The Security Dilemma

I had an interesting conversation with my wife Lisa this week. She was helping me record a series of training videos on Enterprise Security Risk Management we’re going to launch soon on the TaleCraft Security site. She heard me talk about ESRM for over an hour! I probably owe her a drink.

We filmed a bunch of five-minute stories on the different components of ESRM, and how to build the foundations of a strong security program using this approach.

At the end, she asked a really tough question – why are some companies just not getting this? How can you run a business, but not pay attention to your security program, or protecting your clients and your livelihood? What if you don’t have a program at all?!

To her, it was obvious…well, it helps to be married to a security professional. You protect your house, car, and family but not your business? That didn’t make sense to her. She sat through a primer on how to set up a risk-based security program and the benefits it brings to any sized organization. I must have done a good job because she really got it.

Unfortunately, not everyone does.

That’s the problem. Executives, board members, leaders, mid and senior level managers, end users…the list can go on. There are many organizations that still struggle with implementing a security program or going beyond the selection and installation of shiny new security tools – both for physical and cyber programs. Why do we wait until it’s too late?

Personally, I think that’s the toughest decision many organizations will make. Whether it’s a lack of understanding, a belief that they’re “too small” or “not a target”, or a concern that security will just “get in the way”. Whatever the justification is, the decision to not focus on security has been made by many organizations.

Budgets, the economy, a mandate to cut spending across the enterprise, changes in the workforce – pick a rationalization. All have led to a decision not to invest appropriately in a security program that, if designed with risk and resilience, could help the organization succeed.

We’ve both heard it – from friends that work in large enterprises or who run their own business. Their attention is focused on staying in business, growing into new markets, or pursuing upgrades to existing products. Not one mention of security, or its value to the organization.

I get it. We all make tough decisions. But not investing into protecting your organization is a decision that will have impacts.

They may not be noticed immediately, which creates a false sense of security. If I’m not impacted today, can I make it through tomorrow, or next week, or even to the end of the quarter?

I always struggled with that mindset. It feels foreign to me, but that’s because I have a bias toward security. So, I desperately try to see the other side of the decision and seek to understand why this very tough decision has been made. But in almost every instance, the lack of acceptance or understanding of security’s value is right there, front and center, in the decision process.

I’m curious. For those who’ve taken the time to read this post, have you seen the same in your career? Without mentioning your current role, I’d really like to know about past lives and experiences, and how it impacted you. How have you turned a negative reaction or difficult discussion into that light bulb moment?

If you could, share your thoughts…I’d really appreciate it. And I know others will too.

Have a great weekend folks!

About the Author: Timothy McCreight

Tim McCreight is a husband, brother, friend, dog lover, and dedicated security professional. He has been in the profession of security over 40 years, with experience in both the physical and cyber realms. He’s helped companies across the globe develop security programs using a more human approach to security. Tim is a proud member of “the old guard” in Security—TaleCraft is his sojourn into taking the skills and experience he’s acquired throughout his career and finding practical ways to help others succeed.
