How much network security does a small or midsize business need? To find out, IT managers must measure their companies' tolerance for risk and make a business case for pursuing a network security system that fits
My 12-year-old son asked me the other day what data sounds like.
Being asked a computer science question, or more particularly a networking-based question, caused me to break out the hanky I reserve for those times when I find out my backup copy was an incremental instead of a full. I thought about the whistles of the old modems of yesteryear, the whir of 8mm backup tapes, the 2,600-MHz tone of a phone switch, the capacitor-start fans in a large router or switch. (I have goosebumps...)
So with the sage-like wisdom of my 18 years in information technology, I said, "Go ask your mom."
Truthfully, if data had a sound, I bet it would sound more like "ka-ching" -- the sound of a cash register draining an IT budget. This is certainly true in network security.
Since I can't make a living fishing, network security is my bread and butter. I have shown the value of security over and over in presentations, videos, radio, Morse code, you name it. And it's easy! I can scare eight lives out of a cat with hacking tools and statistics. Security is badly needed and misunderstood in our industry. After a presentation, I always fear that a street-smart C-level executive will come up and ask me to make a business case for what I've presented without the scare tactics. I would turn into Barney Fife trying to buy a car right on the spot.
So now that I've exposed a deep personal fear, let's look at how we can justify spending cash on network security. First, understand that your data has value. Not just a little, but a whole lot. In fact, $67.2 billion is lost annually on computer-related crimes, according to the FBI. As a point of reference, in today's money, it cost about $135 billion for the entire Apollo space program. With that kind of money at stake, folks are going to work very hard to get access to your data.
Security is needed, but we can't assume we have an unlimited security budget. If that were true, we would have sales reps stalking us like the paparazzi hound movie stars. To determine how much we should spend on security, we need to look at two factors: risk aversion and risk tolerance.
Before we get into this, understand that risk aversion and risk tolerance are based on data points you fill out in a 100-question InfoSec management survey, scored 0 through 5, with 0 being not applicable and 5 being grave effects. The benchmark most companies test this against is ISO 17799, "The Code of Practice for Information Security Management."
Don't rush through this survey or pass it down to someone else in your organization. It should be completed by a C-level executive. This not only gives it immediate buy-in, but also helps the C-level set the vision and understand the process. IT folks should work with the results of this survey and not the vision of the survey.