We’ve heard about the Ernst and Young employee leaving a laptop on a bus. ING had sensitive data on a laptop that was stolen. Events like these cause an interesting psychological phenomenon I refer to as “The Recency Trap” — changing your habits based on perceived risks caused by recent events.
| View the Entire Series | |
|
The Five Most Common Misconceptions of Enterprise Security Misconception No.1: Over-Relying on Network Defenses Misconception No. 2: Believing the Hype of Technology and Tools Misconception No.3: Too Many People Assumptions Misconception No.4: Assuming Secure Software is Costly Misconception No.5: The “Recency” Trap If you want to comment on these or any other articles you see on CIO Update, we’d like to hear from you in our IT Management Forum. Thanks for reading. – Allen Bernard, Managing Editor.
|
The mistake organizations make here is overreacting to perceived threats, which in turn allows for more real or serious threats to go unattended.
A Sense of Falling
When high-profile cases like E&Y, ING, and, more recently, the VA hit the public conscience, organizations tend to react by making adjustments in their security spend. These incidents of lost laptops or data tapes led to organizations rolling out new policies to encrypt all data on laptops and in databases.
Not to say that laptop and database encryption is a bad policy, per se, but you have to understand it only mitigates the risk of physical theft of the computer or database. Further, it does not protect the organization from risks such as hacking, malicious code, bots, worms, Trojans, insider crime, un-authorized workers who steal proper authorization, criminal third parties, etc. And this all assumes encryption was implemented correctly and the organization provided ample training for their teams — which almost never happens.
The driver for the new policy was a perceived new or heightened threat. This is psychology is a dangerous trap.
The same thing happens in the non-IT world, too. In 1967 Sweden changed from driving on the left side of the road to driving on the right. What happened? In the 12 months following, auto fatalities dropped by 35%. Was the right side of the road safer? Was there a major advancement in automobile safety in Sweden in 1967? No.
There was simply a change in rules and as a result people felt more at risk due to the recent “incident.” The sad part is that 12-months later, auto fatalities were exactly where they were pre-1967. People “forgot” they were at risk and adjusted behavior once again.
Rising to the Occasion
When asked to qualify why you’re seeking security budget dollars, ask yourself whether the amount of spending is absolutely critical or if you’re just doing it to cover your butt. CISOs (chief information security officers) and CIOs are frequently in the position of having to justify security spend. If the drivers are eerily similar to the ones mentioned above, consider the reasons carefully before asking for those dollars.
Perhaps you’re even asked to implement a certain security solution because your board recently became aware of a security incident in a similar type of organization and they’re fearful the same might happen at your organization. While you’re asking yourself questions, ask this one, too: “If I alone had the ability to decide where and how to spend security budget, and I could only choose one place, where would I spend it?”
Often the answer is different than where your board might choose. Forcing the issue can make you a voice of reason in a world of security FUD (fear, uncertainty and doubt).