The risks of bug bounties
Image from Shutterstock.com

There have been a lot of reports lately that boards of directors and the C-suite are increasingly taking IT security more seriously. But are they also willing to compromise the organization when the chips are down? A recent vendor survey suggests many are.

The poll of over 380 European IT executives, CIOs, CISOs, auditors and other IT professionals found 71 per cent of respondents agreed security should be equally or more important than business flexibility.

But 69 per cent said they would take the risk of a potential security threat in order to achieve the biggest deal of their life.

What does this say about common sense, greed and business pressure? It may not say much at all — how people answer a theoretical question is not the same as what they would do in real life. On the other hand, arguably some executives and managers are making this decision every day knowing their infosec systems aren’t perfect.

For the record, well-known IT security expert and author Bruce Schneier admits in a blog today that he’d take the risk, too. “The reactions I’ve read call this a sad commentary on security,” he writes, “but I think it’s a perfectly reasonable result. Security is important, but when there’s an immediate conflicting requirement, security takes a back seat. I don’t think this is a problem of security literacy, or of awareness, or of training. It’s a consequence of our natural proclivity to take risks when the rewards are great.”

Rather than fight this impulse, Schneier says it should be recognized that IT security has to meet business needs — which includes speed AND protection. “We need to build security that’s flexible and adaptable, that can respond to and mitigate security breaches, and can maintain security even in the face of business executives who would deliberately bypass security protection measures to achieve the biggest deal of their lives.”

Is this possible? Would you take a security risk to complete a killer deal? I’d like to hear your opinion in the comments section below.