Security can be an emotional topic, especially if you have been a victim or sit on the front lines of the battle as either attacker or defender. Discussions can be fraught with the moral implications of right and wrong, social opinions of justice and fairness, financial arguments about costs and value, and the personal experiences of those who have been impacted. These perspectives can cloud the cold logic behind the purpose of information security.
Setting all emotions aside, decisions about security spending come down, in the end, to a set of value judgments: should investments in security be made at all, and if so, how much should be spent, and what level of risk should be sought and sustained?
Security prevents or minimizes losses. It may seem counterintuitive, but if the risk of loss is acceptable, or if the cost and negative impacts of security are too high, then additional controls are likely not warranted. In most cases some controls are desirable to keep losses in check; their amount, type, and form will differ based on the needs of the user and the situation.
But shouldn’t we deploy security everywhere, crush every vulnerability, close all the exploits, and make the computing environment impervious? NO! Even if it were possible, it would be far too costly, both in direct expense and in the residual drag those tools and processes place on the productivity of the environment. It simply does not make sense to overspend on security. The goal of a healthy security program is to find the right balance.
In most situations some level of security makes a great deal of sense. The average consumer and enterprise computing environment needs security to bring the risk of loss down to an acceptable level. We will never eliminate all loss, but we can reach a level where we are comfortable with the tradeoff between security and the residual risk. This balance, which shifts over time, is the optimal point of security that we should continually strive to achieve and maintain.
Many see security spending as a necessary evil, others as a potential life preserver. My perspective is that security is an investment in the prevention of loss. Good decisions around any investment involve making valuable tradeoffs for what is right over time. Security at the appropriate level is a necessity, but not an evil. It is an investment to manage losses to acceptable levels.