I was listening to one of the TED conference talks and one of the speakers said something that was very interesting and yet obvious at the same time.

He said that, within the US, thousands of automobiles are stolen every year, but none of them are post office trucks. Why is that? Because there is no market for them. Also, in S. Africa, no white Volvos are stolen. Same reason.

This reminds us about the obvious, that when addressing risk you can either mitigate the risk or eliminate the data that the market demands. Why spend money on protecting a system if you can eliminate the need to protect it in the first place?

When looking at how best to protect information systems, security professionals will turn to the technology as a solution, in the same way some people look at “encryption” as the savior of data security. The mindset should instead be to examine the black and grey markets for what information is in high demand and eliminate it first, before pouring tons of money into protecting it.