Some of my favourite and most admired bloggers have got into a fairly cyclic argument which is rehashing something we've been over several times in different guises. Mark started with a piece on how security isn't a competitive advantage these days. Isn't this just the old "ROI is not real ROI" argument disguised as something new?
Chris got stuck in, as can only be expected these days, saying that there were too many generalisations in this argument and that Mark wasn't looking at it from both sides, the vendor's and the buyer's. Each of course looks at security in different ways. But this is a different argument to the one Mark was making, I think. What both posts confirm is that security is what Richard B calls "Table Stakes": you don't get to play the game without it. Now I don't always agree with Richard 100%; he comes up with a lot of fresh and sometimes crazy ideas, but this time he has it on the button, and in a very concise way.
Now Rich M has got in between them both with his own economics take on why this is the case. It's true: security doesn't affect consumers in the ways we, as security practitioners hoping to make some money from our skills, would expect or hope.
I think anyone working in security, especially at a vendor, knows only too painfully well that security and privacy are table stakes. This is why we need compliance to get people off their arses and looking at security in the first place. If security were attractive, PCI, HIPAA, GLBA, SOX, CFR21, etc. wouldn't need to exist. But with compliance, security turns into a marketing exercise rather than a technical skill. This suits me fine, in fact; I've been a sales engineer for many years and know these arguments inside out, but I think it goes some way to explaining our ambivalence towards compliance.
Compliance does not equal security; we hear that all the time. Compliance is a business driver, and for security to survive as an industry we need to bow to it. Security as a purely technical discipline is no longer viable, yet to hear the number of complaints about compliance, PCI in particular, you would think it was nothing but. Security as a business is dangerous, however, and in many cases it is taking security a long way from being secure.
I'm going to continue this in a separate post, because I have plenty to say on it. This may have to wait however as I'm leaving Spain today and have to pack!