Security Think Tank: Business input will help keep security usable and cost effective

How can organisations maintain usability and keep support costs low without compromising on security?

Security is a business enabler and should be touted as such. If your company has good security, tell the world and you might just win more clients because of it. However, that does not mean that security needs to be bought at any cost. Instead, it needs to be cost-effective, and that, of course, is the rub – what is cost-effectiveness?

One rule of thumb is that the cost of a security control or set of controls should not be greater than the value at risk.

This raises questions about what is at risk and what is its value. This all comes down in the end to understanding a company’s business, its client base, its inputs and outputs, the data that the company holds and the company’s appetite for risk.

But why go to all this bother, and what does a company do with it? This information, which can only come from the “business” side of a company, can be used to help identify threat sources, such as pressure groups, disgruntled employees and criminality, and who in a company should be able to create, modify and/or see specific groups of data (remember: enough access to do the job and no more, following least privilege).

With this business input, the operational side of a company can then formulate appropriate technical and non-technical security strategies and policies.

Knowing what needs to be protected, the value at stake and the company’s risk appetite then enables the identification of vulnerabilities, both technical and operational. This, in turn, allows appropriate controls and control mechanisms to be identified.

Following this route should ensure that control mechanisms are neither over-engineered, such as by being expensive or difficult to use, nor under-invested and therefore relatively ineffective.

It should also ensure that existing mechanisms, such as Active Directory user groups and roles, file access controls and password complexity, are used more effectively.

Remember that user education is a key control that does not need to be very expensive and can be a good balance against highly invasive technical controls, as some emails with malicious intent will get through even the most paranoid technical security.

With clear direction from the “business”, the implemented security procedures and control mechanisms will be appropriate, maintainable, usable and cost-effective. Without good direction, it is more likely that implemented controls will be more expensive, possibly protecting the “wrong” things, and not particularly user friendly.