What is first - Business or Security?

Submitted by Kai on Fri, 2007-11-09 00:18.

This is a post I made to a security group I am on. The topic is biometrics and the need for it in a business environment.

--- 

Usually today, the security issues are NOT with identification/authentication - they come from not completely understanding the technology - for example, implementing a bioscanner to identify / authenticate a user, while sending the data itself over a non-encrypted line.

The biggest challenge with any security is the need for it. Do you REALLY need this kind of security? Will this technology make you SECURE? Is there any other tool or solution that can achieve the level of security you need - at a lower price (monetary, user acceptability, support)? If you choose this particular technology - what parts will be secure, and what parts are left unchanged / not adequately secured?

Another key challenge is lack of understanding. Business people care more about business - making the profit, ensuring the operations. Security people care more about adding security - less about the business impact. At the end of the day, these two parties have to work together to ensure an adequate level of security for that particular business. Unfortunately, what we see almost every day is the complete opposite scenario (particularly with ICT security).

The security guys try to make a case about how important a new tool, technology or gadget is. And from a single, security-minded point of view - they usually are right. BUT - the business does not invest in the tool - it chooses to go "insecure" instead. What the security people do not get is that business people are usually equally good at risk assessment and risk management - some even better.

Why?

To successfully run a business - you handle risk and have to manage it on a large scale, continually. You make the decisions - to go or stop - usually with only little knowledge of the outcome. Some say you have to gamble, others prefer to call it risk management. Some don't even know that this is what they do. They will tell you that all they do is maximize profit while reducing the costs - known and unknown.

So in this scenario, the business people usually win the game - because of their added perspective. They perfectly understand risk - and they are willing to risk some to gain some. It is a different mindset.

For the security industry, this means they dig up dangerous scenarios and construct hypothetical issues to sell you only parts of what you need. That would be fine - if they'd only tell you that the actual risk is usually much lower than the perceived risk (after their FUD), AND if they'd tell you that they are only part of the solution.

For the business people, a simple equation should be applied:

Value > security measures

Never spend more securing an object than the actual value of the object. Common sense, right? Yep. But not commonly adopted, unfortunately.

On biometrics - they will come. They are already here. A fingerprint scanner is built into most business laptops today. A camera is on some, and as mentioned in this thread - almost all laptops do have a mic. The challenges for biometrics, however, are more complex (the list is not exhaustive):

  • local laws/regulation

The EU has strong privacy regulations, which some of the member countries apply against biometrics.

  • MITM/MITB

authentication / identification alone is not enough - you need secure communication too, otherwise the biometric data can be intercepted or altered in transit

  • authentication vs. identification

should you authenticate only, identify only, or both? At what stage? Using what technology and measures?

  • the actual need

What is wrong with a username/password combo? Why do you really need a stronger method? When do you need it? Can you do without? Should you do without?

  • usability

a tool can be as secure as it wants, but if users do not like it, they WILL circumvent it. BUT - it may also be the killer app that is in demand - use biometrics as a way to simplify the life of the users - no more need for usernames/passwords and devices carried up and down and back and forth.


This post is not only true about biometrics - it is true about all security. The challenge for the industry is to make relevant solutions that are needed and that fix real issues. The challenge for the customers is to identify the solutions relevant for them - to fix issues they actually have. The challenge for (end) users is adopting new security solutions every other day.

At the end of the day - you can never be 100% secure. You can get very close if you really want to (and can afford it) - but the fact of the matter is that your job is to secure your business - meaning you are there to make as much profit as possible, or if an NGO - to spend as much time as possible doing your thing. No matter if you are the CEO or the CSO - your job is NOT to invest in security - it is to work towards the business goals of your company. Period.

The blogger is Kai Roer, a European Information security professional.
