Full Disclosure mailing list archives

Re: Could InfoSec be Worse than Death?


From: "Brian Eaton" <eaton.lists () gmail com>
Date: Mon, 25 Sep 2006 15:43:57 -0400

On 9/25/06, Paul Schmehl <pauls () utdallas edu> wrote:
> I understand that, but I think your trust model is merely a euphemism for
> loss avoidance.  And I don't see how you can avoid being seen as loss
> avoidance - unless you can show the ability to generate revenue.

(My full disclosure for the day: I didn't read the whole whitepaper,
or even most of it.)

I'd actually break down the business case for security technology a
little bit further.  As I see it, there are three different business
cases:

- risk-based loss avoidance: if we don't buy it, we might get hacked,
or a hack might do more damage.  (This seems to be the business
rationale for IPS/IDS.)

- certainty-based loss avoidance: our existing solution is wasteful
and forces us to spend X dollars per year.  If we spend the cash now
to put together a better solution, we'll save money in the long run.
(This is a common business rationale for identity management
solutions.)

- business enablers: if we invest in this new solution, we can do
something we couldn't do before that will make us money.  A VPN that
lets employees work directly from a customer site can make people more
productive.  DRM can let us sell digital music without worrying about
piracy.  SSL can let us process credit card purchases made via a
browser.  Pay-per-sale ads will encourage people to advertise on the
web without worrying about click-fraud.

Some of those business-enablers have more than a passing resemblance
to risk-based loss avoidance (e.g. you use SSL because you are scared
someone might be listening if you use clear-text).  The main
difference I see is that with a business-enabling technology the
revenue generation is tangible.

Regards,
Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

