Security at any Cost?

I am a FIRM believer in securing systems and data at a level equivalent to the value of the systems or data or the risk associated with the loss of the data or system.  But I have to draw the line when securing data or a system results in interruptions to the operation of what was, up to this point, a secure and well-run system.

Let me use an analogy here to make my point:  When you carry cash, checks, and/or credit cards (CCC), you carry them in a purse or wallet which then goes into your pocket.  You don’t put your CCC into a safe and carry the safe around, do you?  You don’t keep your CCC secured away at home and then run back home every time you need access to CCC to make a purchase, do you?  And we are talking about items that could result in your losing a significant amount of money, or worse, identity theft.

Drawing on this analogy and applying it to systems and data – how much security is too much security for your systems and data?

Do you spend much of your day working through the security mechanisms just to access your systems/data?  Are your systems/data so important that they must be very difficult to access?  Isn’t the purpose of having your data in electronic form so that it is readily available and easy to access?

Stepping back, maybe it is worth looking at what the security folks are trying to do.  Obviously, they are trying to protect data and systems from being breached, compromised, or lost.  Sounds good, right?  But their idea of protection may be so draconian that you have a difficult time accessing your email or accessing and editing a document.  I understand the security viewpoint that any individual piece of information may not be important enough to merit protecting, but when you put together a finite number of pieces of information, that may become something worth protecting.

And here we get back to the question – protect the systems and data at what cost?

Sorry to say that I don’t have any answers here.  But I do want to make a few points:  Security personnel should spend some time and brain cycles understanding the value of the systems/data and the risk of them being compromised, breached, or lost.  It is much easier to apply a blanket security policy, but seldom does one policy truly fit all.  If security personnel understand the systems/data and their function and value, maybe they will craft an appropriate security policy that strikes a balance between making the systems and data available to authorized users and protecting them from the bad guys.

As always, please let me know if you have questions or comments, and I will do my best to address them.

About Tim Smeltzer
I am a husband, father, and technologist. While I am very much interested in almost all technology, my current area of specialty is secure mobile messaging. You will find me blogging from time to time on mobile technology - what I think is cool, what I think is not cool, and how to do things. Please be nice if you leave me comments. I am really trying to help!
