INFORMATION SECURITY WHITE PAPER The Economics of Security April 2010
Information Security White Paper The Economics of Security, April 2010
LIFE ON A CLOUD WITH A SMART PHONE
employee, who, by then, will have more kit at their
In just three years time current university
by its employers but being used on a corporate
students will be approaching their mid-20s
network that is literally a link between user owned
and already be established in the UK
devices and a data centre in the cloud. The spread of
workforce. They will be the young driving
the corporate IT infrastructure will be far greater, as it
force in organisations, keen to put their
spans personally owned computing devices and cloud
stamp on the way things are done, thus
based computing power within the corporate network.
inducing a radical switch in the way we do
This span will not only increase in terms of physical
business. This will be in areas where we
infrastructure, but also in terms of its range of use.
only debate and dabble today, but that will be automatic to the workforce of 2013. These changes include the means of communication, of networking and of collaborating both inside and outside work.
The workplace will be awash with technology owned
Social networks are so endemic to the next generation workforce that to ban their personal use will no longer be acceptable. Work and non-work boundaries will become not just blurred but totally nonexistent. Work patterns will flex beyond known
Look at the average 20 year old today and you
capabilities. New mindsets in the workplace will be
will see insights into the future working practice of
required to deal with the information addiction that
business. Consciousness about how, where and
our newest employees demand. Productivity, to them,
when to communicate and access information, will be
will be based on doing what’s needed, when it’s
replaced by a mindset that demands to do so without
needed, and that covers both work and non-work life
thinking, wherever they are, with whatever tools are at
at any point in 24 hours.
their disposal or of their choosing. Business life will operate largely from a smart phone, notebook or thin client, not a PC and a desk in the traditional sense. The tools of the trade will be social networking sites, online meeting places, text and IM as much as email and phone. In fact, the means of communication will
While every work situation is different, for example there is not much justification for nurses being on Facebook when they are looking after patients, for people whose jobs are predominantly computerbased, this blurring of boundaries is inevitable.
become irrelevant to the user, who in many cases will
What we’re describing is not a million miles away,
be unaware of the application they are using. The tools
it is less than three years from now. Over the next
of the job will simply merge into one interface and
few years we will see organisations develop
information pipe that analyses what you are doing or
comprehensive strategies for cloud computing,
saying and to whom, routing it the most effective way.
CIOs focus more on information services than assets
The days of a new employee starting work and receiving their standard issue hardware from an employer will be gone. The employers’ duty will be purely on giving and managing access to the
personal disposal than the company can provide.
and new employees bring the most advanced IT user knowledge into the workplace ever. It’s only going to continue. What we are dealing with today is the tip of the iceberg.
information each employee needs to do their job.
So why does all of this matter? Because, these
The means of doing so will be the choice of the
changes will mean a radically altered view of the role
role of security. It’s no longer just about protection
to securing your organisation for success.
and locking up your data. It’s about letting
The origins of information security date back to a
data flow as freely as is securely possible to
time in the not so distant past, but when organisations
achieve the best economic returns and results for
were vastly different to what they will be in just five
Personally owned computing devices in the workplace
Managing information access and control for users
trigger a necessary change in mindset and approach
years. The threats are changing but so is the
of information security in organisations and also
Cloud based computing power supporting the business
SECURITY: ORIGIN OF SPECIES
So, information security really started to matter when
When the film War Games was released in
organisation’s IT infrastructure via this new unsecured
1983, the Web was a largely unknown
global network was the gauntlet needed for hackers
phenomenon. While the term hacker had
who, largely for reasons of personal pride and belief
been used by those in the know since the ‘60s it was at this point that the concept of breaking into someone else’s computer system (usually a major corporation or the government) became public knowledge.
the web became a serious business tool and the floodgates opened. The possibility of accessing an
that computers should be free and open, were hell bent on ‘getting in.’ Much of the early days was about experimentation to see what was possible, with no personal malice or intent to make money intended. Hackers simply wanted to know what they could do with data inside an organisation
War Games may have been a fictional story but it
once they had got access to it. It was a backlash
was to be a powerful ‘early warning’ for companies
against large organisations that were seen as starting
and government departments on what was to
to use computers as an aid to capitalism. Hackers
transpire over the subsequent quarter century. This
were revolutionary in their own minds; their origins
fictional account was, ironically, soon followed by
were not in criminality but in an early belief of the
fact, when the first real hacker case occurred the
power of open computing. Their implied power,
same year involving a group of American teenagers. It was at this point that the US Government published
however, put fear into the heart of large corporations and governments.
its first laws on computer criminality. The rest, as they
And so the IT security industry was born, defined very
say, is history.
clearly by three words – fear, uncertainty and doubt.
