
Security: cost center

Mike Rothman made me LOL very very hard today with this post about McAfee’s attempt to say that compliance is not a cost center. Mike is completely right in saying that many have tried to do that and it didn’t work, mostly because yes, it is essentially cost. Most of the demonstrations of security as a revenue center are artificially created by taking the benefits from other stuff and presenting them as security benefits because security allows them to materialize. It happens all the time with VPNs. It’s not the VPN that saves money on network connections, it is the Internet! VPNs just make the risk of using the Internet for sensitive communication acceptable.

What impressed me most in McAfee’s post was this particular point:

“Security streamlines and clearly defines roles and responsibilities making information flow more quickly through an organization”

Wow, that was brutal! Security directly and negatively impacts productivity; that’s a fact that we can’t run away from. That’s what makes this job so interesting: trying to make that impact as small as possible. We can’t, however, deny that it is there. As Mike cleverly said, wrong way. That’s that famous ROSI (ugh!) discussion.

1 Comment

  1. Lawrence Pingree says:

    Actually no, security many times over does improve the lines of communication and forces companies to completely define job roles and processes. For small businesses it may be an impediment since you have a limited number of people involved in business process, but at larger scales many times over poorly designed business processes are discovered during audits and then clearly articulated after discovery. Are you only thinking in terms of requirements and packet blocking? There are those that believe in security as an enabler for business and there are those that believe it's an impediment. I believe it is an enabler. If proper security and requirements are performed up front, for instance in the Software Development LifeCycle, a significant savings is seen rather than fix artifacts at a later date in production; this is a huge savings. If you're a software development shop, it's even more savings that gets passed on to your customers. With better security comes business enablement, and if you don’t see that maybe you should spend some time trying to change how you think of security. If you're telling others that security is an impediment, you're just making the sale that much more difficult to upper management. It's a bias, not a truth, and it's not black and white like a firewall rule :) I love this debate.

    February 6, 2009 @ 5:54 pm
