Security vs. Business Flexibility

by Bruce Schneier

November 30, 2015

This article demonstrates that security is less important than functionality.

“When asked about their preference if they needed to choose between IT security and business flexibility, 71 percent of respondents said that security should be equally or more important than business flexibility.

But show them the money and things change, when the same people were asked if they would take the risk of a potential security threat in order to achieve the biggest deal of their life, 69 percent of respondents say they would take the risk.”

The reactions I’ve read call this a sad commentary on security, but I think it’s a perfectly reasonable result. Security is important, but when there’s an immediate conflicting requirement, security takes a back seat. I don’t think this is a problem of security literacy, or of awareness, or of training. It’s a consequence of our natural proclivity to take risks when the rewards are great.

Given the option, I would choose the security threat, too.

In the IT world, we need to recognize this reality. We need to build security that’s flexible and adaptable, that can respond to and mitigate security breaches, and can maintain security even in the face of business executives who would deliberately bypass security protection measures to achieve the biggest deal of their lives.

