
Toxic Environment Alert

Just as the human body dissociates when it is exposed to nuclear radiation, the environment of a business can create toxicity and eventually damage the business itself. But I am not going to talk today about the business environment in the sense of bullying employees and not allowing them to flourish and offer their best in the process.

I am talking about an intangible environment which affects the survival of your business. You see, we all live in environments, and each environment has benefits and limitations which affect the living organisms existing in it.

A very simple example is that the conditions of Earth allow humans to survive in contrast with the Sun. In some cases, the conditions within a specific environment can be altered by several factors and affect the survival of the living organisms of that environment.

But you might wonder where I am going with this.

Most of you believe that a system or a series of systems is enough to protect your business, but that is far from the truth.

If you want effective protection of your business the following elements are essential:

  • The system specifications: in other words, what the system was designed for. No matter how good a system is, if it was not designed for the purpose it is going to be used for, it is not going to provide effective security.
  • The system setup: even the best system loses some of its effectiveness if it is not configured properly.
  • The physical environment in which the system lives: if the system is secured and cannot be accessed online but we place it in the middle of a field, we make it vulnerable. Do not forget, criminals do not care how they achieve their goal and do not follow rules. They only care about the result.
  • The other systems living in the same environment: even though this is usually a high-level attack, even encrypted systems can be broken these days with enough knowledge and the right environment for such attacks to flourish. Do not forget that the architecture of our systems is outdated, sophisticated tools have leaked from the CIA and the NSA, and everything is connected to the internet.
  • The virtual environment of the system, also called the network: the connectivity of things, combined with a network architecture that is based on the characteristics of physical devices and for which compromise approaches have leaked, is just not …safe.
  • The relationships of the system with other systems: in security we evaluate the strength of protection by many factors. A major factor is the links between systems and data. In other words, if an encrypted system is connected to a printer, it is instantly compromised.
  • The behavior of the people using the system: let me see what the best way is to demonstrate this. Having an encrypted system and the password to access it on a post-it note does not make it secure. Keeping it in a password manager makes it a single point of failure.
  • The established rules of use for the users of the system, the other systems and the environment: you see, the post-it note with the system password is not only the fault of the user. It’s the fault of the maker of the policies and procedures, who did not establish the acceptable terms of use of that system.
  • The person/team who designed the system: malicious designers or mistakes in the code leave openings in the system’s security. Additionally, the effectiveness and care of the system owner/s play an essential role in the time required to discover and patch a vulnerability of the system.
  • The person/team who designed the physical and virtual environment of the system: just as with the system design, any mistakes or deliberate openings in the design of the physical and virtual environment increase the exposure of the system to unauthorized access, use and manipulation.

Want a little help?


It takes just one of those components malfunctioning to compromise the security of your system, and eventually your business protection itself, because in security everything is co-related and connected.

The question is: how do we know if one of those components malfunctions, and how do we know it at the right time?

If you are expecting to hear an alert sound in such an event, unfortunately this is not the case. There is no physical alert until it is already too late. You will never have 100% control over all of the aforementioned factors, but for most of them accountability lets you be aware when they are malfunctioning.

Accountability is a silent alarm, but the good news is that it can notify you in time about security malfunctions. Accountability is one of the most essential components of an effective security strategy as it provides real-time uninterrupted visibility.

How do we achieve it?

With control check points, which are basically pre-set-up metrics placed strategically in order to evaluate, in real time and with realistic scenarios, the effectiveness of your business protection. Your security is not going to be static. It must be dynamic and adapt to the factors that alter your business environment. Without these control check points it is impossible to create a sustainable model of protection which will remain effective and, at the same time, time and budget friendly.

Thus, accountability is the alarm for protection malfunction. Accountability is your business protection toxic environment alert.

Apply what you learn immediately.


So I am now turning it over to you.

  1. Do you have established metrics to evaluate the protection of your business?
  2. Which metrics do you consider essential for effective business protection?
  3. What are you going to do about it now?

Let’s discuss it below and do let me know if you are interested in an article/podcast about effective protection metrics setup and strategic control check points.

I cannot wait to hear your comments.


