Sunday, June 8, 2014

Security as a business enabler

One thing that businesses forget is that security is supposed to be an enabler, not an inhibitor. What I mean is that often security gets in the way of doing business, or sometimes even drives business operations. That is why, when other business functions see us coming, you hear them mumble statements like, "Here come those security geeks again, what do they want us to do NOW?" instead of, "Hey, here come the security pros, I wonder what wonderful business enhancers they have for us today?"

There are some security experts who believe that security is NOT a business enabler because, according to them, "in order for a function to be a 'business enabler' it should directly contribute to the revenue stream of that business, not indirectly participate as part of the total business. Therefore, in order for security to fit into that definition it would require the product that is sold to be security centric or the use of security as a competitive differentiator for the product line."

I have to disagree with this statement. According to an enabler is, "Capabilities, forces and resources that contribute to the success of an entity, program, or project." This definition states nothing about revenue stream, although I would argue that if security contributes to success, and success in business is earning revenue, then it is indeed an enabler.

I believe that it is about time security is getting the respect it deserves. For many years security has been treated as the proverbial "stepchild" of business. Like custodial services, security guards, and other things of this nature, IT security has been regarded as a necessary evil, or a money drainer for businesses. However, business leaders are now beginning to "see the light". They are now recognizing the value of excellent IT security to their reputation, security, and yes, the bottom line: profit.

My detractors argue that "security as an enabler" was a concept "created as a sales tool by both security product vendors, large consultancies, security research firms, and the large security magazines." They say it is "designed to feed the undying need to provide security with tangible evidence of its importance. It is analogous to asking for an ROI on an insurance policy." To them this concept is nothing more than a way to sell security and its services. I say NAY. I will argue that good security processes can help increase revenue up to 10%, and you cannot measure the return on investment of good security stopping a security breach and preserving the company's good name... just ask Target, eBay, and others.
