Through the fog… IT security investment

The stark pros and cons
Written by Quocirca, Contributor

What’s moving from nice-to-have to must-have? Quite a bit in the world of security, says Quocirca’s Bob Tarzey. But get the total value proposition right…

Back in the 1980s I was acting as a consultant to a shady UK government organisation based in an unmarked building in London’s Soho. Following a thorough investigation of my own background, I was allowed entry - accompanied at all times - to a stuffy vault in the basement, where a couple of micro-computers whirred away. There, completely isolated from the rest of the world, we carried out our secretive work. Any spook who was intrepid enough to make his way through the security cordon into this heavily guarded basement would be further hampered by the fact that, at the end of each working day, the keyboards were unplugged from the micro-computers and locked in a sturdy metal cabinet – a secure system indeed.

These days even the shadiest government department accepts that total isolation is not a practical security policy for all but the most specialised of computer systems. The pervasiveness of IP applications (email, the web, instant messaging, hosted computing, IP telephony and so on) has led to all systems being connected. This has created huge opportunities for increased productivity and efficiency. But there is, of course, the darker, more threatening side of viruses and cyber crime. Enabling this new world while protecting yourself from its dangers has meant a larger and larger proportion of your IT budget being spent on IT security.

It is in the interests of the IT security industry to awaken you to these opportunities and threats. But if you listened to their advice alone you would spend far too much on securing your IT systems; if you ignored them completely, your IT systems would be highly vulnerable. How do you strike a balance?

At a seminar on Trustworthy Computing a few months ago, Microsoft suggested that about 8 per cent of the corporate IT budget should be spent on security. In a recent survey Quocirca asked a number of security vendors and integrators what they thought the figure should be. The advice ranged from a few percent to over 30 per cent – in other words, no one really knows. This is not surprising.

For starters, what is IT security? This may sound like an obvious question – but when do the requirements of networking become a security issue and, therefore, a security cost? Is the control of unwanted email a security issue? When does systems management become security management? Does making employees aware of their responsibilities around IT security come out of the training budget or the IT security budget?

Security spending also varies by industry sector. It is likely that my shady friends in Soho (or wherever they are today) will have gone online, but I bet they are using strong (and expensive) authentication to allow remote access. Other organisations do not need to go to such lengths. Many companies allow their customers and partners access to areas of their network on entry of a simple username or password and, of course, most public websites are accessible without any security checking whatsoever.

IT security vendors are as keen as anyone to demonstrate that purchasing their products will provide some sort of return on investment (ROI), but a pure ROI approach rarely has much validity. It is much easier to justify your IT security expenditure if you consider the total value proposition (TVP) for a given IT security issue. This approach weighs up the pros and cons of making an investment and, in effect, quantifies the risk assessment for the security issue concerned.

With IT security there are those investments you have to make and those that you might benefit from making. Firewall and anti-virus measures are no longer choices but necessities to protect against the malicious behaviour of virus writers and hackers – not having them is like not having car insurance. Consider the pros and cons: without them your systems will inevitably fail on a regular basis; with them you can give your users a guaranteed service level. Both are now commodities; everyone has them and accepts that they must. Most spending in this area is on annuity contracts to keep products regularly updated.

The investments you can choose to make are all about openness and competitive advantage. A good example is clientless virtual private networks (VPNs). These allow access to corporate resources from any web browser. There are many pros here, most of which cannot be easily quantified in financial terms: easier deployment of home working, mobility for workers without having to provide mobile devices, employees no longer having to carry heavy mobile devices (a potential health hazard), less risk of mobile devices being stolen and so on.

There are really only two cons – an increased exposure of the corporate network (resolved by employee training and the clientless VPN device itself) and the capital investment required to install the device.

Some security investments are choices today but are rapidly becoming a necessity. Spam control has been a nice-to-have, but spam volumes are now getting so high that many organisations are rushing to find a solution. There are again many pros: increased employee productivity and responsiveness, reduced internal network traffic, reduced storage requirements, mitigation of legal risks if employees are exposed to unseemly content and so on.

The only real con is the capital expenditure required to purchase a spam filtering solution. Spam filtering is likely to follow the same route as anti-virus and become a must-have commodity rather than a choice.

It is possible to quantify the total value proposition offered by any sort of investment by looking at the pros and cons of making the investment and assessing the impact of not doing so. This is a particularly useful approach for IT security, where the opportunity offered by an investment is mixed with the fear, uncertainty and doubt caused by the malicious perpetrators of viruses and cyber crime. The only alternative is to sacrifice the huge opportunity offered by global networked computing and return to the islands of computing that were common in the past.