Dropped through my door last week was the flyer advertising Infosecurity Europe 2014. The theme is “Security as a business enabler – are you fit for 2014?”
It is an unfortunate choice of words, reflecting a profession that is hopelessly out of touch with reality. There is nothing remotely new about this idea. Thirty years ago we regarded security as a business enabler in defence and intelligence circles. But this is not the case in a modern business environment where enterprises do not invest in unproven leaps of faith. Security as a business enabler is no more than wishful thinking. The slogan reflects an immature business perspective, quite the opposite of the impression sought.
There is nothing wrong with Infosecurity’s marketing. They will have consulted the usual suspects, our long-standing professionals and pundits. The flaw lies with the community which promotes this nonsense. Business enablement might be a great line to sell to executive boards. It sounds very impressive. But it is no more than an illusion. The reality is that compliance, not business, drives security.
Compliance is a powerful driver but it is hopelessly inefficient. Without it, however, there would be no proactive security functions. Instead security programmes would swing wildly from under-manning to over-investment, driven primarily by major incidents.
In the absence of incidents no sensible business manager would invest in security. It costs money; it slows down development processes; it restricts sharing and exploitation of customer data; and it reduces system agility. Security cannot guarantee a solid return on investment. The business case for it has to rely on the fact that it is an essential, inescapable business requirement. Get it wrong and you might end up in jail.
Unfortunately security has become a growing overhead. Many large enterprises now have more than 300 security staff and there may be many more times this number policing compliance. We need to manage the solution space more quickly and efficiently. But we are prevented from doing so by so-called best practices demanding increasingly detailed analysis of the problem space through risk assessments, gap analyses, form-filling and audits.
Compliance has hijacked the security agenda and, left unchecked, its demands will continue to grow. It is not logical to expect that any business with a proliferating security overhead would wish to experiment with theoretical visions of business enablement. Instead security needs to get real and grow up.