Page 1

WP_finalartwork:Layout 1



Page 2

INFORMATION SECURITY WHITE PAPER The Economics of Security April 2010

WP_finalartwork:Layout 1



Page 3

Information Security White Paper The Economics of Security, April 2010


employee, who, by then, will have more kit at their

In just three years time current university

by its employers but being used on a corporate

students will be approaching their mid-20s

network that is literally a link between user owned

and already be established in the UK

devices and a data centre in the cloud. The spread of

workforce. They will be the young driving

the corporate IT infrastructure will be far greater, as it

force in organisations, keen to put their

spans personally owned computing devices and cloud

stamp on the way things are done, thus

based computing power within the corporate network.

inducing a radical switch in the way we do

This span will not only increase in terms of physical

business. This will be in areas where we

infrastructure, but also in terms of its range of use.

only debate and dabble today, but that will be automatic to the workforce of 2013. These changes include the means of communication, of networking and of collaborating both inside and outside work.

The workplace will be awash with technology owned

Social networks are so endemic to the next generation workforce that to ban their personal use will no longer be acceptable. Work and non-work boundaries will become not just blurred but totally nonexistent. Work patterns will flex beyond known

Look at the average 20 year old today and you

capabilities. New mindsets in the workplace will be

will see insights into the future working practice of

required to deal with the information addiction that

business. Consciousness about how, where and

our newest employees demand. Productivity, to them,

when to communicate and access information, will be

will be based on doing what’s needed, when it’s

replaced by a mindset that demands to do so without

needed, and that covers both work and non-work life

thinking, wherever they are, with whatever tools are at

at any point in 24 hours.

their disposal or of their choosing. Business life will operate largely from a smart phone, notebook or thin client, not a PC and a desk in the traditional sense. The tools of the trade will be social networking sites, online meeting places, text and IM as much as email and phone. In fact, the means of communication will

While every work situation is different, for example there is not much justification for nurses being on Facebook when they are looking after patients, for people whose jobs are predominantly computerbased, this blurring of boundaries is inevitable.

become irrelevant to the user, who in many cases will

What we’re describing is not a million miles away,

be unaware of the application they are using. The tools

it is less than three years from now. Over the next

of the job will simply merge into one interface and

few years we will see organisations develop

information pipe that analyses what you are doing or

comprehensive strategies for cloud computing,

saying and to whom, routing it the most effective way.

CIOs focus more on information services than assets

The days of a new employee starting work and receiving their standard issue hardware from an employer will be gone. The employers’ duty will be purely on giving and managing access to the


personal disposal than the company can provide.

and new employees bring the most advanced IT user knowledge into the workplace ever. It’s only going to continue. What we are dealing with today is the tip of the iceberg.

information each employee needs to do their job.

So why does all of this matter? Because, these

The means of doing so will be the choice of the

changes will mean a radically altered view of the role

WP_finalartwork:Layout 1



Page 4

role of security. It’s no longer just about protection

to securing your organisation for success.

and locking up your data. It’s about letting

The origins of information security date back to a

data flow as freely as is securely possible to

time in the not so distant past, but when organisations

achieve the best economic returns and results for

were vastly different to what they will be in just five

the organisation.

Personally owned computing devices in the workplace

Managing information access and control for users

Corporate network

trigger a necessary change in mindset and approach

IT department

years. The threats are changing but so is the


of information security in organisations and also

Cloud based computing power supporting the business


So, information security really started to matter when

When the film War Games was released in

organisation’s IT infrastructure via this new unsecured

1983, the Web was a largely unknown

global network was the gauntlet needed for hackers

phenomenon. While the term hacker had

who, largely for reasons of personal pride and belief

been used by those in the know since the ‘60s it was at this point that the concept of breaking into someone else’s computer system (usually a major corporation or the government) became public knowledge.

the web became a serious business tool and the floodgates opened. The possibility of accessing an

that computers should be free and open, were hell bent on ‘getting in.’ Much of the early days was about experimentation to see what was possible, with no personal malice or intent to make money intended. Hackers simply wanted to know what they could do with data inside an organisation

War Games may have been a fictional story but it

once they had got access to it. It was a backlash

was to be a powerful ‘early warning’ for companies

against large organisations that were seen as starting

and government departments on what was to

to use computers as an aid to capitalism. Hackers

transpire over the subsequent quarter century. This

were revolutionary in their own minds; their origins

fictional account was, ironically, soon followed by

were not in criminality but in an early belief of the

fact, when the first real hacker case occurred the

power of open computing. Their implied power,

same year involving a group of American teenagers. It was at this point that the US Government published

however, put fear into the heart of large corporations and governments.

its first laws on computer criminality. The rest, as they

And so the IT security industry was born, defined very

say, is history.

clearly by three words – fear, uncertainty and doubt.


