The Security Standard: Pendulum swings back

Submitted by Mike Rothman on Wed, 2006-09-06 08:50.

I'm here at the Security Standard conference and I'm seeing the pendulum starting to swing back. What pendulum? The pendulum that swings like a metronome between security as a defense and security as an enabler. It seems to swing back and forth every 4-5 years or so. Of course, this is a "business" oriented security conference, so Black Hat it ain't. But business folks are trying to figure out how to pitch security as an enabler, that much is clear.

I'm a bit disturbed by this trend because we've all seen this movie before. So I'll make it very, very clear. Security is not a business enabler. It is a cost of doing business. You cannot do new things because of security. You do open up new revenue streams and add value to customers via new applications that reflect new (or updated) business processes. It may be ill-advised to put these new business processes on the web without adequate security, but you CAN do it.

I know. Once again, I get to play Mr. Wet Blanket. Or maybe I'm just playing off of semantics. But I think the nuance is important. The first presentation by Cathy Allen, the CEO of BITS (a Financial Services roundtable group) solidified things for me. Financial sector CEOs and CIOs want to believe that security will help them get new customers and open up new revenue streams. I don't think so.

I can tell you that organizations, especially financials, will LOSE customers if they have continual publicized security problems. But is that defense or offense? I say defense. E*Trade was the first to start marketing security (remember the tokens?) and that has had arguably no impact. We've seen Bank of America and Wells Fargo make statements as well. Again, I'm skeptical that there's been any impact thus far.

What about other businesses? Is anyone trying to differentiate on being "more" secure? Retailers, no. Manufacturers, no. Utilities, no. Now that I'm thinking about it, is there anyone? That doesn't mean it isn't happening, but it's not making an impact yet.

Maybe I'm just over-reacting. Or the scar tissue that I have from trying to sell PKI as an enabling technology in the late '90s is aching. Whatever it is, I am very respectful of history. And history says that when money gets tight, these "enabling" initiatives get tossed over the side.

But defense persists - which is why security became all about defense during the tech nuclear winter (2001-2003) and during the AV renaissance that drove the security business from 2003-2005. And I don't think that this time is any different - but tell me why I'm wrong. That's what comments are for.

 

Submitted by Ahils (not verified) on Wed, 2006-09-06 11:29.

Mike,

Here are some examples of non-security vendors using security to add more revenue or differentiate:

1) Banks and credit card companies have created revenue streams with anti-fraud/identity theft bolt-ons

2) ISPs are now attempting to differentiate on basis of security

3) Some computer companies (e.g., Lenovo) bolt on security packages (TPM, whole-disk encryption, etc.)

Your point, in some respects, is well-put. Security is a cost, which is why TCO is a more credible evaluation measure than ROI; however, defense enables revenue generation:

Example: security/defense enables retailers to store private customer information and use it to generate revenue while minimizing opportunity for brand-killing customer data exposures.

There are an infinite number of examples like this that show security as a cost that allows positive revenue generation. "Good enough" is necessary, and in some verticals, like Financial, consumer technology, and online retail, it can be a real difference-maker in influencing the buying decision and in building loyalty.

Granted, at some point over-the-top security turns the customer off as it damages the customer experience and proves too costly - there's a reason air-gap firewalls never made it to the commercial market.

You should alter your position - some costs ARE business enablers. It's a rare case when a definable revenue stream comes from better security, but there are many instances when good security becomes a key factor in a buying decision.

Submitted by mroonie (not verified) on Wed, 2006-09-06 15:33.
I know that what you're trying to say here is that just because businesses include new security measures in their practice does not mean that they can actually DO MORE. In fact, they do the same amount as before, just MORE SECURELY.

It's as if companies are saying they are now more qualified to do more, when in reality, the new security measures being implemented are a given. Every company should require such standards and not market themselves as better or able to DO MORE just because they are now "secure", whatever that means.

What the real problem seems to be isn't so much that people aren't aware of the security issues that exist; the idea of risk in business is a well-known concept. It's more a matter of evaluating where the business currently stands and identifying all the security gaps and holes. But this process in itself is new and unfamiliar, leaving businesses to continue floundering.

If businesses want to empower themselves, they should EDUCATE themselves. Keeping the company's reputation should be top priority, and the goal should be to NOT get on the list of companies who have experienced data loss.

 

Submitted by Kenneth F. Belva (not verified) on Thu, 2006-09-07 13:43.
Mr. Sam Dekay and I published a paper on security enablement in late August.

http://www.securityfocus.com/archive/1/444735/30/0/threaded

http://www.ftusecurity.com/pub/VT-belva-dekay-final.pdf

Sincerely,
Kenneth F. Belva, CISSP