Information Security White Paper The Economics of Security, April 2010
By playing to the negative core of this maligned and misunderstood new threat to existence, the security industry established itself as the white knight which would defend us against each and every new threat. Initially, scepticism meant that it was simply a question of whether you believed the FUD or not; did you or didn’t you need information security
Two pictures have just been painted, in the same style but depicting two very different moods. The first is one of a brave new world, where truly open business collaboration becomes more than vision and desire, but nature. The second picture is one
protection? Gradually people decided they did, but
which deplores, or loves, that first scenario,
this evolved rapidly and the need became a standard
depending on whether you play for the
business requirement. Many questions arose about
good side or the bad side.
the level of protection you had – was it sufficient, was it up to date, the most comprehensive, with an increasing band of vendors constantly trying to outdo each other.
The average organisation will, or course, fear the casual attitude of future workers wanting anytime anywhere information, to be able to chat freely, choose their means and methods and explore with
The burgeoning world of enterprise software, clever
limitless boundaries. The organised criminal gangs
tools that made computers much more powerful, in
looking for new ways to make large sums will
the 1990s, created real fodder for security. As IT and software become more centric to business processes,
welcome these changes and attitudes with open arms.
unauthorised access provided increasingly large
And there lies the problem. We are heading for a bi-
opportunities to alter the fate of those business
polar world with an incoming preference and culture
processes and provide access to critical data. Like
of freedom and flexibility lauded over by a heritage
Darwinian theory the security industry evolved totally
of control, lock down and management. How do
on the nature of its surroundings. Since, organisations
organisations balance these two critical areas and
have spent millions protecting themselves against the
achieve relative freedom but still maintain their secure
fear, uncertainty and doubt that comes with the threats to IT and data.
boundaries? Too much freedom and too little control might realise short term gain for the organisation –
FUD will always lead people to over protect, or to put
fuller collaboration, more productivity, better
protection before possibilities. Doing so hinders an
relationships – but may leave many holes in the
organisations’ ability to grow, succeed, survive and
organisation’s information security armour which
develop. The evolution of information threats has
could easily be its downfall. Too much control will
accentuated this because it is now an organised threat with malicious intent. The free computer crusaders of the 1980s have long been replaced by serious criminals with money their only goal. If the industry was founded on fear 20 to 30 years ago, that fear is now on a scale that could never have
NEVER THE TWAIN...
mean that your workforce is not fully exploring its full potential and will by default severely blinker your organisation to the possibilities that await it. As people drive towards a new freedom of communication and information but organisations
been foreseen back then. Security has become the
pull us back to an ordered and restricted structure,
biggest threat to our business, not only due to the
we need to help our future colleagues to define what
criticality of data but also due to its power to make us
is not only acceptable and secure, but what is optimal
much more risk averse than is actually good for us.
in terms of success and growth.
THE ECONOMICS OF SECURITY THEORY
3. If the inverse of No. 2 is true then your security measures are too stringent. 4. A lesson in trust can be equally if not more
Enter the economics of security theory,
beneficial to your workforce than a security
Redstone’s belief that, in the near future,
information security will have the power to be more than just an insurance policy.
5. It’s not tomorrow’s modes of communication that are insecure, it is the people who do not
With the controls set correctly, security will be the new rudder that steers the organisation towards increased success or achievement of its business goals. While it will always be difficult to measure the ROI from security investments, the economics of security theory
understand them well enough. 6. Security is there to serve the business; business is not there to serve security. 7. Active data, irrespective of how or where it is
is the belief that the economic future of organisations
accessed is the critical corporate asset. It must be
and their information security measures are far more
monitored but managed.
inextricable than simply the fact that, one day, those
8. In no uncertain terms should organisations reduce
measures may prevent a large crisis or disaster.
or forget security, they should however review its
The economics of security theory states that every
daily security decision directly affects every economic
The economics of security theory defines three types
outcome. Insufficient security may make the level of
of organisation based on their attitude to security and
risk outweigh the potential benefits of more open
the impact it has on them:
exploration of ideas and information freedom. Excessive security, or ‘lock down’ will stifle innovation and productivity to a point where the workforce ‘cannot move’ when the competition can. Optimal
– Downhill Sliders – Peak Performers – Uphill Strugglers
security will allow as much freedom and exploration as possible without increasing the risk too significantly.
The rate of development in security technologies and
Downhill Sliders are the organisations of
their need for precision accuracy means that the
yesterday that have failed to change and
‘economics of security’ will be a viable business
adapt to new technology and modus
model in five years time.
