HOW TO SCOPE THE INVESTMENT IN SECURITY?
Know how to evaluate the investment in security and how to establish the right moment to start an Information Security project.
When investment priorities are analyzed, information security is often still left with a very small share of the Information Technology budget, because the risks involved are not understood. As a result, security projects end up forgotten or poorly scoped.
It is much simpler to demonstrate the importance and the magnitude of a lack of security in practice than in theory. Unfortunately, when investment is constantly postponed, the problems it would have prevented are postponed along with it, and they are often addressed only after some unpleasant situation has already occurred. These situations can range from a simple headache to a significant compromise of company-wide results.
Dimensioning investments in security is difficult, since they produce no change that can be identified as improving productivity, earnings, or sales. What they produce is the avoidance of situations in which those items would otherwise suffer losses. And it is in exactly such situations that optimism, lack of information, and sheer neglect tend to prevail.
Investing in winning situations, where the established metrics are measured as ROI or ROE, is the ideal situation for most managers. If the investment is successful, they reap the benefits; if it is unsuccessful, the lesson is learned and another approach is tried.
Investing in prevention, on the other hand, is far less attractive. If something goes wrong, the loss that was to be avoided in the first place materializes; if the investment succeeds, there is no change in the positive results, only the mitigation of risk, with the company's financial results affected neither positively nor negatively. To the less informed, this type of investment may seem pointless. However, the damage incurred as a result of a security breach can be of such magnitude that it makes the entire business unfeasible.
The data presented below are facts. They clearly show that such investment deserves due diligence at the right time, so as to avoid the unpleasant situation in which reactive investment must be made after an incident has already occurred. And, even in these cases, it is worth remembering that much of the damage caused may not even be noticed by the company.
- 90 per cent of companies that responded to a survey by the CSI (Computer Security Institute) suffered some kind of intrusion in the last 12 months
- 80 per cent of them sustained financial loss as a result of these intrusions (a total of US$ 455 million)
- The loss was concentrated in theft of confidential information (US$ 170,827,000) and financial fraud (US$ 115,753,000)
- The majority of companies (74 per cent) cited their Internet connection as the most frequent point of attack, whereas 33 per cent cited their internal systems
Source: CSI (Computer Security Institute), www.gocsi.com
Even when security planning is started at the right time, there are several pitfalls that must be avoided to keep the chosen solution from becoming an illusion that gives a false sense of security. Looking at the market, one sees products and services presented as the Holy Grail of information security: the black box that, once connected to the network, will keep all threats far away.
Unfortunately, the solution is not so simple. Security is not something static, a sort of lid that closes forever over the source of all worries. Security is a process, which must be planned and started by professionals. It comprises the risk environment, products, project, and maintenance. The security process requires dedication on the part of the company; it requires a commitment. And, most importantly, everything that has been planned must be executed.
Knowing the vulnerabilities of an environment is an important step, but in itself it does not solve the problem. When security work starts, special attention must be given to the implementation of the corrective actions. Reports, however complete and impressive they might look, must not replace the direct work of reducing and eliminating vulnerabilities.
The security process must really be treated as something continuous. Isolated actions such as a vulnerability analysis or the installation of a new product have little lasting effect. Networks and systems within a company evolve and change ever faster, making continuous maintenance work a necessity. A secure network whose security process is halted will return to its original risk and vulnerability status in a matter of weeks, or even days. Without the constant attention of a professional, there is no security.
When planning and scoping investments in security, the process must be seen as a whole. Security must be considered in all its aspects, whether physical, technological, or human. Through this approach, the policies and norms that must be implemented will be identified, as well as the products that must be acquired and deployed and, especially, the services that must be carried out. This allows a complete outlook to emerge, one that brings real security and adds real value to the business without wasting resources.