Saturday, 15 December 2007

More statistics and security confusion

When this report came across the wire yesterday:

Report: Security becoming business tool

I was reasonably happy. Until I read the tag-line, that is:
"Compliance, privacy and data protection, and meeting business objectives are top three drivers for security"
"Strange", I hear you say, "for a security vendor to dislike business drivers in the press..."

And you'd be right. With my vendor hat on, this is great news for me. This story was sent to me by the Senior PM at Ingrian in fact, and he knows a good driver when he sees one. But, take the hat off, and there's a security guy underneath it banging his head on the table.

But why? This is all positive for the industry isn't it? Yes... and no. It's all true, and it's all relevant and it's right that security gets publicity, but this is what I object to:
"Eight out of 10 organizations said security has helped improve IT and operational efficiencies, and six out of 10 said it helped with the organization's strategic initiatives. And compliance has played a bigger role than a checkbox: Eighty percent of the respondents say compliance has improved their organizations' security."
First off, security and compliance do not make easy bedfellows. Ask your dyed-in-the-wool security guy what he thinks of compliance, and that isn't the only c-word you'll hear. 80% of respondents may say that compliance has improved their security, but then they would, they're probably being filled in by the marketing department, sorry, Executives.

And of course they're going to say it has helped improve IT and operational efficiencies, for the same reason, but this is the thing: SECURITY IS IMPROVED IT AND OPERATIONAL EFFICIENCIES. This annoys me because it is the one thing that anyone in security should understand from the moment they sign up - security is not just encryption, not anti-virus and not some worthless device, for firewall's sake (sorry to use the F-word and the C-word, but I'm angry).

Security is confidentiality, so yes, encryption and everything that comes with it, but also physical protection of the same. Security is integrity, making sure processes don't have to be repeated because information is lost or incorrect. And security is availability, making sure that processes work the way they are supposed to and that information can be accessed when it is needed. This is what security has always been. Just because businesses have only just realised what it is doesn't mean that it is suddenly a magical driver; it just means we're all putting the same name to it.

I look forward to making a few easy sales now the budget will be available. 80% you say...
