
Thursday 18 July 2013

Mitigation versus Real Security

Of the many different ways of classifying security types, one seems to me to be of increasing importance in how an organization sets up and structures its security. The two types, which we will call mitigation and real for the purpose of this discussion, are important paradigms to distinguish. Telling them apart lets an organization allot funds and resources to the proper locations, and lets it understand the effects it wishes to achieve before heading out and buying the most expensive security gadget, which then turns out to be ineffective because the intent of the system was never understood.

Mitigation security (not to be confused with mitigation strategies) focuses on the concept that nothing is secure forever. The aim of this type of security is to show interested parties, namely insurers, legislators and interested members of the public, that proper precautions were taken to secure that which requires security. In other words, it allows an organization to claim that all that could reasonably be done was in fact done, and that a security breach was an extraordinary occurrence which could not reasonably have been expected. This covers things like physical assets, unencrypted cloud data, product launch details and really anything which tends to be insured against loss, or the loss of which, while damaging, will only expose an organization to potential financial loss or lower-level litigation.

Real security, on the other hand, is the paradigm which focuses on actual no-fail security measures. Failures in security of this type result in real harm: major financial losses and litigation exposure, as well as public backlash, loss of confidence and possible adverse legislation. Organizations involved in this type of security tend to be government agencies, weapons and energy manufacturers and hi-tech organizations. Losses of this type vary; however, they tend to involve cutting-edge and bleeding-edge technologies, personal and financial data, state secrets and significant intellectual property.

Choosing one or the other does not need to be mutually exclusive; quite the contrary. Choosing the appropriate paradigm to put into practice in each area of your organization shows that proper thought has gone into your security plan, and has the benefit of tailoring costs so that the proper level of protection is used where it is needed. This runs contrary to the plans that many security sales folks may propose; however, the truth of it is that high security comes down to planning appropriately rather than spending on the most expensive gadgets.

When you begin your planning for security measures, here are a few quick rules I like to use when planning for my clients:

  • Start early in the business life cycle. Starting to think about security when you are still a small to medium business will allow you to think about how your plan can and should evolve as you get bigger.
  • Establish what effects you want to achieve rather than what you want to secure. This will give you a better understanding of the variables you need to account for.
  • Consider everything, not just the gates. I always tell people that, if the IT security folks are doing their jobs, the easiest way for me to breach their data systems is to get some dirt on a staff member, blackmail them and have them get it for me, making those expensive IT security plans worthless.
  • A plan is never done. Make amendments whenever a breach occurs, and regularly as technology and organizational changes occur.
  • And finally, a security plan is useless unless staff are aware of it. Make sure they know your plan, and refresh them on a regular basis (annually at a minimum).
Blog post is courtesy Elemental Investigations: Private Investigator Edmonton, an Edmonton, Canada based private investigator agency. They can be found online at www.elementalpi.ca
