Friday, January 30, 2009

Security Cost Allocation

There is an interesting article about security costs and security programs in general. Robert Liscouski makes the point that security programs do more than just prevent terrorist attacks. Many of the programs that we work so hard on for that task also prevent loss, stop industrial espionage and even reduce workplace violence. He suggests that if DHS were to emphasize these additional benefits, they would have an easier time getting enthusiastic compliance with security rules.

Liscouski provides a few examples of multiple-use security measures in his short article, but it shouldn’t take a security professional to point out even more real-world examples of how security measures designed for CFATS compliance can protect against more than just terrorists. Copper and steel thefts from industrial facilities are frequently in the news. A facility with adequate perimeter security will almost certainly be at reduced risk for these types of theft. Chemicals required for the manufacture of illegal drugs are unlikely to be stolen from a facility protected against terrorist attack.

Cyber security measures that protect control systems from outside terrorist attacks will also prevent a whole host of worms, Trojans and viruses from affecting the same computers. Management-of-change controls on the same systems will help to prevent inadvertent programming errors from shutting the facility down or ruining chemical processes.

Security managers need to keep these dual-use measures in mind as they conduct security vulnerability assessments and develop security plans. It will make it easier to justify the cost of security measures to upper management.

