How much security is too much security?

Matt Tett

Matt Tett is the Managing Director of Enex TestLab, an independent testing laboratory with over 22 years history and a heritage stemming from RMIT University. Matt holds the following security certifications in good standing CISSP, CISM, CSEPS and CISA. He is a long standing committee member of the Australian Information Security Association (AISA), Melbourne branch, and is also a member of the Information Systems Audit and Control Association (ISACA). Enex TestLab can be found at http://www.testlab.com.au blog at http://enextestlab.blogspot.com and can be found on twitter as @enextestlab.

Enex TestLab’s various divisions cut across a large number of industry sectors, perhaps more so than most organisations. From my perspective, we deal with an impressive number of organisations and individuals within those industries. Heading this organisation, therefore, requires me to wear a number of different hats in any given day. But the one common denominator is the humans that we need to interact with.

It is amazing how each industry really seems to attract certain individuals, one day I may write a book on the subject. But for now I’d like to look at two sectors we have had to work with on a regular basis, one is marketing and the other is security.

I really hate to say it *flame hat on* but there are many similarities, not so much with the individuals but with their mission within the business.

There is a saying often cited by my marketing colleagues that half of the money you’ll spend on advertising is wasted, but you just don’t know which half.

In a similarly awkward way, it’s only a good day for security when nothing happens. You can spend a lot of money to ensure no breaches are detected and none of the information, which may have even been leaked, is released publicly.

CSOs are constantly striving for better visibility of critical issues, while on the other hand fearful of a breach or release that they will ultimately wear.

Security teams within the business are focused on identifying the important information and communications channels in and out of the business, then classifying the type and value of that data, and providing risk assessments and gap analysis and seeking best practices for dealing with the security of that information. Which ultimately ends up as a dollar figure that needs to be signed off--or its back to the drawing board. And we all know that the buck does not stop there, it continues, with licencing, maintenance, vulnerability assessments, penetration tests, auditing, reporting etc.

The bottom line is, the business now realises they need security, they rely on the CSO and their team to provide them with a cost figure and the answer to, “how much security do we require?” How does a layman assess whether the input is worth it for the result, or is the CSO just protecting their patch? Where is the balance? How is it quantified?

It is similar with marketing. The business might understand it needs to do some advertising, but how much? And, what actually gives them a bang for buck? How is it quantified?

One thing I observe dealing with these business areas is their attention to detail in documentation. Now the paranoid security practitioner in me figures security is just covering their backsides with legal. However, the marketing guy in me argues it might be more the other way around. Both lines of work are on a razor edge all the time, and they are constantly being pushed down and told to justify themselves.

Not saying it is a bad thing, documentation is great, and has its place, generally as report output from an engagement. It is the reams and reams that are required up-front to enable “buy-in” from the business that consumes significant amounts of time, to be filed away in an anonymous location waiting for discovery by an undetected intruder searching for commercial information.