In association with heise online

Stick or carrot?

In the kick-off keynote, Doug Merrill, who has worked for everybody from EMI to Google, essentially proposed hacking the business world by finding ways to get a return on investment from security. Instead of scaring the CEO into raising your budget, try asking yourself, "How can I be the good guy generating revenue?" This is something you don't hear much at security conferences.

His reasoning: IT budgets are going down, but security budgets are still going up, even if only modestly, mostly because you can scare your CEO. But in this scenario no one's happy. Supposing, he said, you could turn your security budget into things that are good for the business as well as for security. His example, from his time at Google, was Google Checkout, which a) improved the security for consumers' credit cards by limiting the number of places their information was stored, b) helped Google's shopping partners by reducing the rate at which users abandoned their shopping carts at checkout from two in three to one in three, and c) netted Google income. Wins all round.

What are the top two concerns about security breaches? One: loss of reputation. Two: loss of productivity. Merrill: "I worked for a record company. We didn't have a reputation." Plus, he said, how is lost productivity measured? What if the breach that stops the New York Stock Exchange happens at 3am New York time? What if it stops it at 11am and traders have to revert, grumbling, to the system of pink slips and writing stuff down that they used until the 1980s? What metrics do we use?

There is, he said, a mismatch of motivations. Security people frequently tell you that the biggest driver within companies is regulatory compliance. But for a CEO the bigger concern is business continuity. Yes, 80 per cent of CEOs are terrified of security breaches and data leaks – but that's not necessarily because it's the biggest risk. They name it because it's the one they read about in the papers, so when they are asked about risks it's what springs to mind. Yet a study from Verizon showed that 90 per cent of security breaches were pretty trivial – and fully 27 per cent of them are dumb stuff like stolen laptops and computer printouts taken out to the curb for collection instead of being shredded. Make it easy for users to do the right thing, while still using the technology they want, instead of locking them in so they're motivated to work around your policies. Sounds like a plan even the let's-break-it folks could live with.

Permalink: http://h-online.com/-746237