From the Editorial Director: It

I’ve overdosed on security these last couple of weeks. In addition to some Frankly Speaking (info can be found at breakfast sessions on the subject, I’ve accompanied a security vendor on a tour in Western Canada. In between, I’ve met with a number of CIOs, many of whose current woes revolve around security and related issues.

Little wonder security is a top-of-mind issue. Organizations face an increasing barrage of regulations which in many cases hold corporate officers personally accountable for what goes on in their companies. The list of threats is growing in concert with the list of newly-identified vulnerabilities that must be patched and managed. And the bad guys have graduated from being mischievous to being organized, well-funded and tech-savvy criminals.

Security is a bit like quality: it can always be improved. So one of the most vexing problems is figuring out how much security is enough. It’s one more thing for which you have to find and justify funding — with an ROI that is, to say the least, hard to identify. The end product of successful security management is what? Nothing happened. And how do you show that the ‘nothing happened’ was the direct result of your security investment?

Surveys tell us that one reason funding is hard to get for security initiatives is that CEOs tend to view it as a tactical rather than a strategic issue. The experts say security should be operationalized — a fundamental consideration in the design of processes, applications and the physical and logical infrastructure. When it comes to funding, however, it may be easier to find if the justifying argument is shifted from the tactical, ‘protection of assets,’ to the strategic, ‘investment in the brand and the trust of customers,’ the value of which the CEO may well be able to assess.

As to how much is enough? The experts recommend a risk assessment of each asset and application based on its value, type of vulnerabilities to which it may be exposed and the probability of an incident. They also say you should consider that a breach is inevitable, but one of the most neglected areas of investment is in recovery plans — the who, what and how of post-incident management.

[email protected]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows...

Unlocking Transformation: IoT and Generative AI Powered by Cloud

Amidst economic fluctuations and disruptive forces, Canadian businesses are steering through uncharted waters. To...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now