Problem solve Get help with specific problems with your technologies, process and projects.

Business decision making: Trade-offs between security solutions and performance

In a previous response, security expert John Overbaugh addressed the trade-offs between security and performance. Many companies face these trade-offs and struggle with the business decision. In this expert response, he addresses strategies business leaders can use to make the right decisions.

How should executives weigh the trade-offs between security and performance?

Business ultimately operates in terms of return on investment. The easiest decisions to make are decisions which are readily quantified in dollar values -- investment, risk and return are the key input factors to making these decisions. Security is no different in this aspect, except that the concept of risk and return are more difficult to enumerate. Often the decision regarding a security solution is more dependent on application performance rather than on cost.

A key factor in making trade-offs between security and performance is knowing whether the proposed countermeasure will actually make a difference. For instance, implementing SSL is a known performance hit in Web transactions. SSL has been proven, however, to secure Web transactions. It’s a known investment with a sure payoff. Some security technologies are still in their infancy and have yet to prove their value -- they may not be worth a significant performance degradation.

There is also value in approaching the decision based not on the solution being implemented, but rather on the problem being addressed. If SQL injection attacks are the problem being addressed, executives can review the numerous options (intrusion detection solutions, network packet inspection, URL scanning technologies at the server layer, application functionality for whitelisting or blacklisting, or improved code security). Each option can be considered based on performance impact and risk mitigation.

A further approach to weighing security vs. performance is to consider the skill set on the team. When done correctly, for example, good code security is always the best approach. But if the team is under-trained and unfamiliar with secure coding principles, it’s more likely that the solution will have a greater than average performance impact -- not to mention that the code will be less secure than would normally be expected. In this case, it might make sense to take a higher up-front performance impact, and spend time training the team for future secure coding efforts.

By weighing the risk, the performance cost of implementation and the likelihood of success, executive management can make an educated, business-driven decision on the trade-offs of security.

Dig Deeper on Topics Archive

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.