Thoughts on IT Security

While I may be in the minority, IT security is never going to be "sexy," and rarely going to merit a C-level or board level position.

The security folks in the room will beat me up on this, but security spending is like life insurance. Everyone knows they need it, but everyone hates going through the exercise of buying it and wants to get it over with quickly. If you’re tasked with pitching IT security at your company, determine some different levels of security (aka insurance) and their associated costs, determine what your company is comfortable spending, and outline the risks associated with each spend level. Then write the check and be done with it.

You’ll look like Captain Doomsday or completely out of touch with the business as a whole if you spend months touting security while your peers are trying to get products out the door.



  1. That approach and attitude has pretty much gotten us to where we are today – not very good security. We have stuck our heads in the sand well beyond the amount of time that is reasonable, and have stuck the security tasks to the unlucky, the unacknowledged and, frequently, the unskilled.

    Security is an important part of management and operations, like many other things are. It’s a necessary part of doing business. If not dealt with adequately, it can bite you.

    Go ahead, assign it below the C-level, write the check and be done with it, you think. Tell the security people to handle it and go away, see where it gets you. If a business-person is not willing to commit to making sure a decent job is done with the security of their people and assets, they’re not much of a business-person, or neighbor for that matter.

    It is regrettable that society doesn’t do a good job of sorting the flashy, the urgent and the important and prioritizing actions accordingly, but individuals can and should.

  2. Hi Arthur,

    I think we would both agree security is important, and I am certainly not underestimating its importance especially in light of the recent high-profile security breaches (Sony anyone?).

    What I am saying is that trying to pitch security through doomsday scenarios, and breathless tales of hackers and crackers is akin to the life insurance salesman that starts his pitch with tales of your funeral, your children in rags, and your spouse doomed to a life in the gutter: counterproductive.

    Security operations need to be well-run, appropriately funded, and capable, but they need not be obsessed about, or a major focus at the C-level (sounds like we might disagree here). The average CIO that spends more than 10% of their time talking to other CxOs is likely going to appear out of touch, save for some highly security-focused industries.
