I've not yet come across an organisation that doesn't have some kind of group that focuses on IT Security. And, frankly, it's hard to imagine any organisation that could get by without one, either.
But am I the only person who wonders whether the cost to remediate IT security issues is actually worth it?
Apparently, there are very few IT security people who ask that question. I was at an event the other day, talking to a security person, someone quite senior. During the course of the conversation, I was informed that the strategy was to remediate every potential vulnerability, no matter how small or how theoretical. When I asked him how he paid for all this, he told me that finding the money wasn't his problem. Going further, he said that when he issued a security directive, he expected it to be followed, and if it couldn't be followed, the workstream or project got closed down.
I shut my mouth at this point, knowing I was speaking with that most invidious of creatures, the professional security specialist. You know the type: they spend all their days dreaming up the reasons you can't do something, rather than helping you find out how you can. Theirs is the right to kill any change for any reason, so long as it is related to a "potential security issue".
The lack of business-centred thinking amongst security specialists is endemic in financial services.
Let us, for example, force employees to have multiple logins that change all the time. It is so very easy to write a policy and implement technology that enforces various levels of password rules, but it isn't so simple to find the money to pay for the helpdesk calls that result from escalating numbers of password resets.
In one bank I know, the response to this was to implement a complex automated system for self-service password unblocking. Wouldn't business-centred thinking have suggested that a better way would be to relax the password change rules? Since when is a password the only control on business systems anyway?
Anyway, the cost of all those passwords was shown to be way, way higher than the potential costs of any reasonable incident. Didn't matter to the security people involved though, because they were security professionals. Remediating threats was their business. Finding the money to do so wasn't.
Now, obviously, it is impossible to remediate every single potential threat to any large organisation running IT systems. And quite clearly, some threats are larger than others. The problem, of course, is working out which matter and which don't. Spending millions extra on a helpdesk to reset passwords for systems that have multiple lines of defence is clearly somewhat less urgent than dealing with the latest internet banking threat vector.
Security people, for the most part, don't care because they don't have to justify the financial consequences of what they do.
But what would the effect on an organisation be if the security folk had money? And if they were accountable for paying for remediations they decided they had to have?
I bet the first thing that would go would be the self-service password reset system, and the millions extra on helpdesk calls. Objective assessment of those costs in the light of financial constraints would make both an expensive luxury.
I suspect there are already forward-thinking organisations that have worked out that the business case for IT security often doesn't stack up. And I rather hope that I'll be meeting fewer professional security people in the future. Instead, I'll be meeting business people who know security, and who will be trying to add up the numbers for what they do.
I am certain, when that day comes, we will not only have more agility in IT, we'll also have a much smaller security bill.
And no increase in incidents either, since all that will be remediated are those issues that matter.