e-Xpertise in Industry November 2006 ezine print version


Hot Topic: Security vs. Risk

Some of you may have witnessed the disruption caused when new hand luggage restrictions were imposed at all UK airports. Amongst the many articles that subsequently appeared in the press, one in particular stayed with me. It considered terrorism in a strictly mathematical fashion and suggested that the scale of society's response is wholly out of step with the size of the threat - a point of view you might not be willing to accept.

There is an interesting parallel with the issue of computer security. In this case, conversely, it would be possible to argue that the IT industry's response, in general and at least so far, is wholly inadequate in the face of the size of the threat. We are told "risk" is a very important issue for a very well-governed business.

In both cases the response - at least in practical terms - is more about how risk is perceived than the actual level of risk. Viewed dispassionately, the actual threat of terrorism is slight - almost insignificant when compared to say, road traffic accidents. The number of people who set out to do harm is tiny.

In the corporate world the situation is very different - both in terms of scale and intent. Staff do not set out to do harm. They regard insecure actions as no more than a slight infringement of rather pedantic company rules. The number of staff who think like this could be very large - a significant proportion of total staff. Through their actions, they may easily become the unwitting accomplices of people whose goal is not disruption but gain. The whole nature of the security threat against the business has changed in recent years - away from the rather quixotic image of the amateur hacker to the altogether much more sinister face of organised crime.

The "compliance" marketing messages miss the point. They focus on the perception of risk: the need to please investors and regulators. There is no consistent global framework of law or regulation that makes it necessary to disclose computer security incidents, although regulatory requirements like the Sarbanes-Oxley Act of 2002 (SARBOX or SOX) and Basel II both require these security infringements to be reported, logged and the resulting actions monitored. But marketing messages from the IT industry are about maintaining the paperwork rather than using the information to reduce the risk of losses.

It is obvious that the only way to reduce risk and loss is to learn from security failures - just as manufacturing has embraced continuous improvement, or Kaizen, as promoted by Deming. Marketing messages that focus on the gains from upgrading security, rather than the cost of doing the minimum to please regulators, would make a refreshing change.

Bob Brown


Also in this issue . . . .

Feature Article:

Looking East for 2006 and beyond…: Nick Ballard looks at worldwide trends in the Engineering Applications market

Book Review:

The Way of the Dog by Geoff Burch is reviewed by Allan Behrens


Cambashi researches best practice and assists IT suppliers in best practice implementation. For more information on Cambashi services please email info@cambashi.com

To subscribe: send an email with the word "subscribe" in the subject line to : ezine@cambashi.com

© Copyright 2006 Cambashi Ltd
