Widening the vocabulary of security

Security is now more about managing risk than fighting hackers, but IT professionals do not have the language to join the debate. This is not a good thing.

By  Eliot Beer Published  July 17, 2007

Yesterday a rather fierce internal debate briefly reared its head in the ACN offices - that of how to illustrate a feature on security. This might seem a straightforward - or even trivial - discussion, but it uncovered an interesting problem: we only have one visual vocabulary to talk about IT security.

Why should this matter? Well, for the most part it wouldn't - the majority of security writing deals with threats, attacks, defences and protection. These concepts all have readily available visual metaphors, often drawn from the world of physical security: padlocks, walls, guards, guns, shields and so on.

In fact, these metaphors come so easily to mind that most of them now fall squarely into the realm of cliché - a visual shorthand that no one associated with the IT industry thinks twice about.

This is a bad thing, make no mistake. Security is now much more than firewalls, antivirus and network access control. Security at a strategic level has much more in common with the insurance industry than the technology industry - or the battlefield.

Unfortunately, most IT professionals are not well versed in the language of insurance adjusters and risk management consultants. The nature of IT often encourages a rather 'binary' outlook on the world - things are either right or wrong, on or off. Black or white.

In the real world, as any politician knows, there are only shades of grey. In the cutthroat world of business, this is also implicit knowledge - but the gap between the two outlooks is a stumbling block on the road to effective communication between business leaders and IT hotshots.

For the uber-geek, security is a finite problem - throw enough resources, people and late-night sessions with a pizza at it, and it will be dealt with. In the past, the value of these resources was small enough that most sensible businesses would happily pay it to feel secure.

But now that breaching enterprise security - or breaching the security of enterprises' customers - has become a business in itself, the resources needed to lock down an organisation totally are beyond the means of any normal business, anywhere in the world.

The equation becomes even more complex for enterprises which use electronic channels to do business - websites, certainly, but also electronic payment terminals in physical stores. The easier these channels are for customers to use, the more exposed they tend to be to attack. So do you lose money from security breaches, or do you lose money from disgruntled customers? An unenviable decision to make.

So security has moved on, and is now a business issue, not a technological problem. Enterprises must make some hard calculations about the risks of doing business in a connected age, and how much they are prepared to lose - just as a retail store will decide what constitutes an acceptable loss to shoplifting.

The industry now needs to work on a new way of expressing these concepts, and bring the language of business forward to the front line (another military metaphor) of IT security - just as IT concepts have made their way into the business.

What are your views on the security debate? Is IT security a war that can be won, or a variable that must be factored in to a business plan? Email your views to acn@itp.com. Look out for a discussion of security risk management in August's ACN.
