Answering A Very Difficult Value Question Regarding Information Security
We had a really diverse set of speakers and customers in attendance.
When you can pool the input and output from very large financial institutions to small law firms against the presentations from business innovation experts, security folk, workforce futurists, industry analysts and practitioners, you’re bound to have some really interesting conversation.
One of the attendees really capped off the first day’s discussion for me whilst at the bar by asking a seemingly innocuous (but completely flammable) question regarding the value that Information Security brings to the table against its ability to provide service and not stifle agility, innovation and general business practice.
This really smart person leads the innovation efforts at a very large financial institution in the UK and was quite frankly fed up with the "No Department" (InfoSec group) at his company. He was rightfully sick of the strong-arming speedbumps that simply got in the way and cost money.
The overtly simplified question he posited was this:
Why can’t you InfoSec folks quite simply come to your constituent customers — the business — and tell them that your efforts will make me x% more or less profitable?
In his organization — which is really good at making decisions based
upon risk — he maintained that every business decision had assessed against it an
acceptable loss figure. Sometimes those figures totaled in the
He suggested then that things like firewalls, IPS’s, AV,
etc. had a near zero-sum impact when measured in cost against these
acceptable losses. Instead of the old axiom regarding not spending $100,000 to protect a $1,000 asset, he was actually arguing about not spending $100,000 to offset an acceptable loss of $1,000,000,000…
I smiled as I tried to rationalize why I thought for the most part, nobody I knew could easily demonstrate the answer to his question. Right, wrong or indifferent, I agreed that this was really a fundamentally crappy topic to bring up without something stronger than wine.
It turned into quite an interesting conversation, during which I often found myself putting on various hats (architecture, security, operations, risk management) in an attempt to explain — but not justify — the status quo.
I demonstrated what I thought were some interesting counter-questions but for the most part found it increasingly uncomfortable each time we ended up back at his initial question. The more complex the answers, the more divergent from the concept he was focused on became.
Imagine if you were the CSO and were being asked this question by your CIO/CFO/CEO as the basis for the on-going funding of your organization: "We can comfortably sustain losses in the hundreds of millions. Why should I invest in security when you can’t demonstrate that you enable my business to achieve its business goals in a way which can make us more profitable or offset my acceptable losses?"
It’s why businesses exercise any option to swerve around the speedbumps IT/Security are perceived as being.