Compliance is SO a Cost Center

Submitted by Mike Rothman on Thu, 2009-02-05 10:52.
Today's Daily Incite

February 5, 2009 - Volume 4, #13

Good Morning:
Another quick intro because I found such a "compelling" post on McAfee's blog that I just had to vent a bit. Enjoy.

Have a great day.



Compliance is SO a cost center

Holy crap, I thought the idea of positioning security and/or compliance as a "profit" center died along with the dreams of millions of Internet entrepreneurs during the .com implosion a few years ago. Evidently I was wrong. Check this out on McAfee's blog:

Is information security compliance a cost center?

No. Absolutely and unequivocally not. I am drawing the line in the sand. Business leaders need to understand there is no more need for proper security to justify itself over and over again. It saves you time and money (period).


OMG. I figured a big company like McAfee would have a drug testing policy, but evidently not. I want some of what this guy is on. But it gets better. Here are the arguments the author (Lawrence Pingree) uses to justify his position.

Normally I wouldn't excerpt an entire post, but this one is too good to let go. Check this out.

A compliance driven company GAINS these:

Business process improvements

    * Security streamlines and clearly defines roles and responsibilities making information flow more quickly through an organization
    * Security separates duties so decisions that occur are more accurate and accountable
    * Security provides checks and balances that reduce internal risks, thus saving costs
    * Security reduces business impacts of change
    * Security background checks eliminate the need to wade through candidates that cannot be trusted for sensitive positions saving on hiring costs.
    * … and much more

Technical Improvements

    * Firewalls clearly reduce unneeded load on the network, saving bandwidth costs
    * Anti-Virus software has clear-cut costs (that happen to be measurable) in saving response times from IT helpdesk personnel
    * Anti-Malware saves individuals and companies by reducing the threat of identity theft and having to disclose a breach
    * Data Loss Prevention software clearly enhances control of data for eDiscovery legal processes, managing information and backup/recovery of that data into single repositories not to mention enforcement of where that data goes (saving intellectual property)
    * Encryption clearly reduces costs by enabling collaboration with third parties (in fact it enables all businesses on the internet to do payment processing), something we sometimes forget.
    * Virtual Private Networks (VPN) enable remote access which means workers can work after hours or remotely while traveling (FOR FREE!)
    * Banks offer employees online access directly from work (the old days you had to leave work to go to the bank)
    * Risk & compliance means that systems are patched and maintained all in a similar fashion with similar configurations which leads to huge troubleshooting time saved since systems are less customized individually.
    * Customers are now able to interact with companies quicker and more efficiently than ever when these security controls have been put in place.
    * …and much more

Threat Reduction

    * Lower reporting costs for disclosure laws
    * No bad PR to respond to
    * Lower liability to your customers
    * Fewer outbreaks of worms/viruses (less system damage to repair/replace)
    * … and much more!

Get me some of that crazy... It's hard to know where to even start. My first comment would be that a "Compliance Driven Company" is the next Heartland or TJX. Listen, I've been trying to position security as a benefit and "revenue center" for the better part of my career. I'VE FAILED MISERABLY. And the rest of our industry has as well. Because of a very simple truth, which hurts my ego, but is absolutely true in the real world:

CEOs don't care about security or compliance.

Period. They only care to the degree that they might 1) end up in an orange jumpsuit, or 2) end up on the front page of the Wall Street Journal. Other than that, they don't care.

And even better, they don't want to spend money on avoiding either of those cases because it's not going to happen to them. Seriously. They see the headlines, they ask some questions about whether they are "secure," the CSO lies to them, and they go back to their mahogany conference room and check on the sales numbers.

None of the points in the post are really false, but they are irrelevant. Most of that stuff is simple business common sense, yet getting it done is still like pulling teeth, especially in a down economy. For instance, "Security separates duties so decisions that occur are more accurate and accountable." That's actually false, because security doesn't separate duties. A business process (usually driven by Sarbanes-Oxley) may be defined to require separation of duties, but that requires more people. That costs more money, no? And there is no guarantee that the decisions will be either more accurate or more accountable. It just means you have more cooks in the kitchen.

How about this one: "Anti-Malware saves individuals and companies by reducing the threat of identity theft and having to disclose a breach." Spoken like someone who works for an anti-malware company and hasn't read the paper lately. Or worse, actually believes the crap in the marketing slicks. The best way to reduce the threat of identity theft is to fire all your employees or take away their computers. And even if this were true, how does reducing identity theft make security less of a cost center?

Like I said, Little Red needs to check what's in this guy's water bottle. It ain't water. 

I could literally dismantle almost every statement in the post, but you get the picture. Folks like me have been trying to position security as revenue positive for a long time, and it's not going to happen. So we sell using fear, uncertainty and doubt, and we try to convince the buyers (whether you work internally or for a vendor, it's all the same) that it's cheaper in the long run to do the right thing. But you never go in trying to position squishy security benefits. CEOs and CIOs will slice you into little pieces and feed you to the fish.

OK, off the soapbox. And part of me appreciates Lawrence's idealism. But I've just seen too much through the years to believe this will really change. So click the link, get your chuckle for the day, and get back to work fighting the good fight to convince your senior executives to do the right thing, and accept the reality that we ARE a cost center.

Photo credit: “crazy bus” originally uploaded by bunchofpants

Submitted by Lawrence Pingree (not verified) on Thu, 2009-02-05 15:34.
Nope, don't do drugs, actually I don't even drink. :) But I wanted everyone to debate it out a bit so my article has its desired effect. Agree that for the accountants of the world it is absolutely a cost center and that will never change. But try doing online purchases without security... Well... rather than spell out my thoughts here... Watch for my next post. I'll elicit my feelings on what the world would be like without security :)
Submitted by Chris (not verified) on Fri, 2009-02-06 21:44.
...for the accountants of the world it is absolutely a cost center...
And conservation of angular momentum only exists for the kind of momentum physicists care about. Unless you want to get paid with some kind of "non-accountant money", I think when it comes to profit and loss (or revenue and expense), it makes sense to use the accountant definitions.
Submitted by Dan Philpott (not verified) on Fri, 2009-02-13 10:25.

I've always favored the analogy of insurance when explaining the business purpose of IT security.  Both cost money and are unlikely to turn a profit, but both are needed to manage risk.

The process of getting insurance is, much like security and compliance, a process that uncovers the real risk underlying operations.  Many organizations are compelled through industry and governmental regulation to have both insurance and security in order to operate.  Given the costs associated with the realization of many risks managed using insurance or security it is fiscally irresponsible to operate without either.

And the biggest difference between insurance and security? Most insurable risks are less likely to occur than IT security risks.