The eight truths of the economics of security approach: 1. Corporate information security must never be on default full volume; it must start on 0 and be increased to the minimum point necessary. 2. If your staff morale and performance is affected more by security breaches than it is by lack of
Their heavy duty security approaches will become unworkable for a modern workforce and customer base and they will be constantly playing lip service to new methods without actually delivering. Key traits include: – Organisations that are too risk averse in their nature with over-engineered security measures that hinder open collaboration. – Workforce empowerment is limited, reducing
information access then your security measures
morale and loyalty and creating subversive
are too relaxed.
employee behaviour to ‘beat the system.’
Information Security White Paper The Economics of Security, April 2010
– Customer communication is highly secure but
the lack of security measures will become wearing
service operatives are ill informed, impacting
on employees when they are personally put at risk.
loyalty and ability to serve. – As new generations become the main market for these companies they will fail because their security policies do not allow them to communicate with customers in their chosen way. – Personal technology and social networking is banned in the workplace which leads to policy breaking and reduced staff flexibility. – Productivity is impacted by too many closed doors affecting service delivery, revenues and profit. – Entry level recruitment challenges caused by
– Customers like dealing with them but trust becomes an issue when data is lost or mislaid, or when service operators are over familiar with the situation. – The company’s IT infrastructure becomes a minefield with no checks taking place on the personal technology being used on corporate networks. – As a result of the above these companies will become a nightmare to do business with. – Careless security breaches lead to fines, for example, The Data Protection Act, or even litigation against the company; leading to losses
ageing brand perception amongst young people.
and a bruised reputation. People steer clear of
Old style security means this isn’t a company
people want to work for. – The cyclical effect of the above causes damage – Complex policies are not understood and not adhered to anyway.
to the company which almost permanently restricts its ability to reach positive levels of productivity and profitability.
Uphill strugglers Uphill Strugglers are the organisations for whom data loss and malicious attacks are severely hindering their progress. They may well be newer organisations without the heritage to know that being too risk-seeking does not
Peak Performers Peak Performers will be those organisations that correctly define their security needs in line with both their business objectives and
provide a sustainable business model. They can
the nature in which the business needs to
adapt and flex as needed in their work but have little
work, operate and communicate with its
or no benchmarks on which to founder basic security
requirements. When opportunity knocks they come running regardless of the risk. But, as a result they are failing to grow or gain critical mass due to significant losses denting their brand and financial performance. Key traits include:
Unlike Downhill Sliders they will map security needs onto business goals and work to balance risk and reward. It will not have less focus on security than Downhill Sliders but its focus will be different. Rather than aiming to control and manage information access,
– Organisations that are risk-takers by nature, they won’t let any security concerns get in the way of
is checked based upon the parameters of usage – user,
doing the deal.
recipient, application, part of network used.
– Can often be seen as very trendy or hot organisations to work for in the short term but even
Peak Performers will aim to ensure that all ‘active data’
Unlike Uphill Strugglers however, Peak Performers will not underestimate the need for security. They will not
take unnecessary risks but adapt their approach to
– Workplace morale will be extremely high due to
security to allow maximum ‘information footfall’ within
a strong team ethic and greater understanding
set policies and boundaries. Key traits include:
of trust alongside the knowledge that malicious
– Organisations that will take calculated but not
attacks must be avoided at all costs.
extreme risks in their operation because they
– New generations will adopt these companies as
have worked out that the potential benefit of
their favourites because they are extremely easy
change and modernisation of information
to do business with and highly trustworthy.
exchange outweighs the potential risks.
– A relaxation of personal / work boundaries will work two ways. It will achieve greater productivity
– Highly collaborative workforces operating within agile supply chains. Finding an optimal
from staff that will be more willing to work when
way of working and getting things done will be
required but also allow them the freedom to carry
paramount, but there will be checks to ensure
out personal tasks like use of Facebook during
unnecessary risks are not taking place.
working hours. – Productivity reaches an all time high. Security threats
– Simplicity and common sense will prevail in
are kept at bay but lock down is a long way away.
security policies and procedures.
The ’Economics of Security‘ curve Productivity and profitability
100 90 80 70 60 50 40 30 20 10 0
Lowland Strugglers Low information security measures
Peak Performers Optimal information security measures
Downhill Sliders High information security measures
performance. As new generations with new attitudes
In three years time chief information security officers
to different challenges and achieve a much finer
will not simply be kept awake at night by the
balance between fear and risk, and opportunity and
performance of their data loss prevention software or
openness. Thud factor (to the business) will be as
protection against malicious attack. Rather, they will
important as FUD factor is in all security decisions and
be concerned with whether their security measures are
purposed as we turn to the economics of security and
enabling or disabling the business and its
swap our fears of the past for a brave new world.
enter the workplace we will need to find new answers
Offices in Birmingham, Cambridge, London and Stoke-on-Trent t: 0845 201 0026
Published on Aug 2, 2010