"Which is more worthwhile: 0.5 million of security construction investment or 10 million of product R&D investment?" Some people think that product R&D is, of course, more worthwhile, since the core assets of an enterprise lie in product R&D. But who can ensure the value of this core asset? First, let's look at an actual case. Company A invested nearly 10 million yuan and spent two years creating a product. One month before the product went on the market, Company B launched the same product, with the same main parameters at half the price. As a result, rumors and suspicion spread throughout the company. Is Enterprise A's loss only tens of millions? What about market share? What about unity? The loss may be on both fronts, and immeasurable. In this case, is 0.5 million of security investment worthwhile?
Zhang Baichuan, webmaster of the Ranger Safety Net, agrees with the following sentence: security achieves value. It does not have to create value, but it can help you realize value. The example above is the best illustration.
When it comes to the value of security, we can go back to the origin of the IT department. In many companies, the IT department is generally regarded as a consumer that spends money on servers, PCs, and network devices. However, without the IT department's planning, much of today's information management work would have to return to its original state, such as paper-based office work. Once we are back in that state, work efficiency drops, the company's performance declines, and we make less money. Doesn't that mean IT is making money? "In the same way, I think security investment is a very necessary upfront investment," said Dr. Li Yang, an information security expert, affirming the value of security investment.
Security investment seems to be worth it, yet the money is spent and nothing visible comes of it. This does not sit well with business operators. Zhou Qingxiang, CIO of Zhengzhou Sanquan Food Co., Ltd., offered an interesting metaphor that voices what most companies feel: enterprise information security is similar to "traffic insurance". If nothing unexpected happens, I feel that buying the "insurance" was a waste of money. If something goes wrong, I make a huge profit. From this we can see that security products are in fact a guard against risk, and although the risks an enterprise faces fluctuate, they must be defended against.
Insurance, as the saying goes, is not about fearing the 10 thousand. Even if the odds are one in ten, one loss may be enough to destroy an enterprise. To keep a balanced view, first, pay attention to security risks. From the perspective of intranet security, the intranet faces many uncertain security risks across peripherals, networks, personnel, and online communication, and because all of these points accumulate, the overall information security risk may rise to a very high level. Managers should not think that security incidents are far away from them: this year alone there have been the Sony PSN network leak, the South Korean game network user leak, the Foxconn iPad 2 drawings leak, and other leaks, and there are more incidents that were not publicly disclosed for various reasons. Second, measure security risks correctly. The impact of a possible security event depends on the probability of the event and the loss it can cause once it occurs. Assume that the loss caused by an information leakage accident is 10 million, and that deploying the corresponding security product may require 50 thousand yuan. In this case, if the security product is deployed, the probability of this security event may fall from 30% to 1%. How would you choose? Huang Kai, product director of Yixin Technology, stressed: "For organizations with important confidential information in their hands, from the perspective of financial statements, security cannot bring you book profits, but it can protect your core competitiveness." Sany Heavy Industry is one of the enterprises that is clear about its security risks. Tan Junfeng, Information Manager of Sany Heavy Industry Research Institute, said that security investment is absolutely valuable to Sany Heavy Industry. "Security investment is definitely not money. Technology is invisible. How to embed it in the business to reflect value should be an issue that managers must consider."
In general, security is valuable and investment is necessary; how to make that value visible is the difficult problem. Dr. Huang Pei, an informatization expert in the manufacturing industry, believes that managers must first spend according to the different levels of security risk. Otherwise, they will just be "spending money." "Different enterprises face different security risks. For example, for enterprises with their own core technologies, the security risk is relatively high. For enterprises that simply process incoming materials, the security risk is relatively small. For the former, it is very cost-effective to invest a huge amount of money in security, because this investment ensures that the core technology is not leaked and the survival of the enterprise is guaranteed, which is to earn money; while for the latter, at its level of risk, you only need to do some basic management and protection work. If you invest heavily in security, there is no need to do it. It is money."
The argument about "spending money" or "making money" is nothing more than a discussion of the value of security. Looking across the experts' opinions, we can go back to the webmaster's sentence at the start: security does not necessarily create value for the enterprise, but it can help the enterprise realize value. The author believes that this sentence can serve as a reference for enterprises thinking about security, whether it is viewed through the IT status quo or through insurance. The phrase "security helps enterprises realize value" can be divided into two parts. On the one hand, security "guarantees" the value of the enterprise, which is the "insurance" mentioned above; on the other hand, security helps the enterprise "create" value. Security has penetrated every aspect of the enterprise's business processes. An insecure environment brings the enterprise many troubles: viruses and network disconnections reduce the enterprise's efficiency, and in a work environment of limited efficiency, the room for "creating" value shrinks. In a secure environment, enterprises can reduce these security risks and create value with more energy and time.
Because it can help enterprises realize value, security investment is necessary, and everyone understands this. The real question is how to spend the money with peace of mind. As mentioned above, enterprises must first pay attention to security risks. An incident is not some remote probability; it may happen at any time. Second, we need to measure the security risk correctly and look at the value being protected. Seen against that value, the security investment is very low. To truly determine whether intranet security is "spending money" or "earning money", you should decide how much to invest according to the importance of the data the enterprise needs to protect. If an enterprise's sensitive data has little impact on the enterprise, the security investment can be greatly reduced, and investing too much is a waste. If the sensitive data has a great impact on the enterprise, if it is worth more than ten million or the enterprise's entire net worth, then even a security investment of 100,000 is only a 1% investment, eliminating the one-in-a-thousand chance of that loss. Of course, spending the money is only the first step toward reflecting the value of security. How that value is realized remains for managers to consider further.
Some CIOs are very cautious about security investment and deploy encryption products only in the core design department. But can this really ensure intranet security? Please see the next installment.