Imagine a world free of criminals, where every single soul would obey the "law" and never resort to manipulating or breaking it. If there were no criminals, there would be no crime, and hence the world would never think of needing security. Unfortunately, that is not the case in the real world as we know it. We all need security, from having a password on our cell phones to building the most sophisticated defense system through the Air Force, the Navy or the Marines to protect the nation from internal and foreign threats.

The same is true of our cyber society, but those who wish security were less of an overhead outnumber those who genuinely feel it is beneficial to build a robust, secure architecture. The cyber society is again divided into, let's say, different castes or religions, which can be termed the Administrators, Programmers, Consultants, Hackers, Spammers and the End Users.

The "Admins" feel that implementing security and compliance makes them do not-so-important, unnecessary work that has no impact on the organization's performance and only adds the burden and overhead of needless steps to accomplish a task. The recently published report, Second Annual Cost of Cyber Crime Study, by the Ponemon Institute, a U.S.-based information security policy research center, states that "over the past year, the median cost of cyber-crime increased by 56 percent and now costs companies an average of $6 million per year." Clearly, there is a need for administrators to ensure they beef up their security.

The "Programmers" don't care about security. They focus only on functionality and meeting their development deadlines. They want the business to start ASAP, and only once it is started do they worry about security, not knowing the universal truth that security must be built into the code throughout the Software Development Life Cycle. Below is an excerpt from the 2011 Global Security Statistics and Trends by Charles Henderson from Trustwave that gives an idea of why and how important it is to encourage programmers to learn and maintain secure coding practices.

This habit gives an advantage to "Consultants" like us, who make their bread and butter consulting, auditing, reporting and sometimes helping corporates fill security holes or giving new ideas on how to transform technology in an organization into a business enabler. In the world of Information Technology (IT), one thing that must be common to all is knowledge and technical know-how of how the system works, just to be qualified to steer corporates in the right direction. While most consultants have a bachelor's degree in IT or computer science and relevant experience, few hold industry-standard certifications such as CISA or CISSP. According to the Bureau of Labor Statistics (BLS), in addition to computer-networking and IT skills, security consultants also need qualities like ingenuity, initiative, stress tolerance, attention to detail, persistence, self-control, adaptability, leadership skills and the ability to work independently.

The source of all problems, and the only reason security exists, is the bad guys called "Hackers", who want either to bring harm to systems and networks or to make a profit by exploiting vulnerabilities that the system creators are unaware of. Stuxnet is an example of the first weapon made entirely out of code that has the ability to crash power grids, destroy oil pipelines or change pressure inside nuclear reactors. The biggest threat to a nation's economy comes from Advanced Persistent Threats (APT), which are highly sophisticated and often government sponsored or funded by large organizations. Cisco's 2011 Global Threat Report revealed that the overall cost of targeted attacks to organizations worldwide is $1.29 billion annually, and many of these breaches resulted from advanced persistent threats.

The most irritating of the lot are "Spammers". You may almost be convinced that you have won a billion dollars just because some rich, dying old man liked your face and thought of writing his entire estate in your name, but in the end you lose your own money. They try to sell you all kinds of things through spamming because it is an economically viable option: advertisers have no operating costs beyond the management of their mailing lists, and it is difficult to hold senders accountable for their mass mailings. Last year, the estimated figure for spam messages was around seven trillion, and almost 60% of Internet traffic was reported to be spam. From the 2011 Cisco Security Annual Report, and according to Cisco Security Intelligence Operations (SIO), spam volume dropped from more than 379 billion messages daily to about 124 billion messages daily between August 2010 and November 2011, mainly due to spammers' preference for targeted campaigns. Cisco SIO estimates that the cybercriminal benefit resulting from traditional mass email-based attacks declined more than 50 percent (on an annualized basis) from June 2010 to June 2011, from US$1.1 billion to US$500 million.

The report also highlights spam volume by country, as shown in the figure below.

It is interesting to note, however, that the report did not mention which country ranked in 6th position. Comment if you know the answer and I will tell you who gets the prize.

It seems that "Security" is now the fourth item after food, clothing and shelter in the list of basic necessities, without which the innocent "End User" could be left vulnerable to Hackers or Spammers because the Admins were too lazy to do their job, the Programmers forgot to encrypt the passwords in the database, or the Consultant was not able to detect a fake social engineering website set up to capture the user's banking credentials. When it comes to security, a proactive approach is preferred over a reactive one. Having said that, installing anti-virus software, firewalls and intrusion detection/prevention systems is not all it takes to secure IT assets; it takes a lot more than that.