• http://jonsnetwork.com Jon

    I look at it like this. If you are a member of one of the company's line functions: design, production, sales, transportation, wholesale and retail, then you are a business enabler. If you are a staff function: legal, secretarial, custodial, PR, training, etc., then you are an expense. I consider security to be a staff function, but I may be wrong.

  • cooperati

    re: Security as a “Business Enabler”;

    i ask what about “risk” as an enabler? enabling is like opening doors, to enable, to make able, to create an opportunity to present your ability.

    so, by opening that door, we enable, and we also take the risk also associated with it. to enable is to stick your head in a guillotine, to one extent or another. enabling is intrinsically risky. the two can go hand in hand.

    security is, in opposition to risk, disabling. it defines limits of risk, specifically by disabling discriminately.

    security does not open doors. it does not present opportunity. it frames ability with rules and protocols, trimming the field with limits and controls. thoughts?

    i lack precision (for precise terms). but, philosophically speaking, security is not enabling.

    so, you might ask, “What if you can't do a project unless security is in place?”

    the project is the ability. security is the limits and protocols. boundaries, whatever you want to call it.

    just saying “the project cannot proceed without security” is the first act of security disabling the action, coinciding with and reinforcing the definition.

    thoughts?

  • http://www.intrusionlabs.com/ joej

    If you don't perform basic “good health” engineering and development, then sure … security is not an enabler. Security is one of those dumb, slow-you-down, “cross your Ts and dot your Is” anal retentiveness.

    However … if you worry about producing reliable, error-free systems or software, then you include good practice, techniques, double-checks, etc. as part of the dev/eng processes (called “security”) and you bring in some testing/external checks to ensure you didn't make obvious mistakes.

    Looking at the Top-25 CWE list, repeated, low-level, obvious-to-spot and remediate (and abuse) flaws in systems and software … I'm thinking this:

    … The perception that security is a burden comes from bad practitioners: either security or the eng/dev folks on their team. Security is (again) not the problem; it's a people problem.

  • http://dmiessler.com/ Daniel Miessler

    I think this is in line with what I'm saying; it's a matter of quality ultimately, and security is a component of that, yeah?

  • http://www.intrusionlabs.com/ joej

    Definitely. I'm with you on this.

    I really do believe that, if infosec/security folks are doing a good job, then there is a gained efficiency (not just robustness, resilience, etc.)

    One recent example:
    Moving to field a DoD system, we coordinated with the defense contractor to leverage Fortify SCA — a manual code review would have been VERY costly.

    This was focused only on the information assurance/security necessity (requirement, policy, etc.) – but they ended up loving its strength, got over their embarrassment at the kind of flaws that were in the code base and, in the end, moved to integrate this as part of their normal development & build practices.

    End result: we saved (literally) millions of dollars (or) pursuing a waiver and fielding known-flawed code — and we both got what we really can value:
    - my organization gets improved quality/security and can oversee/audit a practice
    - they get something that moves them forward more efficiently and keep us out of their shorts :-)

    Nice win — money and a practical, sustainable practice that dramatically affects what we produce.

    ==> I'd love to hear other, real-world examples of security + engineer/dev collaboration to produce successes.

  • Pingback: What is Information Security and How Does it Help? « Completosec Channel

  • http://completosec.wordpress.com/ Matt McCright

    Analogies are tough. I have to build an “elevator speech” that can generate some productive attention from executives, but have had little success. It seems like there is still no effective replacement for building relationships with leaders, so that we reduce the need for one or another security ad campaign.

    I believe that the most effective information and technology operations risk management today happens because of the joint efforts of serious information security professionals and leaders (formal and informal) across the various organizations that make up modern corporations in most fields today. Sure, execution of the day-to-day information and application security operations are still critical. But are they more noise without leadership and “connectivity” with the rest of business operations? Depending on the given corporate culture, this is less or more process-driven.

    * Sometimes it is strictly a matter of personal relationships (a risk-elevating situation).
    * In other situations, project processes link these communities for long enough to work out understandings and plans that may often facilitate effectively dealing with risks.
    * Some organizations have broad and deep formalization of their organizational relationships, and the processes and information flows to maintain a shared understanding of threats, risks, controls & mitigations, current state, etc.

    I believe that the first two situations above dominate, and that the third is an exception. As a result, whatever we do to support creation of a “risk-based enterprise website security strategy” or to find a new broad description of what about information security is valuable, it needs to be useful in those organizations that depend heavily on cross-domain relationships between serious professionals to prioritize risk management investments.

    Get a new model for “selling” information security as an enabler, or a new enterprise website security strategy into their hands, and I believe that you will begin to get traction.

    I wrote out a more fleshed out discussion of this notion at: http://completosec.wordpress.com/2009/03/28/what-is-information-security-and-how-does-it-help

    Thanks

  • Bob

    I have worked with a company that took security very seriously. One of the selling points to potential clients (government) was that they took the time to put infosec as part of the whole process in which they operate. I asked several clients what some of the reasons were that they chose this company, and a focus on security was a factor.

  • http://www.plumbingsanrafael.net San Rafael Plumbers

    Very well said, thanks for sharing your insight and I believe you all the way!
