By now, we’ve all seen it: Businesses and organizational leaders are scaling back their internal investments, and are more concerned with surviving the economic turmoil of our time than enhancing (or sometimes even continuing to support) the services and programs that we feel protect the company in the best possible way.
We might consider this a flaw of our businesses and management, but perhaps it’s a flaw of our own making. Consider this: How well do we truly know the risk tolerance of our business? If we know it at all, have we been measuring all our security proposals, purchases and processes against it?

Is Security Oversold?

Security industry growth has been booming for much of the past decade. We’ve witnessed an explosion of security options, vendors, products and techniques, along with no shortage of consultants and organizations offering expertise and opinion, and a plethora of government funding initiatives. But have we really achieved any more security in our places of business and personal dealings? Do we really accomplish more by throwing more resources at a perceived risk or suspected problem?
Has security been oversold? Are we confusing technology with security? Has the fundamental purpose of security been obscured by the desire for perfect security?
The U.S. economic climate may serve as a catalyst for change in our industry. To best accomplish our mission and, more important, to earn general respect within centers of influence, we must stop striving for perfect security and aspire to provide J.A.R. Security: Just About Right.
J.A.R. security does not rely upon fancy titles, obscure initiatives or increased complexity. J.A.R. security is based upon the recognition of the following:
  • Security does not have to be perfect, just suitable to the risk tolerance of the business.
  • Security does not have to achieve the unachievable.
  • Security does not have to rely upon the grandness of the effort.
  • Basic application of trusted and time-tested techniques will mitigate most risk scenarios.
  • Users and stakeholders are comfortable with security solutions, not amazed.
When we evaluate an existing application or assess a future risk, we must recognize that arriving at the “just about right” point will undoubtedly satisfy most of the needs of the business without the encumbrances of mysterious, overly complicated, and expensive solutions. Coming to the “just about right” solution keeps security in perspective and in balance with the overall goal, mission, and economic survival of an organization.
In short, J.A.R. security allows for effective and profitable use of the business’s property, systems, facilities and processes, and in a tough economy, “just about right” is much more appealing to corporate management than flashy and complex.

Making the Case for Better Security

Yet J.A.R. security does more than keep security cost-effective; it often makes for better security. A basic challenge for security practitioners is the changing nature of the threat environment. For years, the security industry has promoted the idea that security threats are dynamic, yet recommended solutions are typically static. Security video, access control and intrusion detection technologies, for instance, are all static solutions engineered for specific applications based upon the present situation. A high level of sophisticated technology often creates an expensive illusion of security at the moment, rather than a solution that addresses an ever-changing, multi-risk environment and remains useful for years to come.
J.A.R. security encourages us to consider the big picture rather than individual, static, expensive solutions that may not easily adapt to dynamic risks. When a doctor treats a patient holistically, the health of the patient overall is improved without the intervention and cost of individually complicated treatments. The security industry needs to similarly view a protected organization in a holistic fashion. By treating security risks “just about right” overall, we address the needs of the whole business instead of a collection of individualized segments. Arguing for complex security technology solutions to mitigate risks, coupled with unreasonable proclamations of doom, may make for interesting theater, but it has limited value in business operations.
When security is perceived as merely an expense, security solutions need to be “just about right” in terms of financial investment, perceived effectiveness, and future viability. To remain credible and professionally relevant, security professionals need demonstrable results that are “just about right.”