Compliance is SO a Cost Center
February 5, 2009 - Volume 4, #13
Good Morning:
Another quick intro because I found such a "compelling" post on McAfee's blog that I just had to vent a bit. Enjoy. Have a great day.
Compliance is SO a cost center
Holy crap, I thought the idea of positioning security and/or compliance as a "profit" center died along with the dreams of millions of Internet entrepreneurs during the .com implosion a few years ago. Evidently I was wrong. Check this out on McAfee's blog:
No. Absolutely and unequivocally not. I am drawing the line in the sand. Business leaders need to understand there is no more need for proper security to justify itself over and over again. It saves you time and money (period).
OMG. I figured a big company like McAfee would have a drug testing policy, but evidently not. I want some of what this guy is on. But it gets better. Here are the arguments the author (Lawrence Pingree) uses to justify his position.
Normally I would excerpt an entire post, but this is too good to let it go. Check this out.
Business process improvements
* Security streamlines and clearly defines roles and responsibilities making information flow more quickly through an organization
* Security separates duties so decisions that occur are more accurate and accountable
* Security provides checks and balances that reduce internal risks, thus saving costs
* Security reduces business impacts of change
* Security background checks eliminate the need to wade through candidates that cannot be trusted for sensitive positions saving on hiring costs.
* … and much more
Technical Improvements
* Firewalls clearly reduce unneeded load on the network, saving bandwidth costs
* Anti-Virus software has clear cut costs (that happen to be measurable) in saving response times from IT helpdesk personnel
* Anti-Malware saves individuals and companies by reducing the threat of identity theft and having to disclose a breach
* Data Loss Prevention software clearly enhances control of data for eDiscovery legal processes, managing information and backup/recovery of that data into single repositories not to mention enforcement of where that data goes (saving intellectual property)
* Encryption clearly reduces costs by enabling collaboration with third parties (in fact it enables all businesses on the internet to do payment processing) something we sometimes forget.
* Virtual Private Networks (VPN) enable remote access which means workers can work after hours or remotely while traveling (FOR FREE!)
* Banks offer employees online access directly from work (the old days you had to leave work to go to the bank)
* Risk & compliance means that systems are patched and maintained all in a similar fashion with similar configurations which leads to huge troubleshooting time saved since systems are less customized individually.
* Customers are now able to interact with companies quicker and more efficiently than ever when these security controls have been put in place.
* …and much more
Threat Reduction
* Lower reporting costs for disclosure laws
* No bad PR to respond to
* Lower liability to your customers
* Fewer outbreaks of worms/viruses (less system damage to repair/replace)
* … and much more!
It's hard to know even where to start. My first comment would be that a "Compliance Driven Company" is the next Heartland or TJX. Listen, I've been trying to position security as a benefit and "revenue center" for the better part of my career. I'VE FAILED MISERABLY. And the rest of our industry has as well. Because of a very simple truth, which hurts my ego, but is absolutely true in the real world:
CEOs don't care about security or compliance.
Period. They only care to the degree that they 1) end up in an orange jumpsuit, or 2) end up on the front page of the Wall Street Journal. Other than that, they don't care.
And even better, they don't want to spend money on avoiding either of those cases because it's not going to happen to them. Seriously. They see the headlines, they ask some questions about whether they are "secure," the CSO lies to them, and they go back to their mahogany conference room and check on the sales numbers.
None of the points in the post is really false, but they are irrelevant. Most of that stuff is simple business common sense, but it is still like pulling teeth, especially in a down economy. For instance, "Security separates duties so decisions that occur are more accurate and accountable." That's actually false, because security doesn't separate duties. A business process (which is usually driven by Sarbanes-Oxley) may be defined to require separation of duties, but that requires more people. That costs more money, no? And there is no guarantee that the decisions will be either more accurate or more accountable. It just means you have more cooks in the kitchen.
How about this one: "Anti-Malware saves individuals and companies by reducing the threat of identity theft and having to disclose a breach." Spoken like someone who works for an anti-malware company and hasn't really read the paper lately. Or, even worse, actually believes the crap in the marketing slicks. The best way to reduce the threat of identity theft is to fire all your employees or take away their computers. And even if this were true, how does reducing identity theft make security less of a cost center?
Like I said, Little Red needs to check what's in this guy's water bottle. It ain't water.
I could literally dismantle almost every statement in the post, but you get the picture. Folks like me have been trying to position security as revenue positive for a long time and it's not going to happen. So we sell using fear, uncertainty and doubt and we try to convince the buyers (whether you work internally or for a vendor, it's all the same) that it's cheaper in the long run to do the right thing. But you never go in trying to position squishy security benefits. CEOs and CIOs will slice you into little pieces and feed you to the fish.
OK, off soapbox. And part of me appreciates Lawrence's idealism. But I've just seen too much through the years to believe this will really change. So, click the link, get your chuckle for the day and get back to work fighting the good fight to convince your senior executives to do the right thing and accept the reality that we ARE a cost center.


I've always favored the analogy of insurance when explaining the business purpose of IT security. Both cost money and are unlikely to turn a profit, but both are needed to manage risk.
The process of getting insurance is, much like security and compliance, a process that uncovers the real risk underlying operations. Many organizations are compelled through industry and governmental regulation to have both insurance and security in order to operate. Given the costs associated with the realization of many risks managed using insurance or security, it is fiscally irresponsible to operate without either.
And the biggest difference between insurance and security? Most insurable risks are less likely to occur than IT security risks.