Don’t care – Shouldn’t have to care

My colleague Jon Collins from Freeform Dynamics posted a really interesting question over on The Register: “Does business really care about security?”

Like all the big, crunchy questions, the answer is a lot more complex than initially seems possible.

You could take some sort of statistical approach – what proportion of businesses deploy antivirus software to their desktops? – and come up with a big number that implies ‘yes, it does’. (Or maybe not.)

You could interview the CTOs of a representative sample of large organisations and ask them for more in-depth examples and views. Again, it’s pretty likely that you’ll come up with a positive picture.

However, those results are misleading in some respects, and I think that’s because the question involves two big abstract terms. ‘Business’ is an idea, not a person, so it doesn’t care about anything much. Security doesn’t appear on the mission statement, I’d be willing to wager, nor would it be appropriate for it to be there. Alongside things like health and safety, environmentalism and equality of opportunity, it’s the sort of thing we expect businesses to care about, but we know it’s not their primary function. And does ‘business’ mean the board, the IT department or every single member of the organisation?

Similarly, ‘security’ is extremely slippery as an idea: we’re talking about systems, software, attitudes, processes and policy.

So to break it down: does Jon in logistics make sure his internet browser is patched* to the currently advised levels? No, he couldn’t care less. He’s got a big shipment that needs to be in Paris tomorrow – so don’t start messing with his machine right now, thank you very much. But he does care – a lot – that his system works and that he doesn’t get in trouble.

What we keep arguing for is a holistic approach to security. That doesn’t mean that we need to persuade Jon that his patch levels need to be up to date. That isn’t going to happen. Sorry.

What it does mean is that the security and IT departments are able to manage his security for him – all the time. It becomes pretty much impossible for Jon to screw up, or for his machine to get compromised, because the policies are baked into the processes and the technology.

What are your views on this? Voice your opinions on the Register’s Security That Fits Workshop before it closes later this month.