Is Security a Burden or a Business Asset?

Implementing a security plan can be a hassle, but nothing like the hassle you could have if you don't.


For many organizations, the need to add to or introduce security in order to meet regulatory compliance is seen as a serious burden being imposed upon them with no defined advantages. This article examines security from all angles and exposes how it can be perceived as an asset and/or a burden to an organization.

 

First, let's outline the views on how security can be construed as either a burden or an asset, and then we'll put the integration issues into perspective.

Burden

To understand why people often see the need for security as a burden, we need to look at the issues that come up when trying to introduce security policies and safeguards into a business.

 

Responsibility

Who is responsible? Management, the MIS department, the board, or is there already a security group? Politically, does the owner of the responsibility have the backing of all groups? This rocky ground is often the reason that many people see security as a burden and that projects either fail to get off the ground or fail to deliver what was expected.

 

The people who are responsible for implementing the security policies and solutions often feel that everyone is against them because they are trying to force people to do things for the benefit of the "security group" rather than for the benefit of the business in general. Those who don't have the responsibility often feel that the things they're required to do in the name of security get in the way of their "real job" and that these things are imposed on them just because the security group wants it that way. They feel it is simply making their job harder and see no benefits from it.

 

The solution is to get everyone in the business unit to understand that security is the responsibility of all staff members and that the benefits are for all. Only with ongoing training and education can this be fully achieved. This buy-in is needed at all levels in the business, from the board member down to the janitorial staff; they all need to understand the need and be willing and able to play their part in the overall plan.

 

Budget

Implementing an overall security strategy and solution is an expensive exercise, but the question is often where the funding for it is to come from. Sometimes, the board mandates that certain security requirements are to be met, but they fail to allocate funds or even determine where the cost center for such expenditure is to be. The result is often that departments that are expected to fund the security efforts are left feeling they have lost budget for their own planned changes. This is often the reason for the resentment and the view that security is a burden.

 

Some companies simply say, "We haven't budgeted for security this year." So it doesn't get done. The point of concern here is that if there is no budget for security, is there budget for the greater costs of a data breach? This view is unfortunately often the retort of smaller companies that are even less able to weather the costs and resultant impacts of a breach.

 

So what is the solution? Some department or group must be found that can allocate the budget to implement security. The budget needs to take into consideration the costs of hardware, software, training, and staffing. It needs to be understood that security is not a "fit and forget" item; an ongoing budget must be allocated to cover it. It is also important that the budget is allocated for just this need and cannot be siphoned off for general IT or staffing costs.

Value

Many organizations see security as having no value-add to the business. They feel that it gets in the way of the day-to-day operation of the business and that it may in fact have a totally negative impact. The problem becomes worse when staff are told that some project has been cut back or canceled in order to be able to fund a security implementation, especially if this was a pet project or something that the group or person had been working on for some time. All these points can lead people to believe that security is a burden and that it brings no value (or even brings a negative value) to the business or operation.

 

Only education and information are able to overcome these concerns.

Resistance to Change

"Why do we need to change what has been OK for years?"

"I don't need to be controlled in what I can access!"

"I need to have access to everything just in case I need it."

"My job cannot have restrictions put in the way."

"We won't be able to operate with extra restrictions."

These are the kinds of objections we hear from staff as to why security is a burden on the business, when in fact they mean a burden on them personally. Change can push people outside their comfort zone.

 

This is yet another reason to involve everyone in the discussions and education sessions prior to planning changes. Staff must realize that security can reap dividends when the implementation starts. People who understand the reasons that things are being planned and are able to voice their concerns and worries are far less likely to be resistant to change. And their input can often be valuable in getting the best overall solution for the business and staff.

 

Cannot Categorize Information

A great many businesses have seen a rapid increase in the amount and types of data they are dealing with, and often it seems easier and more cost-effective to simply increase the amount of storage available than to actually understand and manage the data they hold. The root of the problem is that staff finds it too difficult to separate what is sensitive and what is not. What this means is that determining who should have access to what and when becomes a serious burden, and security is blamed. The fact is that this should have been done as the business expanded.

 

This is a serious problem for many companies, and there appears to be no simple and straightforward answer to the problem. Often, the need highlights the fact that there has been uncontrolled growth in storage and the data contained on it, accompanied by insufficient IT staff to monitor what is occurring, which compounds the burden of implementing a business-wide solution. Even major companies have this issue. When IBM reported the loss of information on a tape in 2007, it was found to contain the details of staff who had left many years before and should have been deleted! Many companies consider it too difficult to separate what is sensitive and what is not.

Business Asset

A good security plan should never be considered a burden! The benefits to the business are profound.

 

Security

Many facets of a well-rounded security plan will not show their value to the business simply because the attempts to breach the security will not be seen or recognized. In many companies, the details of spam email have stopped being examined. The number of emails with viruses contained and disinfected or the number of defenses against hack attacks are simply not reported to senior management because they are a day-to-day occurrence. The value of a strong security implementation, however, is that the business continues to run without users being disturbed by inboxes full of spam, having their computers run inefficiently because of programs infecting these machines, or--worse still--having keystroke monitors recording their actions.

 

One only has to look back at the reports of large amounts of data being lost or stolen on a site such as privacyrights.org to be able to contemplate the damage such announcements do to the business involved. Just imagine if TJX had had systems and procedures in place to stop the hacking. That business lost both reputation and value. Had the hack been prevented, would the company even have understood the value they were getting for their investment in a well-rounded security plan?

 

The misplacement of a single tape by LaSalle Bank left two million customers concerned about their personal information and cost the group hundreds of millions in fraud insurance and other costs, even though the tape was subsequently found. Imagine if this company had been encrypting the tape: would senior management even have been made aware that a tape was lost, and so would they have realized the value of their security investment?

The problem with having a good, robust security infrastructure in place is that the value is rarely noticeable. But by not having one, the costs are very public and the damage obvious.

 

Storage

Because a business needs to understand the types of its data, the levels of sensitivity of that data, and the locations where data is held, the process of implementing security often also brings other benefits to an organization. Once the data is understood, it becomes easy to remove the many duplications and unnecessary versions and to move the data to the correct type of storage required. Often, this activity will actually free up much storage and give the users better access to the information they need. The result can be that planned expansion of storage is delayed or even canceled when it is found to be unnecessary because of the better utilization of the existing storage.

 

Policies

Because a security audit will indicate areas of operational need, new policies will be compiled, and in many cases, this process will help to smooth the day-to-day operation of a business by making it clear just what staff can and can't do. Policies on their own are not sufficient, so various other things--such as removing USB access and controlling the configuration of desktop PCs--will be implemented, all helping to ensure that systems run smoothly and staff cannot add unauthorized software to their desktop units. This action ensures that all the software installed and running in the business is controlled and correctly licensed.

Integrated Security Systems

The process of integration might start with trying to understand the concept of a total business-wide approach and then filling in the details. It is important not to focus on just one issue; as with all things, security is only as good as the weakest link. To use the military approach of "need to know," you start with the premise that no one has access to anything anywhere. From there, you allow access only to people who need that information to do their jobs and only at times they need it. Once a system like this is implemented, it is easier to track who has access rather than who is denied it. As new areas of information are added, the default is again to allow no access. This security method avoids inadvertently allowing people access because denial of access was accidentally omitted. It is also much simpler to audit actions in this setting.
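The default-deny, need-to-know model described above, written out as a small policy engine. This is an added example in Python, not code from the article or from BOSaNOVA; the subjects, resource names and office-hours windows are constructed for illustration, and the assumption that a "time they need it" is a daily wall-clock window is mine. The point it demonstrates is that a resource nobody has thought about yet (the new file share) is denied without anyone having to write a deny rule, and that reviewing access means enumerating grants rather than hunting for missing denials.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Grant:
    """One explicit permission: `subject` may perform `action` on
    `resource` during the daily wall-clock window [start, end)."""
    subject: str
    resource: str
    action: str
    start: time
    end: time

    def covers(self, action: str, at: datetime) -> bool:
        """True only if the action matches and the request time falls inside the window."""
        return self.action == action and self.start <= at.time() < self.end


@dataclass
class AccessPolicy:
    """Default-deny policy: nothing is allowed unless a Grant says so.
    Every decision (allow or deny) is appended to `audit` for later review."""
    grants: Dict[Tuple[str, str], Set[Grant]] = field(default_factory=dict)
    audit: List[Tuple[datetime, str, str, str, bool]] = field(default_factory=list)

    def grant(self, subject: str, resource: str, action: str,
              start: time = time(0, 0), end: time = time.max) -> None:
        """Record a need-to-know grant. The default window is the whole day."""
        self.grants.setdefault((subject, resource), set()).add(
            Grant(subject, resource, action, start, end))

    def revoke(self, subject: str, resource: str) -> None:
        """Remove every grant this subject holds on the resource."""
        self.grants.pop((subject, resource), None)

    def check(self, subject: str, resource: str, action: str, at: datetime) -> bool:
        """Decide and log. Unknown subjects, unknown resources, ungranted
        actions and out-of-window requests all fall through to deny."""
        allowed = any(g.covers(action, at)
                      for g in self.grants.get((subject, resource), ()))
        self.audit.append((at, subject, resource, action, allowed))
        return allowed

    def who_can(self, resource: str, action: str) -> Set[str]:
        """Subjects holding a grant for (resource, action): the list a
        reviewer actually needs, since everyone else is denied by default."""
        return {s for (s, r), gs in self.grants.items()
                if r == resource and any(g.action == action for g in gs)}

    def denied_events(self) -> List[Tuple[datetime, str, str, str, bool]]:
        """Audit entries where access was refused."""
        return [e for e in self.audit if not e[4]]


def build_demo_policy() -> AccessPolicy:
    """Constructed sample (hypothetical names): a payroll clerk who needs
    read access to the payroll file during office hours, and nothing else."""
    policy = AccessPolicy()
    policy.grant("alice", "payroll/2024", "read", time(8, 0), time(18, 0))
    return policy


def run_demo() -> Tuple[Dict[str, bool], AccessPolicy]:
    """Exercise the sample policy and return each decision keyed by a label."""
    p = build_demo_policy()
    office = datetime(2024, 3, 4, 10, 30)   # constructed timestamp, inside the window
    night = datetime(2024, 3, 4, 22, 0)     # constructed timestamp, outside the window
    decisions = {
        "alice read payroll in office hours": p.check("alice", "payroll/2024", "read", office),
        "alice read payroll at night": p.check("alice", "payroll/2024", "read", night),
        "alice write payroll": p.check("alice", "payroll/2024", "write", office),
        "bob read payroll": p.check("bob", "payroll/2024", "read", office),
        "alice read new share": p.check("alice", "hr/new-share", "read", office),
    }
    return decisions, p


if __name__ == "__main__":
    decisions, policy = run_demo()
    for label, ok in decisions.items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {label}")
    print("can read payroll/2024:", policy.who_can("payroll/2024", "read"))
    for ts, subj, res, act, _ in policy.denied_events():
        print(f"{ts:%Y-%m-%d %H:%M} DENY {subj} {act} {res}")
```

Only the first request is allowed; the write, the other user, the after-hours read and the brand-new share are all refused because no grant exists, not because a deny was remembered. Auditing "who can read payroll" is a single lookup over the grants, and revoking access is the removal of one entry.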

 

Physical security should never be overlooked and needs to be part of the overall plan. Simply saying only authorized staff should have access to the server room, for example, does not stop staff from being able to access workstations in another area where they don't need authorization. By departmentalizing things and granting access only where it is required, security becomes easier to implement and control.

 

People

Often, people are the weakest link in any security system. Sometimes, breaches can be intentional, but in most cases, they're the result of laziness or lack of understanding. A good security solution ensures that employees are fully trained on what they can and cannot do but also ensures that the system is designed in a way that they cannot breach security either by intention or by error. The recent loss of 24 million records by the United Kingdom's HMRC (Her Majesty's Revenue and Customs) department was blamed on a very junior member of staff breaching policy by copying data to a disc and sending it in the mail. This should simply not have been possible; no one should be able to export data in any clear-text form, and desktop PCs should have any removable media features disabled if they can also be used to access sensitive data.

 

Electronic

The problem with many software or hardware solutions is that they seem to imply that they are a "solution in a box" and are all that is needed to meet a company's security needs. This is clearly far from the truth, so a very open attitude is needed when approaching security. All levels and systems need to be looked at and all areas of risk viewed. Is it possible to print sensitive data on a printer outside the secure area? Could sensitive data be transmitted outside the business unencrypted? Could someone either unintentionally or purposefully change information on a database without specific authorization? The list goes on and on and needs continuous assessment, test, and correction. Outside specialists can offer penetration testing in electronic systems, but what about the physical side? Could visitors access information by deception? People are renowned for being basically trusting by nature, and the standard phone call purporting to be from the help desk ("Can you just type this and tell me what you get back?") is always a concern.

 

Only by educating the whole team and getting them to view security as part of their job can you ensure a robust system that does not have the standard weak links.

Asset, Not Burden

A security policy and all the hardware and software that go with it help to ensure that your organization will still be doing business in the future. And that's the whole idea, isn't it?

Paul Howard
Paul Howard is a security consultant for BOSaNOVA, Inc., a leading developer of security solutions, enterprise-class thin clients, and iSeries connectivity products. Paul is a veteran of the storage and encryption industry who, before designing BOSaNOVA's Q3 and Q3i storage encryption appliances, worked for numerous defense-related contractors on storage solution technologies. For more information on BOSaNOVA's security solutions, visit http://www.theq3.com/ or contact Paul by email.