No one wants to short-change their security plans. Still, like any business program, there is a balancing act to find the best fit for your risk appetite, user adoption and budget.
Working with some of our 30,000 global customers, I’ve sketched out a “Security Triangle” as the basis for data security initiatives. It should be somewhat familiar to anyone who has worked under the scope, time and cost constraints of the “Project Management Triangle.” Each of the three factors represents a constraint and they’re all reliant on each other. The measurements and metrics around security can be vague compared with other IT plans like supply chain management. In financial services and banking, for example, data-centric protection often leads the discussion. Industries like retail increasingly have users working remotely on tablets and can’t have security measures that block access to sales figures or presentations. Government departments are tied to budget cycles and standards.
Regardless of industry, this “triangle” has proven to be a solid foundation for finding a balance with your data security plan. The constraints in the Security Triangle can be listed as “Protection,” “Usability” and “Cost.” Here are a few considerations and questions when filling out your own Security Triangle:
Protection: Increased data and systems protection can result in changes to usability and increases in cost. If an organization wants to write its own security system to protect all its sensitive data and make it as secure as possible without sacrificing usability, then it is going to pay a fair amount of money to develop this security. How is data secured as it moves across and outside of your organization? Does security planning start with a fear of the auditor? Are you factoring in uses of public cloud and mobile device management?
Usability: A program centered on end-user adoption and ease could mean increased costs and reduced security. Take a hint from the data initiatives that are effective in other areas of your organization. Find out how employees use data in and out of the four walls of the office. Make sure to get input from the C-suite. Is there a security option that can be embedded or streamlined into your processes? Are employees able to side-step security safeguards?
Cost: A tight budget could cut usability and aspects of your security program. Of course, like with most IT initiatives, there are plenty of outlets vying for your dollars. The key here is to start with your business need and a few “known-knowns” like your existing security budget. Getting a realistic view of your budget may even provide an opportunity to refine the scope of your security planning. On top of that, find out what resources are already in place. Are upgrades less expensive than additions or replacements?
In the best of all possible worlds, everyone would find an easy, repeatable path to that Goldilocks “just right” spot for their security programs. We live in the real world though, and have to balance countless aspects around risk, cost and functionality. I’m interested to hear how you’re finding that balance – or not.