Why Do Companies Have Security?

Ralph DeFrangesco

On the surface, asking why we have security might seem like a really dumb question, but humor me and answer it.


Did you answer, because you are required to have it from a compliance perspective?


Did you answer, because you are recommended to have it because of an industry standard?


Did you answer, because it helps protect our assets and our business processes?


Or perhaps you answered, because of the risk to our company's reputation if it were not adequate?


These are all good answers, but they only tell part of the story. As a security professional, and a consumer, I was hoping for a different answer. Let's put on three different hats and answer this question from three perspectives: a business, a consumer, and the government.


Business: Certainly, from a business perspective I would be concerned about my reputation. If I were constantly being breached, I would lose customers, who would choose to do business elsewhere, though Larry Walsh at Channel Insider writes that some of the largest enterprises get away with murder in this regard and may not have to worry about their reputations, even if they do suffer security breaches that are publicly known. In addition, I might pay a fine if I didn't meet certain regulatory requirements. I could also lose my ability to do business if I didn't meet my partners' and industry's standards/requirements. So, as a business owner, it is in my best interest to have the best security I can afford so I can stay in business. IT Business Edge blogger Lora Bentley sees spending on compliance as a way to save company money in the long run. But most businesses will spend whatever is necessary to become compliant -- no more, no less.


Consumer: As a consumer, I don't quite see it the same way. I want businesses to have whatever security measures are necessary to protect my interests. This might include my personal, financial or private health care data. I don't care about businesses having security for any other reason than to protect me, the consumer, the best way they possibly can, and expense should be no object. The reputation of companies I do business with better be good or I will find another vendor.


Government: The government is caught in the middle. It wants and needs businesses to protect their own and their consumers' data, but also gets pressure from industry lobbyists to ease up on regulations. For example, when Sarbanes-Oxley first came out, it was very stringent and cost businesses a lot of money to comply with. Businesses applied pressure, and requirements continue to be adjusted. As far as costs, the government does not really care what businesses pay for security as long as they don't complain about it.


So I will ask the question again, "why do we have security?" It clearly depends on whose point of view you take. I think the common thread is to protect data. Do you think that businesses actively weigh implementation costs, fines, and their reputations against whether or not to implement security measures?

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.


Add Comment      Leave a comment on this blog post
Aug 19, 2009 3:58 AM Jason Hall Jason Hall  says:


You bring up a great topic and one that leaves much room for thought with the varying perspectives you provide.

Based on my experience, I can tell you that the majority of companies out there really don't care about security. It is an after-thought. Why? Because we are human! How many times do we say...that couldn't happen to me.

A great mentor of mine once said that a business is just an entity with no feelings. Although we put our time and energy into our work because we want to make a difference, in the end...does the business care? Your manager might because he or she looks good. But the business will continue with or without you. But the one thing my mentor did not say is that a business is comprised of people, with feelings that do care. They do their work every day because they want to make a difference.

Don't rely on a business to implement security. Rely on those that are in the ditches to ensure your protection. They are the people that make the difference, not the business. If it were up to business, we would have no rules or regulations. That is why we need lobbyists. In the end - it boils down to one thing - money!

Aug 22, 2009 1:43 AM bernadene bernadene  says:

Hi Ralph,

Society as a whole cannot afford not to excel in Security standards and best practices. Why, all the reasons you mentioned, and with the constant security breaches in large companies, both internal and external. But most Americans have short term memories. They are outraged at first, but then move on and forget what happened. If a person has identify theft it hits closer to home, and what we all must remember Security doesn't just impact the business and their bottom line (which is why less money is spent on Security), but threatens society as a whole.  Until businesses and consumers really focus and realize the importance of Security, things will remain the same.  Even with all of the published Security breaches, some changes are made to address the issue at hand. Business needs to 'dig-deep' and think strategically to anticipate worst-case scenarios and more importantly spend the money to do so!

Aug 27, 2009 9:35 AM b allen b allen  says:

Why do we have security?  Because we want to feel secure, whether that be physically or our information, and we recognise that not all of the people out there are good and trustworthy.  We worry about losing our credit cards or someone else obtaining them and using them without our knowledge or permission.  We worry about our personal safety and that of our nearest and dearest, e.g. when alone or it's late.  We would be concerned if unauthorised people had access to our health information or used it for the wrong purposes.  We want reassurance that none of these sorts of events happen.

What constitutes security differs depending on the context and your perspective, which helps you identify what is needed for that security.  Businesses want to stay in business so they do what they need to to not get prosecuted/fined by the authorities and their clients will entrust them with their information. 

Consumers need businesses to be trustworthy and keep their information secure, so many check who they are giving their information to before they do to know whether they can trust, otherwise they move on.  Those that don't are taking a risk, which often pays off but not always.  But there is not that much that we can do to secure ourselves when we have to hand over our information. 

Governments believe'it is a good thing' which is why they legislate and regulate.  As citizens we have no choice but to trust the government with our information - there is no alternative provider, which can lead them to be less secure than they might be if they were a business. 

Businesses do weigh the implementation costs and restrictions against likely fines and their reputations if they get caught when deciding whether or not to implement security.  They don't want controls, and if they feel they have to have them they will put in the bare minimum they can get away with because they only see the need to protect themselves enough to stay in business.  Business is about taking risks.  Going without, or the bare minimum, is the sort of risk they are prepared to take.


Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.