Security is Insurance

Security isn’t sexy. In fact, many people think it’s boring. When it comes to selling security, whether as a concept or in a true “sales” context, the lack of interest in security is compounded by the fact that it’s not urgent (or it doesn’t seem urgent) — until it is.

To grab someone’s attention about security, people sometimes use fear. And fear works. But you can cry wolf one too many times and lose credibility thereafter. There are other ways to present security that don’t focus on apocalyptic scenarios but rather remain faithful to the fact that security is, more than anything, insurance. It protects what can be a company’s most valuable asset: its online presence.

Security professionals must learn to guide the conversation to ensure security is seen as the valuable business asset that it is. To that end, there are topics that need to be a part of every Internet security conversation.

First, cost. On the Internet, so much is free — or at least presented that way — that paying for security sometimes comes as a shock. And besides, online conduct has for the most part been civil since the Internet evolved into an economy. People usually follow the rules, so what’s the big deal about security?

When it comes to brick-and-mortar businesses, insurance is an easy sell because most people understand the hard costs associated with a building and its contents.

When it comes to online commerce, it’s a dramatically different story. Considering that a domain name can be purchased for less than $20, the cost of keeping that domain name secure isn’t regarded in the same way that insuring a physical building is. Yet, if you lose that domain name, you will lose a uniquely valuable asset. When a domain name is hijacked or a server is attacked, it is the equivalent of a brick-and-mortar building being destroyed. You won’t be able to transact business without your domain name. That’s why insurance and security are analogous: it's not just the rebuilding of the structure — or the recovery of the domain name — that matters; it's the opportunity lost because you cannot conduct business that is equally relevant.

Another challenge: the smaller the online enterprise, the more likely it behaves as an end user rather than a business. Most end users have an unstated expectation that they’re being protected because their service provider is doing the right thing. And most service providers do. But it’s still up to the end user (or the sole proprietor and small business owner) to make sure the service provider is indeed looking after security. But in an age where millions sign into wireless networks in coffee shops and hotel lobbies with no knowledge of who is providing the network, it’s unrealistic to expect end users to have an understanding of the importance of Internet security.

Then comes the topic of complexity. Traditionally, systems administrators manage a company’s security. However, like the Internet itself, the process of keeping a network and its resources secure is much more complex than it used to be. Signing your domain name using DNSSEC, for example, might be better handled by a security professional instead of someone whose training is focused on making sure all the network servers function as designed. Explaining the complexity of the task at hand, and the intertwining systems that must all work exactly so, might provide further justification for investing in enterprise security.

Finally, convenience versus security.

The low importance placed on Internet security has roots in people’s preference for ease of use, even at greater expense. As an example outside of the security world, consider salad. It may be quicker to pick up washed-and-bagged lettuce than to chop it yourself. But if a food-borne illness were traced to bagged lettuce, you’d likely choose to buy a head of lettuce, then wash and cut it yourself. And you’d appreciate that small bit of additional work because you’d then know the salad is safe for you and your family.

In that same way, people tend to take the simplest route with their technology. For example, do you enter a password each time you open your iPhone or wake your computer from a screen saver? Until you’re participating in security – whether it’s locking a phone when it’s not in use or signing into a device with a password or fingerprint swipe – you don’t fully appreciate its value … until you lose your phone or someone steals important information from your computer. Then you’ll be glad about the seconds you spent securing your device. The same applies for Internet security. Nobody will win a popularity contest for making security more laborious, but there will be no better way to help businesses acknowledge the importance of security than by having to participate actively in it.

In the end, not tending to the security component of an online business is like a downtown department store letting its insurance policies lapse. A business-hindering incident may never come to pass, but — if and when it does — you will be glad of the small investment you made in security.

Ram Mohan is the Executive Vice President and Chief Technology Officer at Afilias, a global provider of Internet infrastructure services including domain name registry and DNS solutions. Ram also serves as the Security & Stability Advisory Committee's liaison to ICANN's Board of Directors and has helped direct and write numerous policies affecting domain name registration and DNS security.