Information Security is Inversely Proportional to Revenue Generation
A colleague of mine recently forwarded the following list of "security maxims" compiled by the Argonne National Labs. Highly recommended if you need a quick smile or two.
We have a maxim here that I was surprised was not on the list: "The information security posture of a system is often inversely proportional to the revenue it generates," or alternatively, "The information security posture of a system is often inversely proportional to its business criticality." At first blush that may sound crazy, but if you think about it, it makes a tremendous amount of sense.
Companies are often worried that a fix or upgrade will cause a problem, so the more critical the system, the more likely it is that we will hold off "for a bit". The next cycle we hold off a bit again, and eventually the situation is hopeless.
Consider the following examples from assessment projects we have performed:
- An online application that processes $8B a year in transactions and was running on a seven-year-old codebase and servers. Virtually the only change made in seven years was placing an IPS in front of the application to protect it from web application attacks.
- A "media" company that derives billions in revenue from a system that depends on PDP-11, OS/2, and DOS. They scour eBay for old 286 machines with clock speeds below 12 MHz because the code gets "flaky" on faster processors.
What to do if you recognize yourself in this blog?
Well-considered compensating controls can help you make the best of a bad situation.
About the Author:
John W. Verry, CISA/27001 Lead Auditor/CCSE/CRISC - "Security Sherpa" - Information Security Auditor