attack or exposes secure data through negligence or incompetence. For example, a cable company that accidentally exposed the names of its subscribers and their billing information would put its brand and reputation at risk. Another potential issue is compliance and regulatory requirements and the risk that security breaches or lapses open up for an organization, as well as just plain old concern over corporate data that might fall into competitors’ hands.

However, organizations also have to balance these (and other) security risks and implications with a range of business issues. For example, security costs money and takes resources. Can an organization justify the investment it has made, or wants to make, in security technologies or resources? Will the end—a more secure organization—justify the means and expense? How will an organization’s security procedures or technologies affect its ability to do business? In addition, security threats and potential vulnerabilities are increasing in complexity and sophistication every day, making it more difficult (if not more expensive) to ensure protection.

Lastly, and this is possibly the most important issue facing companies, is the extent to which security threats and potential issues affect or inhibit new business models and business growth. Organizations that ignore or avoid potential opportunities—such as developing a new business partnership, offering a new service that carries more demanding privacy requirements, or streamlining a business process that could expose private data—are not acting in the best interests of their stockholders or themselves. Frequently, organizations take (or avoid taking) these types of steps simply because they can’t or don’t have a way to evaluate and mitigate risks.

But of course, the question is what to do? There’s plenty of reason to take a bunker-oriented approach, battening down the hatches and preparing to fend off whatever nefarious attacks come your way. Secure your data, lock your doors, put the valuables in the safe.

To some extent, one of the potential problems in addressing security concerns is the very fact that they’re never ending—a good security approach is pretty much the same as the directions for shampooing: lather, rinse, repeat. In order to address security concerns in a viable way, organizations have to start by assessing where they stand and understanding the potential security risks. Then decisions have to be made to either improve security in selected areas or accept the level of risk and protection in the existing security precautions. The second step is then planning, designing, and building an improved security environment, as determined by the objectives defined in step one. Lastly, of course (this is the repeat step), organizations need to evaluate their changes and measure their effectiveness, and then go back and re-evaluate the entire security plan and policies on a regular basis or whenever business needs or the environment change.

These are certainly good steps and are required for all real security solutions. But I also think that part of the solution is looking at security problems a little differently than we have traditionally looked at them. Possibly there’s another approach—one that mixes safety with opportunity and balances potential risks against potential gains and the extra costs that implementing security policies requires. I believe that the best approach is for organizations not to simply react to potential security threats, but to take a holistic approach to security and threat management, balancing risks against opportunities and costs. In my next column, we’ll explore this idea a bit more and identify how a more proactive, less reactive approach to security can actually benefit IT departments and organizations and potentially increase opportunities instead of simply absorbing endless amounts of resources, time and money.

About the Author

David Kelly - With twenty years at the cutting edge of enterprise infrastructure, David A. Kelly is ebizQ's Community Manager for Optimizing Business/IT Management. This category includes IT governance, SOA governance and compliance, risk management, ITIL, business service management, registries and more.

As Community Manager, David will blog and podcast to keep the ebizQ community fully informed on all the important news and breakthroughs relevant to enterprise governance. David will also be responsible for publishing press releases, taking briefings, and overseeing vendor-submitted feature articles to run on ebizQ. In addition, each week, David will compile the week's most important news and views in a newsletter emailed to ebizQ's ever-growing Governance community. David Kelly is ideally suited to be ebizQ's Governing the Infrastructure Community Manager, as he has been involved with application development, project management, and product development for over twenty years. As a technology and business analyst, David has been researching, writing and speaking on governance-related topics for over a decade.

David is an expert in Web services, application development, and enterprise infrastructures. As the former Senior VP of Analyst Services at Hurwitz Group, he has extensive experience in translating the implications of new application development, deployment, and management technologies into practical recommendations for enterprise customers. He's written articles for Computerworld, Software Magazine, the New York Times, and other publications, and spoken at conferences such as Comdex, Software Development, and Internet World. With expertise ranging from application development to enterprise management to integration/B2B services to IP networking and VPNs, Kelly can help companies profit from the diversity of a changing technology landscape.