WP_finalartwork:Layout 1



Page 5

Information Security White Paper The Economics of Security, April 2010

By playing to the negative core of this maligned and misunderstood new threat to existence, the security industry established itself as the white knight which would defend us against each and every new threat. Initially, scepticism meant that it was simply a question of whether you believed the FUD or not; did you or didn’t you need information security

Two pictures have just been painted, in the same style but depicting two very different moods. The first is one of a brave new world, where truly open business collaboration becomes more than vision and desire, but nature. The second picture is one

protection? Gradually people decided they did, but

which deplores, or loves, that first scenario,

this evolved rapidly and the need became a standard

depending on whether you play for the

business requirement. Many questions arose about

good side or the bad side.

the level of protection you had – was it sufficient, was it up to date, the most comprehensive, with an increasing band of vendors constantly trying to outdo each other.

The average organisation will, or course, fear the casual attitude of future workers wanting anytime anywhere information, to be able to chat freely, choose their means and methods and explore with

The burgeoning world of enterprise software, clever

limitless boundaries. The organised criminal gangs

tools that made computers much more powerful, in

looking for new ways to make large sums will

the 1990s, created real fodder for security. As IT and software become more centric to business processes,

welcome these changes and attitudes with open arms.

unauthorised access provided increasingly large

And there lies the problem. We are heading for a bi-

opportunities to alter the fate of those business

polar world with an incoming preference and culture

processes and provide access to critical data. Like

of freedom and flexibility lauded over by a heritage

Darwinian theory the security industry evolved totally

of control, lock down and management. How do

on the nature of its surroundings. Since, organisations

organisations balance these two critical areas and

have spent millions protecting themselves against the

achieve relative freedom but still maintain their secure

fear, uncertainty and doubt that comes with the threats to IT and data.

boundaries? Too much freedom and too little control might realise short term gain for the organisation –

FUD will always lead people to over protect, or to put

fuller collaboration, more productivity, better

protection before possibilities. Doing so hinders an

relationships – but may leave many holes in the

organisations’ ability to grow, succeed, survive and

organisation’s information security armour which

develop. The evolution of information threats has

could easily be its downfall. Too much control will

accentuated this because it is now an organised threat with malicious intent. The free computer crusaders of the 1980s have long been replaced by serious criminals with money their only goal. If the industry was founded on fear 20 to 30 years ago, that fear is now on a scale that could never have



mean that your workforce is not fully exploring its full potential and will by default severely blinker your organisation to the possibilities that await it. As people drive towards a new freedom of communication and information but organisations

been foreseen back then. Security has become the

pull us back to an ordered and restricted structure,

biggest threat to our business, not only due to the

we need to help our future colleagues to define what

criticality of data but also due to its power to make us

is not only acceptable and secure, but what is optimal

much more risk averse than is actually good for us.

in terms of success and growth.

WP_finalartwork:Layout 1



Page 6


3. If the inverse of No. 2 is true then your security measures are too stringent. 4. A lesson in trust can be equally if not more

Enter the economics of security theory,

beneficial to your workforce than a security

Redstone’s belief that, in the near future,

monitoring system.

information security will have the power to be more than just an insurance policy.

5. It’s not tomorrow’s modes of communication that are insecure, it is the people who do not

With the controls set correctly, security will be the new rudder that steers the organisation towards increased success or achievement of its business goals. While it will always be difficult to measure the ROI from security investments, the economics of security theory

understand them well enough. 6. Security is there to serve the business; business is not there to serve security. 7. Active data, irrespective of how or where it is

is the belief that the economic future of organisations

accessed is the critical corporate asset. It must be

and their information security measures are far more

monitored but managed.

inextricable than simply the fact that, one day, those

8. In no uncertain terms should organisations reduce

measures may prevent a large crisis or disaster.

or forget security, they should however review its

The economics of security theory states that every

value regularly.

daily security decision directly affects every economic

The economics of security theory defines three types

outcome. Insufficient security may make the level of

of organisation based on their attitude to security and

risk outweigh the potential benefits of more open

the impact it has on them:

exploration of ideas and information freedom. Excessive security, or ‘lock down’ will stifle innovation and productivity to a point where the workforce ‘cannot move’ when the competition can. Optimal

– Downhill Sliders – Peak Performers – Uphill Strugglers

security will allow as much freedom and exploration as possible without increasing the risk too significantly.

Downhill Sliders

The rate of development in security technologies and

Downhill Sliders are the organisations of

their need for precision accuracy means that the

yesterday that have failed to change and

‘economics of security’ will be a viable business

adapt to new technology and modus

model in five years time.


The eight truths of the economics of security approach: 1. Corporate information security must never be on default full volume; it must start on 0 and be increased to the minimum point necessary. 2. If your staff morale and performance is affected more by security breaches than it is by lack of

Their heavy duty security approaches will become unworkable for a modern workforce and customer base and they will be constantly playing lip service to new methods without actually delivering. Key traits include: – Organisations that are too risk averse in their nature with over-engineered security measures that hinder open collaboration. – Workforce empowerment is limited, reducing

information access then your security measures

morale and loyalty and creating subversive

are too relaxed.

employee behaviour to ‘beat the system.’


WP_finalartwork:Layout 1



Page 7

Information Security White Paper The Economics of Security, April 2010

– Customer communication is highly secure but

the lack of security measures will become wearing

service operatives are ill informed, impacting

on employees when they are personally put at risk.

loyalty and ability to serve. – As new generations become the main market for these companies they will fail because their security policies do not allow them to communicate with customers in their chosen way. – Personal technology and social networking is banned in the workplace which leads to policy breaking and reduced staff flexibility. – Productivity is impacted by too many closed doors affecting service delivery, revenues and profit. – Entry level recruitment challenges caused by

– Customers like dealing with them but trust becomes an issue when data is lost or mislaid, or when service operators are over familiar with the situation. – The company’s IT infrastructure becomes a minefield with no checks taking place on the personal technology being used on corporate networks. – As a result of the above these companies will become a nightmare to do business with. – Careless security breaches lead to fines, for example, The Data Protection Act, or even litigation against the company; leading to losses

ageing brand perception amongst young people.

and a bruised reputation. People steer clear of

Old style security means this isn’t a company

these companies.

people want to work for. – The cyclical effect of the above causes damage – Complex policies are not understood and not adhered to anyway.

to the company which almost permanently restricts its ability to reach positive levels of productivity and profitability.

Uphill strugglers Uphill Strugglers are the organisations for whom data loss and malicious attacks are severely hindering their progress. They may well be newer organisations without the heritage to know that being too risk-seeking does not

Peak Performers Peak Performers will be those organisations that correctly define their security needs in line with both their business objectives and

provide a sustainable business model. They can

the nature in which the business needs to

adapt and flex as needed in their work but have little

work, operate and communicate with its

or no benchmarks on which to founder basic security

many stakeholders.

requirements. When opportunity knocks they come running regardless of the risk. But, as a result they are failing to grow or gain critical mass due to significant losses denting their brand and financial performance. Key traits include:

Unlike Downhill Sliders they will map security needs onto business goals and work to balance risk and reward. It will not have less focus on security than Downhill Sliders but its focus will be different. Rather than aiming to control and manage information access,

– Organisations that are risk-takers by nature, they won’t let any security concerns get in the way of

is checked based upon the parameters of usage – user,

doing the deal.

recipient, application, part of network used.

– Can often be seen as very trendy or hot organisations to work for in the short term but even


Peak Performers will aim to ensure that all ‘active data’

Unlike Uphill Strugglers however, Peak Performers will not underestimate the need for security. They will not

WP_finalartwork:Layout 1



Page 8

take unnecessary risks but adapt their approach to

– Workplace morale will be extremely high due to

security to allow maximum ‘information footfall’ within

a strong team ethic and greater understanding

set policies and boundaries. Key traits include:

of trust alongside the knowledge that malicious

– Organisations that will take calculated but not

attacks must be avoided at all costs.

extreme risks in their operation because they

– New generations will adopt these companies as

have worked out that the potential benefit of

their favourites because they are extremely easy

change and modernisation of information

to do business with and highly trustworthy.

exchange outweighs the potential risks.

– A relaxation of personal / work boundaries will work two ways. It will achieve greater productivity

– Highly collaborative workforces operating within agile supply chains. Finding an optimal

from staff that will be more willing to work when

way of working and getting things done will be

required but also allow them the freedom to carry

paramount, but there will be checks to ensure

out personal tasks like use of Facebook during

unnecessary risks are not taking place.

working hours. – Productivity reaches an all time high. Security threats

– Simplicity and common sense will prevail in

are kept at bay but lock down is a long way away.

security policies and procedures.

The ’Economics of Security‘ curve Productivity and profitability

100 90 80 70 60 50 40 30 20 10 0

Lowland Strugglers Low information security measures

Peak Performers Optimal information security measures

Downhill Sliders High information security measures


performance. As new generations with new attitudes

In three years time chief information security officers

to different challenges and achieve a much finer

will not simply be kept awake at night by the

balance between fear and risk, and opportunity and

performance of their data loss prevention software or

openness. Thud factor (to the business) will be as

protection against malicious attack. Rather, they will

important as FUD factor is in all security decisions and

be concerned with whether their security measures are

purposed as we turn to the economics of security and

enabling or disabling the business and its

swap our fears of the past for a brave new world.

enter the workplace we will need to find new answers


WP_finalartwork:Layout 1



Page 1

Offices in Birmingham, Cambridge, London and Stoke-on-Trent t: 0845 201 0026

Information Security White Paper from Redstone  
Information Security White Paper from Redstone  

Redstone looks at balancing IT security to allow businesses to flourish.