The Problem With Selling Information Security as a “Business Enabler”

A random, innocent tweet by Gunnar Peterson (@oneraindrop) got me emoting about whether or not Information Security should be viewed/pitched as a business enabler. This is the tweet that got me going:

And I disagree(d).

At that point my friend Ken (@kenotic) got involved and said that the oven mitt WAS an enabler because without it you’d hurt yourself and not be able to cook. He essentially argued that security is necessary for business, and it enables business to take place, so it (by definition) IS a business enabler. That’s hard to argue from a technical standpoint; I mean the word is right there in the definition.

My problem with that approach is that it widens the definition so much as to make it useless. If a word means everything then it means nothing. And if everything a company does, including having fire extinguishers and a parking lot, is going to be called a “business enabler”, then there’s no point in pitching infosec as one as well.

But let’s not get too caught up with definitions. Business “enabler” might mean different things to different people, and I agree that it CAN mean everything including free coffee and hand sanitizer. But that’s not what matters. What matters is what it means to those we’re selling it to, i.e. the business. So if you say to a business person, in an attempt to promote information security, that information security “enables” business, I think you should have a more direct link in your claim than one to general supporting infrastructure.

And that’s where Gunnar added to the conversation again with a simple yet powerful quote:

The beauty of the brakes-to-speed analogy is that it transfers nicely to business. So a company could be agile in that they are able to forge new partnerships quickly (speed), but they could be bad at securing their assets when doing so (no brakes), which makes them more likely to crash. As a result, the business will be less likely to move quickly (speed/agility) because they don’t have the brakes (security) to do so safely.

I’ve always liked this analogy, and I’ve used it before when flirting with the whole concept of “business enabling” and “security ROI” in the past. But I no longer believe in such things.

The reason this analogy fails is that it is looking at the speed of the car WITHOUT brakes as a comparison to the speed of the car WITH brakes. This is wrong. The speed of the car is the speed WITH brakes, and improvements to the brakes are improvements to the car. The car as a whole is all that matters. It’s infrastructure. It’s plumbing.

In a CEO’s big picture, there’s no difference between a web application firewall and a fire alarm and sprinkler system. Ultimately they both reduce to one thing: an operating expense. I think IT in general can be an enabler, say through a new VPN system that lets a CEO quickly spin up a workforce, but even then it’s not likely to be perceived, by the business, as the same type of “enabler” as an ad campaign, for example.

I have more to say on this, but the ideas are still brewing. I’d love to hear thoughts in the interim.