For the past several years, I’ve talked about how “fear or compliance” are often the best ways to help justify the need for security. It’s not that I’m trying to convince my readers that security investment is needed in their organization by scaring them or threatening them… They know it is needed. The problem is that they have a hard time articulating the need to executives who have limited time to listen, a whole different mentality around risk, and a need to watch the bottom line in the short term. Sometimes pointing out the worst-case impacts (e.g. fear) or pointing to regulations (e.g. threats of penalties from non-compliance) is needed, but sometimes it isn’t effective or appropriate. I recently had a conversation with an executive that gave me this idea: to focus on what I call Due Diligence Risk.
Due Diligence Risk
This is a type of risk that IT security professionals understand pretty well, but don’t always use to their best advantage. The executive I was speaking with understood the need to train his employees on security concepts. His concern was intellectual property. But although there was a real risk to the organization of having its intellectual property stolen by attackers or insiders, he also pointed to advice from his lawyers.
They said, essentially, “You can train your staff on security basics, but if you don’t do something to foster a culture of security, and show you really value the intellectual property, you may not have a defense if an employee takes it and uses it elsewhere.”
This means that an executive who is on the fence as to whether or not a security awareness program is worth doing may be swayed by the risk of losing in court if they try to use the employee confidentiality agreement as a basis for their claim of loss. I call this a Due Diligence approach because that’s what the lawyers use as the criteria for testing whether the asset was really valued by the organization. “Did the executives care enough about it to protect this asset in any significant way, other than putting it in an employee agreement or one-time training slide deck?”
I think this can also work in other situations, where courts need to see that the company has done its due diligence in protecting any key asset properly as a basis for their claim that they suffered injury from loss of that asset. Having an ongoing security awareness program that reinforces the value and protection of key assets can also help protect those assets, from the courts’ point of view.
They want to see behavior in protecting assets that’s consistent with their claim that the asset was valuable before the incident occurred.
What do you think?