No CSO has “veto power” explicitly stated in his job description. But security is one of the few things other than money that can bring a project to a screeching halt.Are there circumstances where a security veto should be wielded? And what are the hidden costs of a security veto?Clearly there are circumstances where security overrides business utility: “No, you can’t load 200,000 of our customers’ credit cards onto your son’s iPod for testing purposes!” Such situations are usually just a matter of policy and compliance. A real veto is where there is a strong business case for the use of a technology, strategy or application and it is overridden because of an overwhelming risk. And very rarely is there no technology, process or control to mitigate the risk.Perhaps then, the use of a security veto is an indication of either an insufficient “return on risk” or an insufficient security investment. In the former situation, we are making a wise business decision. In the latter, we are merely hiding a bad decision behind the unassailable excuse of security. To determine which it is, we have to assess not only the risk and the cost to secure it, but also the opportunity cost—the potential upside of taking the risk. This evaluation becomes very relevant when we are looking at new, innovative and untested technologies or applications. With new technologies it is hard to evaluate potential risks, and there may not be any well-established controls or countermeasures. It is even harder to foresee the potential upside of new technologies. Technology will be applied in unanticipated ways, yielding unanticipated benefits. It is precisely these risks that have the potential for the biggest competitive advantage and return. And it seems it is precisely these risks that are subject to veto.I had the opportunity to benchmark this observation during my recent security research. Fully two-thirds of the responding companies had decided against using a technology or service because of security concerns. Many were forgoing investments in collaborative tools (instant messaging, wikis and so forth). Our research shows these tools can have a direct impact on top-line performance, when used by sales, for example. Insufficient investment in security can therefore lead to competitive disadvantage. When we wield the security veto, we must consider the cost of a missed opportunity. With sensible, controlled risk comes reward. —Andreas M. Antonopoulos, Network World (US) Related content news SpecterOps to use in-house approximation to test for global attack variations The new offering uses atomic tests and in-house approximation in purple team assessment to test all known techniques of an attack. By Shweta Sharma Sep 28, 2023 3 mins Penetration Testing Network Security Security news New Trojan ZenRAT masquerades as Bitwarden password manager A report by Proofpoint identifies the new Trojan as undocumented and possessing information-stealing capabilities. By Lucian Constantin Sep 28, 2023 4 mins Cyberattacks Hacking Data and Information Security news UK Cyber Security Council CEO reflects on a year of progress Professor Simon Hepburn sits down with broadcaster ITN to discuss Council’s work around cybersecurity professional standards, careers and learning, and outreach and diversity. By Michael Hill Sep 27, 2023 3 mins Government Data and Information Security Security Practices news FIDO Alliance certifies security of edge nodes, IoT devices Certification demonstrates that products are at low risk of cyberthreats and will interoperate securely. By Michael Hill Sep 27, 2023 3 mins Certifications Internet Security Security Hardware Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe