IT Security - At What Cost?
IT Security solutions are expensive. Considering the pricing pressures that competition puts on businesses, how much should one spend on IT Security? How safe is safe? These are questions on every CIO’s mind. The key issue with IT Security is that it plays on fear: the fear of what happens if something is not in place. This leads to Organizations being pushed towards high-end solutions whose capabilities may never be used.
As the CIO of a mid-sized IT Organization, I use a simple measure to determine what we need to invest in IT Security. The measure is directly related to Business Risk. The usual tendency amongst most of us is to classify all information as confidential, on the assumption that any access by people who are not authorized will lead to business risk and competitive disadvantage. However, this is not necessarily true.
Identifying the right data to secure
Each organization works differently: the information it captures is specific to it, and so are the risks associated with that information. Let me take an example to illustrate this point.
Generically, as we all agree, Sales information is sensitive and must be protected by employing the highest levels of IT Security. Consider two organizations:
Organization 1: A Manufacturing Organization which supplies standard material to Enterprise Customers and stores Sales information such as Sales Orders and Invoices in its ERP system. The discounting models vary across Customers and are kept extremely confidential in its ERP.
Organization 2: A Services Organization that deals predominantly with government contracts. This Organization also stores Sales Information such as Sales Orders and Invoices in its ERP system. The calculations for each tender are complicated and are maintained on the desktops / laptops of certain key employees in the Sales and Finance departments.
For the CIO of Organization 1, it is important to protect the ERP and the data stored in it. Access to the Sales module of the ERP should be controlled, and users across the organization should not be allowed to download any of this data, since it is competitive information and can decide whether deals are won or lost. Any IT Security solution that enables these controls in the ERP system should be implemented.
Let us now come to Organization 2. Since this Organization mainly deals with Government tenders, the final Sales price is well known to multiple parties, including the competition. In fact, in most cases, the final prices are even displayed on the respective Government websites. For this Organization, heavy investment in IT Security systems to protect the ERP data may be misplaced. Instead, the most important data is how the final price was arrived at. Those workings live on a few desktops / laptops, and hence it is on these machines that controls need to be implemented.
As can be seen from the above example, we must first identify which data is sensitive for an Organization, aligned to its Business objectives. The same data need not carry the same sensitivity across all Organizations and hence needs to be treated differently. The data that needs to be protected can vary vastly based on parameters such as:
1. Business that the Organization is engaged in
2. Type of customers / Vendors / Employees
3. Regulatory and Contractual obligations
4. Value of data to its competitors
5. Point of origin of sensitive data in an organization
6. Points of use of sensitive data
7. IT systems being used, etc.
Once the above is understood, it becomes a little easier to identify the high-risk areas. Once the high-risk areas are identified, the next step is to identify the right solution.
Identifying the right solution
Security technologies are developing at a rapid pace and so are the threats. The critical parameters that help in identifying the right solution are:
• Data Sensitivity Classification – As explained in the earlier example, data classification based on sensitivity is the key to selecting a fit-for-purpose solution. The sharper the classification, the better the solution.
• Point of Origin – Once the point of origin of sensitive data is understood, the type of safeguards required becomes clearer, and at that point it is easy to evaluate the right solutions. Safeguards are observed to be more effective when implemented as close to the data source as possible.
• Time Horizon – Any Security solution should be implemented with a 3-year timeframe in mind. A time horizon beyond 3 years may be sub-optimal, since the solution itself may become obsolete or new threats may render it ineffective.
The above will ensure that the evaluation and the investment stay within the boundary of need. The requirement definition will be sharp, which will ensure that a fit-for-purpose solution is implemented. Most importantly, no money is wasted on solutions that do not reduce the Information Security risks of the Organization.