A balanced view of the value of security

by Ian Campbell September 22, 2015

The security market is an interesting area for Nucleus. We’re a strongly value-focused firm, and security has more of a panic-and-fear sales strategy than a measured value strategy. I think that’s why we’ve found security initiatives are more often reactive to news headlines than a strategic corporate foundation with a long-term plan. Chief Security Officers (is this really a “C” level job?) may argue otherwise, but I’ve yet to see a business case for a security initiative that doesn’t include an estimate of the value of the organization going out of business, the cost of every credit card on file being stolen, a plague of locusts, and severe flooding because Russian hackers somehow remotely turned on the sprinklers in the corporate office. If anyone questions the possibility of an event, it’s usually met with the childish response of: “it could happen.”

This past July we decided to start covering the security market with a view toward the business balance rather than the sky-is-falling hype. Amir Ahari is leading the sales effort with Rebecca Wettemann, our VP of Research, adding that area to her team’s coverage. We’re going to focus on two aspects of security: first, what is the most efficient way to accomplish the security level you wish to achieve, and second, will the downside to users and customers be greater than the expected value of the increased security? We hope the result is research that generates a credible ROI to address the needs of the business decision maker.

More often than not, the panic strategy of security drives bad behavior for an organization. I’m sure we’ve all experienced password requirements that are so complex you’re forced to write the password down. Hopefully not on a sticky note under your keyboard, but in our 2006 report (G68 – Password benchmarks) we found 1/3 of people keep their passwords written somewhere and 1/3 of those are on sticky notes. Things haven’t changed much, although fingerprint technology, now common in phones, offers promise.

But what happens when the “it could happen” folks get out of hand and really lose the balance between security and the user? I recently experienced this with our payroll processor. Although it already required 2 separate passwords to access payroll information, a recent enhancement (for my benefit apparently) added a requirement to answer one of four challenge questions to PCs it recognized and an additional text message passcode (frustratingly sent to our office main number) to PCs it didn’t recognize.

Normally a challenge question is a minor annoyance but here’s where things get interesting. I can only imagine a security consultant in a conference room with a group of security fanatics generating a set of impossible questions. The choices included “What color is your childhood dog’s collar?”, “What is your neighbor’s favorite type of taco?”, “Does your spouse eat corn across or around?”, and “What is the 4-digit number in which the first digit is one-fifth the last, and the second and third digits are the last digit multiplied by 3?” Okay, the last one is from a Mensa practice test (the answer is 1155 which is easily solved using Google). I tried to select questions I could answer but it was impossible. I was also frustrated in not being allowed to answer “42” to all challenge questions.

This is a case where security is getting in the way of customer satisfaction, and you probably figured out how this is ending. We just signed with a smaller, more friendly (and a lot cheaper) payroll processing company, making my account with the first company ultimately secure by closing it.

The golden rule for security initiatives should be that a customer loss is far worse than a security loss. We intend to address that balance with our new security coverage.