Can we win?
April 21, 2009
eIQ is at the RSA conference this week (Booth #2058) and in watching the first two keynote speeches, where RSA’s Art Coviello and Symantec’s Enrique Salem alluded to “winning” over the fraudsters, I wanted to comment a bit on that entire concept. These CEOs are positing that by collaborating as an industry and embedding security into the infrastructure, we can “win” against the bad guys/gals.
Is that the right goal? Let’s look a bit at history. Have we “won” against traditional crime? No. Have we beaten terrorists? No.
So what makes us think we can beat cyber-crime? Though I’m sure trying will result in a good amount of product sales and even more services. I guess I run the risk of sounding like a broken record, but it’s not about winning. We can’t invest enough and there really isn’t an economic driver to win. We are just trying to NOT be the slowest gazelle in the herd. As long as there is someone slower (meaning an organization more at risk than you), investing incrementally more money to eliminate the last vestiges of risk isn’t worth it.
The banks assign a certain amount of money to cover “shrinkage.” So do the retailers. It’s not worth the investment for them to totally eliminate fraud. They are trying to keep it at a manageable level. We (for the most part) adopt the same approach, though I’m not sure it’s intentional.
We need to stay focused on the objective of our security efforts. To keep cyber losses to a manageable level, within a reasonable amount of investment. Once we let go of the need to win, we can get back to doing our job. Which is to protect the information of our organizations and make sure business systems remain available.
April 21, 2009 at 2:57 PM
I think you’re absolutely correct to look at traditional crime. The very nature of security/insecurity is such that there is absolutely zero solution. You don’t solve human nature or human states unless you control every aspect of their lives and actions. It simply won’t be done.
There is no winning the war on drugs, or winning the war on terrorism, or winning the war on theft or fraud. Maybe that should say there is no “practical” way to fully win.
That’s not to say there is no value in raising the bar, but actually pursuing “winning” is a bad way to set some subtle undercurrents that can’t be met.