The hard way to do organizational security: DIY Security, also known as in-house security, IT-security department, "the IT/security guy", etc.
Why is DIY security typically a bad idea? Many organizations don't have a top-ranking executive in charge of IT or cyber security, or that executive is under-informed about cyber security risks. A 2012 Carnegie Mellon survey of the Forbes Global 2000 list found that fewer than 1/3 of the companies surveyed are "undertaking basic responsibilities for cyber governance" at the board and senior executive level.[1] Because executives don't always take charge of the really tricky subject of cyber/IT security, security accountability within an organization may be murky. Designated security enforcers can face resistance, backlash, and noncompliance from higher-ups, with no one to stand in their corner when security vs. convenience debates start to heat up.
Security Vs. Convenience: CONVENIENCE WINS!!
Lack of cyber-security accountability can lead to the "security guy" getting peer pressured into recommending convenient security solutions that band-aid risks but don't result in better organizational security against threats such as insider threats, BYOD hijacking, organizational mobile device hacking, and client-side vulnerabilities.[2]
DIY security can work if your organization can do the following:
- Hire a seasoned cyber security expert.
- Communicate regularly with the organization about IT security challenges and countermeasures.
- Keep ahead of all cyber risks and threats.
None of the above is impossible -- it's just hard.
The easy way to do cyber security: Hire professionals.
Why is professional management of cyber and IT security the easy alternative? Even if outside security consultants are expensive, hiring a dedicated firm to safeguard your cyber/IT concerns can work in an organization's favor. Outside professionals are *fast*. Their business is to know the threats, the risks, and when those risks become a reality. Compromise can result in same-day loss of assets, and their reputation depends on rapid response.
Thanks to the power of the cyber security "assembly line" known as the security update, your security consultants will roll out security updates to your site along with any site they manage that requires protection or updates in response to actual attacks. This means you can get protection even before attacks against your assets occur. In-house security gurus may have to wait for an attack to occur before they are able to spot and fix a vulnerability.
Cyber security firms are vigilant. They look for exploits on a day to day basis, and when they find one, they roll out the fix to you ASAP. While your in-house guru might take a two-week vacation and leave you exposed to attack during that time, your security consultant team has you covered, round-the-clock, 365 days per year.
Outside professionals are diverse and can respond to a wide array of threats. Typically, a single cyber-IT security expert will have specialties, such as a content management system that he/she is particularly a whiz at securing. If you have only one security professional on your IT team, you may get a one-dimensional security solution that creates the illusion of security on one attack surface and neglects many unknown but vulnerable attack surfaces. An outside security consultant firm will employ many experts with diverse security skills, giving you much broader protection against short- and medium-term threats.
Hiring an outside security team can come with just about any price tag, depending on your cyber security requirements, but if you find the right agency that you trust, it can be an easy response to dynamic, unpredictable cyber security threats to your organization and its assets.
Q: What's the wrong way to do organizational security?
A: Do nothing. Roll the dice.
Like paying taxes and setting up payroll, securing any data or systems run by your organization is a requirement. Small Web operations might ignore security concerns and opt to just use IT products out-of-the-box. These operations are putting their users and owners at risk of data and identity theft. Attacks may occur and result in dramatic, embarrassing loss of data, or they may occur silently and become a slow but steady source of identity-theft material or fraud-fodder for a diligent attacker. Operating an unsecured, unmonitored organization or Web site is like leaving your car running, with the keys in it, while you do your errands. You might get away with it for a while, but eventually someone will be tempted enough to get in and drive away with your car and your valuables.
Organizational cyber security is an emerging discipline. Like locking up a retail store at night, cyber assets need to be locked and monitored as well. The process can be a lot more complicated than setting an alarm, closing a door, and turning the deadbolt key -- but if you choose the right professionals to manage your organization's security interests for you, it doesn't have to be hard.