From a client perspective, a lot of energy is usually spent debating whether security is best kept ‘in house’ and delivered by the client’s own personnel (or built by internal efforts), or whether it is better to outsource or buy ‘off the shelf’. Because security is essentially a trust issue, the natural inclination is to keep it in house, shrouded in secrecy. We know that, from a technical perspective, ‘security through obscurity’ is not good practice. The encryption algorithms that become standards are subjected to scrutiny for years before being widely adopted.
From an economic perspective, there will be security tasks which are more efficiently carried out by an outsourcer (e.g. managing firewalls or IDS), and some which are more suited to in-house delivery (e.g. fraud and incident investigations), if the skills exist in-house. A good provider will remind the client that they always retain full responsibility for their organization’s security posture, even if some security tasks have been ‘delegated’ to hands and brains outside the firm.
Economics also plays a part in the everyday decisions taken by individuals (employees) when it comes to doing the “right security thing.” We must ask whether security is facilitating or hindering their jobs. Is it ‘cheaper’ to comply with or to flout security rules and procedures? What is the employee’s time horizon when it comes to making security decisions? The answer is to make security a business enabler with a relatively low compliance cost. Otherwise, individual cost-benefit decisions (e.g. about how often to change a system password) may trump the best-laid corporate security strategies.
Fear, Risk and Economics
So, where does this discussion leave us? Are we any wiser about how to make security more widely adopted, and how to encourage clients to spend more on their security budgets?
The main idea we need to convey to our clients is that security can be a business enabler and not just an “IT cost.” Let’s stop viewing information security through the prism of fear and start to quantify it and, more generally, technology risks and threats in economic terms. At the end of the day, buying decisions are made by business people and not necessarily by technologists, so security investment decisions must make business sense in order to be adopted.
We need to articulate the economics angle whenever we buy or sell security. This should enable us to make rational (economics-based, rather than fear-based) decisions when it comes to security. Let’s not allow fear or the latest technological fad to cloud our judgment. We can and should place economic value on security measures, be they technology, people or processes. If we adopt an economic approach, we can demystify information security and make it a friend of the organization. This should benefit both the ‘buy’ and the ‘sell’ side of the market.