Managing Security
Q: If security is an illusion and impossible to achieve, what's the point?
A: While total security is impossible, it is possible to have some security. Certain security techniques mitigate the most common risks. For example, locks keep curious people away from sensitive or valuable materials. A curious person might become a thief if tempted; the lock removes the temptation and with it most of that risk. A determined thief won't be thwarted by a lock, but there are far fewer determined thieves than there are curious people.
Q: How do I figure out how much security my company needs?
A: This is not an easy question to answer. Every company is different. Some businesses are easier to secure than others. Some need a lot of security, others need a little. Here are a few pointers, but this is mostly a matter of intuition and business savvy.
First identify the potential risks. Some starting points: data getting stolen, data getting destroyed, systems becoming unavailable, etc. Then estimate how much each would cost your business if it happened, and how likely it is to happen. Together these define your exposure.
An investment in security reduces the likelihood of a risk happening. In some cases a small investment significantly reduces the odds of a problem; in others, an improvement can be very expensive. Usually, basic security measures are inexpensive but highly effective. Past the basics, things get pricey. At some point the cost of the next improvement exceeds the reduction in expected loss it buys, and that is where the spending should stop.
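The reasoning above can be made concrete with numbers. The following is an added example, not part of the original FAQ: it models exposure as expected annual loss (likelihood per year times cost per event, an assumption the FAQ does not state explicitly), treats each candidate control as something that cuts the likelihood of one or more risks, and keeps buying the control with the largest net benefit until the next one costs more than it saves. All risk names, controls and figures are constructed for illustration.

```python
"""Cost/benefit screen for security controls (constructed example).

Exposure is modelled as expected annual loss: for each risk,
likelihood (events per year) times impact (cost per event).
A control reduces the likelihood of one or more risks; it is worth
buying only while the expected loss it removes exceeds its cost.
Every name and number here is made up for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    impact: float        # cost to the business if it happens once
    likelihood: float    # expected occurrences per year, before controls


@dataclass
class Control:
    name: str
    annual_cost: float
    # risk name -> fraction by which this control cuts that risk's likelihood
    reduction: dict[str, float] = field(default_factory=dict)


def exposure(risks: dict[str, Risk]) -> float:
    """Expected annual loss summed over all risks."""
    return sum(r.impact * r.likelihood for r in risks.values())


def apply(risks: dict[str, Risk], control: Control) -> dict[str, Risk]:
    """Return a copy of `risks` with this control's likelihood cuts applied."""
    out = {}
    for name, r in risks.items():
        cut = control.reduction.get(name, 0.0)
        out[name] = Risk(r.name, r.impact, r.likelihood * (1.0 - cut))
    return out


def choose_controls(risks: dict[str, Risk], controls: list[Control]):
    """Greedy selection: repeatedly buy the control with the largest net
    benefit (exposure removed minus annual cost) until no remaining control
    pays for itself. Returns (chosen names in purchase order, residual exposure)."""
    chosen: list[str] = []
    remaining = list(controls)
    current = dict(risks)
    while remaining:
        best, best_gain = None, 0.0
        for c in remaining:
            gain = exposure(current) - exposure(apply(current, c)) - c.annual_cost
            if gain > best_gain:
                best, best_gain = c, gain
        if best is None:   # the next investment would cost more than it saves
            break
        chosen.append(best.name)
        remaining.remove(best)
        current = apply(current, best)
    return chosen, exposure(current)


# Constructed sample data (hypothetical business, hypothetical figures).
RISKS = {
    "data_theft":     Risk("data_theft",     impact=500_000, likelihood=0.10),
    "data_destroyed": Risk("data_destroyed", impact=200_000, likelihood=0.20),
    "outage":         Risk("outage",         impact=20_000,  likelihood=2.0),
}
CONTROLS = [
    Control("offsite_backups",  annual_cost=5_000,   reduction={"data_destroyed": 0.9}),
    Control("patch_management", annual_cost=10_000,  reduction={"data_theft": 0.5, "outage": 0.25}),
    Control("24x7_soc",         annual_cost=120_000, reduction={"data_theft": 0.3, "data_destroyed": 0.3, "outage": 0.3}),
]


def run_example():
    """Run the screen over the constructed data and return (chosen, residual)."""
    return choose_controls(RISKS, CONTROLS)


if __name__ == "__main__":
    before = exposure(RISKS)
    chosen, after = run_example()
    print(f"exposure before controls: {before:,.0f}")
    print(f"controls worth buying:    {chosen}")
    print(f"residual exposure:        {after:,.0f}")
```

With these figures the two cheap basics (backups, patching) each remove far more expected loss than they cost and are bought first; the expensive round-the-clock monitoring never pays for itself against what remains, which is the "past the basics, things get pricey" point in the answer above. Real figures are estimates, so the output is a sanity check on priorities rather than a precise budget.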
Managing Security: The Security Assessment
Q: What is the difference between an assessment and an audit?
A: At the moment, largely a matter of personal semantics. Security consulting companies use these terms interchangeably. In our opinion, an audit is a formal process closely tied to some sort of regulatory/compliance need. An assessment is more informal, often performed by internal staff as a self-diagnostic tool.
Reserving Rights: Digital Rights Management