Security vs. Business Flexibility
by Bruce Schneier
November 30, 2015
This article demonstrates that security is less important than functionality.
“When asked about their preference if they needed to choose between IT security and business flexibility, 71 percent of respondents said that security should be equally or more important than business flexibility.
But show them the money and things change, when the same people were asked if they would take the risk of a potential security threat in order to achieve the biggest deal of their life, 69 percent of respondents say they would take the risk.”
The reactions I’ve read call this a sad commentary on security, but I think it’s a perfectly reasonable result. Security is important, but when there’s an immediate conflicting requirement, security takes a back seat. I don’t think this is a problem of security literacy, or of awareness, or of training. It’s a consequence of our natural proclivity to take risks when the rewards are great.
Given the option, I would choose the security threat, too.
In the IT world, we need to recognize this reality. We need to build security that’s flexible and adaptable, that can respond to and mitigate security breaches, and can maintain security even in the face of business executives who would deliberately bypass security protection measures to achieve the biggest deal of their lives.