by Ron Woerner

“Seven out of ten companies overspend on IT expenses without improving security or becoming compliant.” (Computerworld)

What causes this phenomenon? One would think that overspending on security would be a good thing.  It’s not.  Overspending in some areas causes underspending in others that may have greater value to the business.  This practice often detracts from focusing on those risks that are really the greatest for an organization.

One of the causes is the introduction and promotion of “pet risks” by decision makers. A pet risk is a threat, vulnerability, or solution that solves an apparent problem in the minds of IT or Security managers. It’s their favorite risk, the one at the center of their attention, and therefore the one allocated an overabundance of resources. It’s like a person who’s so fearful of having their car stolen that they spend hundreds of dollars on an anti-theft system even though they’re driving a ’96 Ford Contour. The cost of mitigation is out of balance with either the asset value or the real risk.

It’s a common occurrence in many large organizations, where decision makers decide that they need a specific solution to prevent an apparent risk.  IT and Security leaders in the organization spend many dollars and staff hours to address their pet risks.  However, the Return on Security Investment (ROSI) isn’t readily apparent and often, the expense isn’t worth the apparent risk.

The decision maker has the position and influence to make it happen. He or she is able to get the funding and personnel to address their pet risks. Pet risks are a danger for many organizations because they cause an imbalance in the risk equation and often cause undue spending on risk mitigation. Whether those risks are critical for the organization is debatable.

An example is data leakage protection (DLP). The risk is that employees could place company information on a USB drive or CD and it could be stolen or lost. Management may be convinced that they need to stop this at all costs, so they look for a DLP solution to prevent employees from using USB drives or CD burners. In this case, the pet risk is data leakage. While it may be an issue, data leakage may not be the organization’s biggest problem. It may simply be a pet risk of a decision maker and therefore one that’s addressed ahead of others.

How do you solve the problems caused by pet risks? The solution isn’t a product or service that you can buy.  What you need is an honest assessment of risk.  Addressing and quantifying risks allows for their ranking and prioritization based on the needs of the business.  Collaborating on the risk analysis also reduces the possibility of pet risks eating critical resources without increasing security or providing compliance.

Three ways to prevent pet risks from causing you to bark up the wrong “security tree” are:

1. Conduct a risk assessment;
2. Collaborate on the results with all stakeholders;
3. Be open and honest about the best ways to protect the business.

In the DLP case above, decision makers should look at all of their risks and determine where data leakage actually occurs. They should assess the potential impact and probability of data leakage. Is it an irritant, or could it be a major issue? How likely is it that critical data can and will leak out of the organization? They need to collaborate with others on their risk assessment to see how it affects the business.

Pet risks are an irritant caused by closed-mindedness.  Open your mind to address all possible risks to your organization.  Talk to others to get their honest opinion.  Get outside help when needed.  Don’t be the owner of a pet risk.

By working together, we all become stronger.
