Should security be business driven or risk driven?
May 2nd, 2007 by Jesper Kråkhede
Now and then I get engaged in discussions about whether security should be driven by business or by risk. That is, either security issues should be raised when the business wants a new function or a change to an existing function, or security issues should only be raised as a result of risk analysis.
This is not a simple question with an easy answer, and like all other architects I give the same reply: it depends!
My opinion is that security should not be an obstacle but a way to do business securely. For example: if a business function wants to use credit cards in its daily operations, my job is NOT to say no at first, but to find out why, and how we can do it securely. Far too often I meet CSOs or CIOs who say no by default and thereby bring business development to a halt immediately.
By this I do not mean that anything goes. I mean that everything should be considered, and if it can be justified and is good for the business, it should be implemented.
More often than not, the naysayers tend to work with a risk-analysis-driven security approach rather than a business-driven one. But still: security is only a property of any given process, piece of information, application or piece of hardware. Security is not something in itself.