How do you know you are secure enough?
Oct 31st, 2009 by Jesper Kråkhede
At the same presentation I was approached by the CIO, who asked me: "You are suggesting quite substantial changes in our way of working. How do you know that this will solve the problems, and how do we know that these are the real problems?"
I started by explaining how security works and that you have to do your risk analysis first, otherwise you do not know what you are facing. After a short while he hushed me and said: "I know that you are an expert on your subject and I trust that your solution is good and sound, but I have to explain the added cost to the board. What should I say?"
My answer was very quick: "Take the slides explaining Return On Security Investment and the slides explaining the identified risks, and show them. The risks they have identified themselves, and the costs come from your CFO. As for the risk mitigation, that is the result of this workshop and my experience. Do you think that will do?"
"Probably, but are we secure enough?" he said, smiling. I only answered with a smile, but the answer to the question is easy. As long as you can run your business every day, you are secure enough. A company seldom stands or falls with a single incident. Most of the time the only effect is a cost that has to be covered. My mission is to make those costs as low as possible, with as little money as possible.
Still the issue is as always: How do you calculate the cost?