I’ve overdosed on security these last couple of weeks. In addition to some Frankly Speaking (info can be found at www.itworldcanadaevents.com/) breakfast sessions on the subject, I’ve accompanied a security vendor on a tour in Western Canada. In between, I’ve met with a number of CIOs, many of whose current woes revolve around security and related issues.

Little wonder security is a top-of-mind issue. Organizations face an increasing barrage of regulations which in many cases hold corporate officers personally accountable for what goes on in their companies. The list of threats is growing in concert with the list of newly-identified vulnerabilities that must be patched and managed. And the bad guys have graduated from being mischievous to being organized, well-funded and tech-savvy criminals.

Security is a bit like quality: it can always be improved. So one of the most vexing problems is figuring out how much security is enough. It’s one more thing for which you have to find and justify funding — with an ROI that is, to say the least, hard to identify. The end product of successful security management is what? Nothing happened. And how do you show that the ‘nothing happened’ was the direct result of your security investment?

Surveys tell us that one reason funding is hard to get for security initiatives is that CEOs tend to view it as a tactical rather than a strategic issue. The experts say security should be operationalized — a fundamental consideration in the design of processes, applications and the physical and logical infrastructure. When it comes to funding, however, it may be easier to find if the justifying argument is shifted from the tactical, ‘protection of assets,’ to the strategic, ‘investment in the brand and the trust of customers,’ the value of which the CEO may well be able to assess.

As to how much is enough? The experts recommend a risk assessment of each asset and application based on its value, type of vulnerabilities to which it may be exposed and the probability of an incident. They also say you should consider that a breach is inevitable, but one of the most neglected areas of investment is in recovery plans — the who, what and how of post-incident management.