Security has become a watchword in the enterprise. On this matter, there is no debate. Where there is debate, however, is in what priority security is given, when weighed against and amongst all the various initiatives in the enterprise. Cascading from these questions is the inevitable one—is security simply an IT issue or is there more to it?
Let us resolve this issue upfront. Security is FAR more than simply an IT issue. Security needs to be understood as a core business imperative and the way an enterprise manages its security posture needs to relate directly to the way it wants to manage its business risk. Just as CEOs think about competition, regulatory compliance, product cycles, globalization, personnel retention and finance as key levers of business, so too must they work to ensure that security is elevated to this level.
Each enterprise has a unique risk profile, and each management team has a unique set of parameters it uses to gauge its optimal risk tolerance. Coupling these two, one finds immediately that there are no pat answers around security; reducing it to a matter of hardening servers or locking down applications is a huge mistake, albeit one made by many enterprises. Just as a company’s business evolves, so too must its security controls and its risk mitigation strategies; and just as the environmental factors evolve (compliance, regulation, industry standards), so too must a company’s security controls change.
And as attack vectors grow more complex and hacking grows more sophisticated, companies must put correspondingly complex and sophisticated countermeasures in place to ensure that their core business functions are not retarded or arrested by security breaches.
As always, there is a trade-off between security and the ease of getting business done. One could take all of a company’s computers off the Internet, give only a few employees access to internal applications, ensure that all passwords are complex, and require users to authenticate to the network with many factors. One could never allow remote access and could bar mobile devices from accessing any part of the network. But at what cost? And how much risk are you exposing yourself to if you allow your employees to VPN in from home or to access a plethora of internal applications? If the IT folks and the business side of the house don’t talk, we’ll never be able to actually assess what trade-offs a company should make to ensure a high degree of security while still enabling employees to engage in the core businesses that make the company money. Again, it’s all about the art and science of risk mitigation.