At What Price Security?

Competitive advantage is spawning an incongruous trend among insurance companies. To retain and build business, carriers must make it as easy as possible for their suppliers, contractors, business partners and customers to do business. This requires opening their networks and systems to the outside world, making security an increasingly difficult, if not impossible, task to manage.

I doubt anyone will argue that security has become the ultimate risk management issue. And, whether referring to insiders or hackers, it's become more than a simple game of cat and mouse. Every second Tuesday of the month, Microsoft announces its latest security patches, and every second Tuesday every hacker knows about them. Even as Microsoft released its beta version of the Vista operating system, hackers had already unleashed viruses that cripple its functionality.

Companies cognizant of the game diligently conduct vulnerability studies and penetration analyses, and some, as a matter of routine, look at process flaws and operational practices that add to risk exposure. The price to pay is often dear.

The host of technology vendors who offer a silver lining represents more than a cottage industry. As the editors conducted background research for this month's cover story on the insider security threat, more than 50 vendors came forward to tout their wares, from iris scanning technology to infrastructure lockdown. Each claims their solution is the absolute. If only it were free.

But it's not free, and the funds allocated to pay for it are not always easy to acquire. During interviews conducted for our cover story, more than one executive told INN that although security is a firm priority, a skirmish typically occurs during the discussion of the business plan needed to justify funding for an amount "appropriate" for the carrier's growing needs. As with most IT departments, security is not considered a profit center, so funding is always an issue, and probably always will be. This makes the case for pitching an "appropriate" amount that much more difficult. How much is enough? How much is unnecessary?

If there has been no breach to date, do carriers have a tendency to, as Ted DeZabala, Deloitte & Touche LLP's principal in its security services group, maintains, "wait until there is a fatality at the traffic light," before making funds available for "appropriate" preventive measures? Are companies that choose a parsimonious approach more vulnerable than those that ramp up with the latest and greatest technology? In this competitive environment, which company is prepared to wait around to find out?

Maybe the question needs to be: What is the cost of not managing security? Because the return on this investment may not be measured in dollars; it will be measured in being able to stay in business. Security management is more than good business; it's essential to survival.
