Wednesday, 22 August 2012

Security is a Contraceptive, but Ribbed!

During a recent conference presentation, I heard a speaker proclaim 'IT Security is a Contraceptive, it does nothing to improve performance', much to the amusement of the audience.

I completely disagree with that statement and regard it as an uninformed viewpoint by those who generally do IT and IT Security poorly, as in my experience I have seen how good IT security practises can have many positive effects on business performance. 
Consider one of the holy information security trinity (CIA Triad), "availability", which is all about "business availability", and tied to business performance.  When comes to availability security measures is very much part of the performance equation, the threat of malware and denial of service attacks should be assessed along with the threat of power outages and hardware failure. For example business critical web services which has not been built with a capacity to withstand denial of service attacks can cause business performance problems much worst than any random IT hardware failure or freak weather incident.

I have witnessed on countless occasions business IT department reluctantly introduce 'Change Control' against critical IT infrastructural to meet information security regulation. Every time this resulted in major shifts in stabilising the IT infrastructure, previously the business had just accepted it was normal practice for IT infrastructure to be unreliable like British trains. This IT stabilisation led to improved overall business performance, efficiency gains and ultimately more profits. 

But the final business benefit to performance is completely invisible, it is very hard to measure and can be near impossible to demonstrate to board members, that is the avoidance of data breaches. A data breach can have a serious negative impact on business performance, with breach investigations and remediation actions hitting hard on human resources across the business, especially within management. Breaches hit the margins too, can incur many short term costs hurting business budgets and projects, from large fines to drop in share prices, contract cancellations and contract penalties, and the loss of new business due to reputational damage.

So IT Security may well be a Contraceptive, but remember it is ribbed to increase performance.

No comments: