First, we need to admit that all security involves overhead expense. If you are running security software features in the operating system, they take some computing resources to perform access validation routines. When you run additional security validation, such as exit point processing, it adds more processing overhead. For example, requiring users to regularly change their passwords translates to time spent changing their logins to different values. When someone has a security-related problem during the business day, this is additional overhead, not only for the end user, but also for your support staff. No matter how you look at it, good security costs money.
But is there a point where you have too much security and the benefits are outweighed by the cost of the security protection deployed? I think the answer is a clear yes in certain circumstances.
Overly-complicated technology inflates security costs
Last year, I did a consulting gig for a large company in North America. This company had a very aggressive security implementation for outside vendors, and they apparently used a lot of outside vendors who needed access to their network.
In this case, the costs associated with the security implementation became excessive. I was on the clock for this entire experience and the customer paid dearly for this wasted time. In this case, I'd conclude that either there was too much security or the security deployed was insufficiently funded. The whole point was to provide a secure sign on to their System i from a remote location, but there were too many layers to go through.
Security considerations checklist
If normal business transactions are regularly stopped due to security checking, you might consider whether or not you've reached the point of diminishing returns. If people in your organization can't get their day-to-day work done due to security hurdles, there may be too much security and a review of your setup is in order.
Are your support costs on budget or running way over? If you're spending significantly more money on support that can be traced to security issues, that's another red flag that something is wrong in your security environment.
Some security officers out there are going to cringe at this, but security is always a compromise between operating efficiency and data integrity. You need to have a good balance tempered by an honest assessment of what you're protecting.
If you have any questions about this topic, email me at firstname.lastname@example.org. All email messages will be answered as quickly as possible.
ABOUT THE AUTHOR: Rich Loeber is the president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company provides various security products to the iSeries market.