Security as an Overhead isn't working

We're building a medical app. Of course, Therapy-Smarter isn't collecting deeply intimate data - just basic contact information, some physiotherapist's notes, exercise prescriptions and exercise performance data - but nevertheless, medical data is medical data- it's inherently sensitive, and any company that cares about its reputation needs to take data privacy - and thus data security - very seriously indeed.

So, we've been thinking about it fairly hard - but not in a technical way; it's a specialist domain and we assume that we will need to pay people who know what they are doing to advise us on best practice and  then get them to assess our implementation.

No, we've been thinking hard about security in terms of business culture, because it seems painfully clear that this is where security weaknesses really come from. That's right - I'm saying that security weaknesses have much more to do with business culture than they have to do with engineering.

This is a surprisingly contrarian approach to typical discussions of security in tech. Generally, debates on 'cyber-security' (dreadful term) are framed by technological considerations, often considered to be understandable through the metaphor of an 'arms-race'. Articles are often about new forms of malware, new techniques of detection and defense - there is a huge industry predicated on this approach, and famous experts whose comments are solicited in the press.

Don't get me wrong - I'm not denigrating security technologists, and neither am I suggesting that this isn't a fast-moving field.

What I am suggesting is that the 'arms-race' metaphor is profoundly misleading and unhelpful.

Think about it. The clearest example of an arms-race is the cold-war: two implacable opponents completely convinced that a slight technical imbalance in favour of the other will result in an existentially unacceptable outcome. In this situation each side was prepared to spend a hugely disproportionate amount of its budget on military development of all kinds.

Or consider pharmaceutical companies, or oil companies, or tech companies - in all of these sectors, R&D budgets are pored over by analysts and are considered major indicators of future success.

This is the character of an arms race, and it is patently obvious that spending on cyber-security by non-specialist firms has very little of this character.

On the contrary; security, as far as any ordinary business is concerned, is considered as an overhead - a cost that cannot be directly associated with the delivery of any specific product.

Whether you're running a corner-shop or Sony Entertainment, the cost associated with security (whether it's padlocks and shutters or encryption and real-time monitoring) is viewed as a dead cost - a drag on the rest of the business, like property taxes, insurance, interest on loans, cleaning and recurrent maintenance.

All of these costs are ones that any business wants to minimise - spending money on these does nothing more than keep you standing - it provides no direct financial benefit to the organisation or value to its customers. And so managers in these departments are strongly concerned with keeping costs down, subject to meeting targets - and these targets will not be technical targets - they will be business targets, defined in language that non-technical board members can understand.

If cashflow, margins or profits are under pressure - particularly in the short-term - then any significant expense in these areas will likely be subject to pressure; pressure to review, for cost-cutting, for corner-cutting, for delay.

You see where I'm going with this. If security is treated by the finance department as an overhead, a single figure in the overheads section of the accounts, subject only to queries as to why it can't be reduced, then any financial pressure in the business is likely to result in a reluctance to spend money on security.

Meanwhile, on the other side - the black-hat side - investment in finding ways to defeat security is the price of existence - the sine-qua-non of doing business.

So we have a situation where one team on the playing-field considers security questions essentially as a drag on business, while for the other team, developing security attacks is the foundation of the business itself.

In this situation, no useful progress will be made by debating security in terms of technical implementations. I'm certain that the reason Sony Entertainment's security was so abysmal wasn't because no-one knew how to improve it, wasn't because there weren't people within the firm making strong calls for improvement, wasn't because better security was technically impractical.

No; I feel very confident in asserting (without any inside knowledge at all), that what happened at Sony (and at a hundred other firms) was that non-technical people with financial targets decided that security was an overhead which needed to be kept under control.

Such people will never read the technical articles. It is (entirely properly, some would say) part of their job description not to be captured by the sectional interests of any of the people within 'overhead' departments. They won't be swayed by IT security specialists any more than they will by building maintenance specialists - they are finance people.

Of course, after the fact, the board at Sony (and Target, and all the others) will no doubt have authorised massive spending on security consultants and technology. And with any luck, this will sufficiently 'harden' these companies that they will not soon be breached again. But unless they change their business culture, the respite will only be temporary.

For as long as 'Security as an Overhead' remains the business culture, the black-hats will have an in-built advantage. And desirable characteristics in business culture rarely happen by accident - they need to be carefully implemented and nurtured.

At Therapy-Smarter, we intend to address this by implementing an internal accounting structure that considers security spending, not as an overhead, but explicitly as 'cost of sales'. In other words, we will allocate expenditure on security of data specifically in line with each sale (on top of a sound initial implementation). Thus as the company grows, spending on security will automatically grow.

This isn't considered a 'magic-bullet' that will solve all tech-security issues forever - far from it - it is as vulnerable as any other management decision to revision, complacency, misunderstanding, incompetence and all the other myriad ways in which things go awry.

But it is a clear indicator to the whole business (and to anyone who might invest in it), that security is not an overhead to be minimised; that data-security is a direct part of our service commitment to every customer.

[Header image credit: backgroundcheck.org]