Two Really Right Things, and One Really Wrong One

November 18, 2010

Jeffrey Carr, founder of the Grey Goose Project, author, and general security guy, recently posted an article in Forbes, entitled “Three Things that Every CEO Should Know About Cyber Spending”.  Two of those things are very salient, accurate statements, in effect stating that (a) there’s no such thing as “100% secure”; and (b) the job of IT is to protect organizational data assets, not be the personal tech team for senior executive management.  These are both very true statements, and point out long-standing philosophies with which most security folks will wholeheartedly agree.

Unfortunately, Jeffrey’s other point is not so universally accepted.  In fact, I would argue that if a CEO read his article and took it to heart, Mr. Carr’s brief article stands to push back the hard-won gains made by information security in the commercial world by a decade or more.  So what was this sacrilegious claim?  Simply put:

If your enterprise isn’t in energy, defense, or finance, it’s not a high priority target so don’t spend money like it is.

Now, let’s take a look at that statement in some detail.  Yes, no doubt these industries see a lot of cybersecurity attacks.  But then again, so do retailers… and healthcare payers and providers… and educational institutions… and technology service providers… and civilian government agencies.  In fact, a quick scan of the last six months of the Privacy Rights Clearinghouse database shows that each and every one of these industries has experienced a significant data breach, many of which were perpetrated through malicious attacks and/or behavior.  Of the 73 reported data breaches just since the beginning of October, only 4 were associated with defense organizations/contractors (2) or financial services (2). What does that tell you?

So what’s my point?  It’s this: information security is a matter of risk.  The more valuable information is to your organization, the more important that cybersecurity spending should be.  Are there businesses where cybersecurity defense shouldn’t be a high priority?  Absolutely… but they can’t be nicely parceled by industry vertical as Jeffrey tried to do in his article.  Everybody needs to be vigilant, regardless of whether they’re in energy, defense, financial services, retail, healthcare, education, or any other industry.

The specific amount organizations spend to protect their information will vary, but it’s not dependent on their industry — it’s dependent on how important it is to ensure that the data maintains confidentiality, integrity, and availability.  Security industry experts should know better.

