Philosophy of Security, Part 2 – Why do we do “security”?
In Part 1 of this series we looked at a high-level concept of what it is that we are dealing with when we talk about security.
No matter what else you might think on this topic, there is one fact about security that most, if not all, of us agree on: security costs a lot of money. Having “security”, in whatever form it takes, costs businesses both time and money. This impacts a business’s bottom line and eats into profit margins.
- Security costs us time in the sense of ensuring your business processes have built-in protection for you and your customers (such as requiring passwords, or that customer data is not left lying around on desks where someone can easily access it).
- Security costs us money in terms of investment in safes, locks, secure storage services, firewalls, guards, etc.
So why do we do security?
There are three broad reasons why we expend time and money on security:
1. Regulatory and/or contractual obligations
This is the easiest case to spot and the most obvious one, but it is often the most expensive to comply with. Quite often the kinds of security tools and the types of business processes that are seen to provide compliance are specified as part of the regulation and/or contract. This makes certain types of security mandatory.
- Government regulations, such as the various privacy laws (e.g. the Commonwealth of Australia Privacy Act 1988), dictate what we can and can’t do with information entrusted to us by our customers, and require that we protect that information.
- Banks and other financial institutions require that on-line merchants have certain security measures in place before they will allow those merchants to take and process credit card transactions on-line, and often these measures are part of the contract you have to sign to gain access to the merchant facility. The Payment Card Industry (PCI) standards are an example of contractually mandated security.
2. Customer/Supplier expectations
Our customers and suppliers expect us to behave in a certain way, one that implies we will protect their information (personal or commercial) from being seen by other people and organisations. This means that:
- We are expected to have “published” privacy policies (as part of our public facing systems or included as part of our contract paperwork);
- We are expected to require user identification of some sort – most often in the form of usernames and passwords – to identify users prior to granting access to a commerce or information system; and
- We are expected to use tools like the Secure Sockets Layer (SSL) protocol to encrypt information being sent over communications networks.
3. Desire for protection of our own business assets
This area is often the least well defined, because deciding how much time and money to spend on protecting our own assets is driven in large part by our own assessment of the risks associated with each of them. In general, business assets can be grouped into three categories:
- physical – materials, goods, stock and buildings;
- intellectual property – processes, procedures, formulae, code and business data; and
- reputation – the “good name” of the business, and the level of trust placed in our goods and services by our customers.
How you arrive at a decision about what to protect, how to protect it, and how much to spend protecting your business assets is the domain of risk management, and it merits a separate discussion.
For most small and medium businesses, most of the security you need to worry about will fall into three categories: regulatory compliance, protection of customer data, and protection of your own assets – including your reputation.