I’ve always said that it’s pointless investing in strong IT security because it will drag down profits and productivity, which impacts your stock price in the current quarter. What you really need to focus on is preparing for the media campaign that reacts to a security breach and making the most of the media coverage for promotion and exposure.
- Invest in security technology that detects security events.
- Work with executives to build a plan for reacting to security events with class and style. Have draft press releases, a media playbook and designated personnel to handle security events. Have a cleanup strategy ready to go.
- Reduce spending on security prevention. This kills productivity and profits.
Want proof? Look at the share prices for Sony, Home Depot, Heartland, Target and even Apple since each of those organisations experienced a security event in the last few years:
What about Home Depot?
Or even Apple, whose iCloud was supposed to have been hacked?
A Security Strategy
Consider Target – how much money was saved by under-investing in IT security for more than a decade? And how much benefit did this bring to the business? All that cash flow, reduced opex and productive IT systems (because they didn’t have stupid security restrictions) has been a competitive advantage for all that time.
You still need a security prevention strategy, but make it practical. You need IT security processes to keep a reasonable level of security. Think about your own home: you lock the doors when you leave, check the windows and take other practical security precautions. You do not invest in bullet-proof walls and entryways, and you do not invest in two-factor authentication to get in the door after a long day at work.
- Stop over-investing in firewalls, proxy servers, data loss prevention and other forms of perimeter security.
- Allocate funding for distributed threat detection tools and systems that locate security events.
- Allocate funding for Security DevOps that can action a security plan when events occur.
- Emphasise that current security models are reducing productivity and profits.
- Use security events to increase company value by using them as marketing and media events.