Too Much Security?

Can you have too much Security? I know it sounds strange coming from a Security consultant, but it’s a question that I believe more people should be asking. It is one of a series of questions that many organisations should be looking at, along with ‘What am I protecting?’, ‘How much is it worth to me and others?’ and ‘What are the threats to my assets?’ before they start allocating budget and resources to their next security projects.

A self-evident truth of Security is that if you don’t know what you’re protecting and don’t know what the threats to it are, then you’re going to do a lousy job of protecting it. Defences are structured around protecting specific assets. Make a list and define your assets, detail why they’re valuable and what the threats to them are. Or better still, give us a call and we’ll do the TRA (Threat and Risk Assessment) for you!

At the risk of incurring the wrath of the IT security industry, the fact is that salesmen and saleswomen are fantastic at helping you buy expensive tools and products that partially address a potential risk you may have, under certain circumstances, at some point in the future, for assets with an as-yet undefined value. Maybe that’s a little extreme, but the important part of the example is at the end: ascertaining the value of assets. If you don’t know the value of an asset, how can you form an informed opinion on how much to spend protecting it?

Asset value in most organisations tends to have a time component – what is the asset’s value right now? And its value tomorrow? Next week? Next year? Is it valuable to someone else in 5 years’ time? If an asset has no discernible value after a year, why would you want to spend the same amount of money protecting it then as you do today? This concept of time-based value is central to some security disciplines such as cryptography, where the aim is not necessarily to make unbreakable codes, but rather to make the investment in time, effort and equipment required to break a code significantly uneconomical relative to the value of the information being protected. It all comes down to a case of bang per buck per tick – how much money do you spend to protect an asset of a set value for a set period of time?

Lastly, an asset only has value if you can use it – if you have so many layers of security around something that they interfere with business processes, you have to ask: do you have the wrong security, is it in the wrong places, or is there too much of it?
