Look closely at the two and you will find striking similarities between IT security and the insurance industry. It is worth taking a moment to examine them.
The insurance industry is built on risk: a person buys insurance based on the costs that could be incurred, weighted by the probability of the loss actually occurring. So someone may pay $50 for accident insurance against an event that has a 1 in 100 chance of happening and that would cost $1,000 if it did.
Securing IT is also based on the cost that may be incurred, weighted by the risk of an incident occurring. For example, if I have a piece of equipment that costs $500 and holds data worth $500, then I may spend $50 to secure that $1,000 worth of equipment and data against a risk that has a 1 in 100 chance of happening. In both cases the figure doing the work is the expected loss, probability multiplied by impact: 1 in 100 times $1,000 is $10, and that is what the $50 is being weighed against.
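The arithmetic behind that comparison, as an added example that is not part of the original article: it uses the article's own figures ($1,000 at stake, a 1 in 100 chance, $50 spent) and goes one step further than the text by treating insurance and a security control differently, since insurance transfers the impact while a control lowers the probability. The residual probability after the control and the larger-asset scenario are assumptions for illustration, not figures from the article.

```python
"""Expected-loss arithmetic behind the insurance / IT-security comparison.

Added example, not from the original article. The $1,000 / 1 in 100 / $50
figures are the article's; the control's residual probability (1 in 1,000)
and the $100,000 asset scenario are assumptions for illustration.
"""

from dataclasses import dataclass


def expected_loss(probability: float, impact: float) -> float:
    """Expected loss for one event: probability of the event times its cost.

    With a per-year probability this is the annualised loss expectancy (ALE)
    used in quantitative risk analysis.
    """
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if impact < 0:
        raise ValueError("impact must be non-negative")
    return probability * impact


@dataclass(frozen=True)
class ControlDecision:
    loss_before: float   # expected loss with no control in place
    loss_after: float    # expected loss once the control is running
    control_cost: float  # what the control costs for the same period
    net_benefit: float   # loss avoided minus control cost
    worthwhile: bool     # True only if the control pays for itself


def evaluate_control(probability_before: float, probability_after: float,
                     impact: float, control_cost: float) -> ControlDecision:
    """Decide whether a security control is worth buying.

    A control reduces the probability of the event (the IT-security case in
    the article) but never eliminates it: probability_after may be small but
    is normally not zero, which is the residual risk the article mentions.
    """
    if probability_after > probability_before:
        raise ValueError("a control should not raise the probability")
    before = expected_loss(probability_before, impact)
    after = expected_loss(probability_after, impact)
    net = (before - after) - control_cost
    return ControlDecision(before, after, control_cost, net, net > 0)


def insurance_premium_ratio(premium: float, probability: float, impact: float) -> float:
    """How many times the expected loss an insurance premium costs.

    Insurance does not change the probability; it transfers the impact. A
    ratio above 1 is normal (the insurer adds its own margin), but the ratio
    is the number to compare offers on.
    """
    return premium / expected_loss(probability, impact)


if __name__ == "__main__":
    # The article's numbers: $1,000 at stake, 1 in 100 chance, $50 spent.
    print("expected loss:", expected_loss(1 / 100, 1000))                  # 10.0
    print("premium ratio:", insurance_premium_ratio(50, 1 / 100, 1000))    # 5.0

    # Assumed: a $50 control that cuts the chance from 1 in 100 to 1 in 1,000.
    d = evaluate_control(1 / 100, 1 / 1000, 1000, 50)
    print(d)   # net_benefit -41.0: the control costs more than the risk it removes

    # Assumed: the same $50 control protecting a $100,000 asset instead.
    d2 = evaluate_control(1 / 100, 1 / 1000, 100_000, 50)
    print(d2)  # net_benefit 850.0: now it is worth buying
```

The point the numbers make is the one the article is driving at: the same $50 can be a bad buy against a $10 expected loss and a good one against a $1,000 expected loss, so the decision depends on what you are protecting and how likely the loss is, not on how alarming the sales pitch sounds.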
Do you notice any similarities? Of course!
I may have oversimplified a few things, but the concept is basically the same.
The one difference to keep in mind is that insurance only covers you against the financial consequences of something happening; IT security, on the other hand, puts mechanisms in place to reduce the likelihood of it happening in the first place.
With insurance you are still expected to take reasonable steps to avoid the particular accident you are covered for, and you pay to transfer the cost if it happens anyway; with IT security you are spending money to reduce the probability that a particular threat materialises.
In IT security, as with insurance, you may never eliminate a risk. You can spend thousands or even millions of dollars and some residual risk will remain. But the similarities between IT security and insurance don't stop there.
Another way in which they are very similar is the way they are sold. Have you ever been sold insurance? I have, and I personally hate insurance agents! Insurance agents sell with fear, uncertainty and doubt, FUD. They sell with statements such as, "You must think about your family," or, "What would happen if you got sick or had an accident and were unable to work; how would you support them?"
They play on fears and appeal to your darkest emotions.
IT security vendors play a similar game. They also use FUD to put buyers in an uneasy and uncomfortable position where they come to believe their risk is far greater than it really is. This is one of the reasons I hate sales pitches from IT security vendors.
Now don’t get me wrong, I believe that IT security devices are an important part of protecting an enterprise environment. But what I also believe is that a lot of people overestimate what is required to protect their environment and, in some instances, underestimate what they should be protecting.
IT security is not as simple as throwing technology at the problem and assuming you are protected.
IT security needs a holistic approach that brings together technology, your people and executive management to establish the level of awareness and behaviour that makes for a secure environment. Many businesses, however, neglect the people aspect and rely too heavily on technology for their IT security needs, often on the advice of those same IT security vendors.
Take my advice and take everything IT security vendors say with a tablespoonful of salt.
I understand that having a lot of IT security systems in place helps you feel comfortable and secure. But just as you can have too much insurance, you can have too many IT security systems.
And too many IT security systems can have the opposite effect of what you are trying to achieve. More on that point in another article.