Is security really a business enabler?

The title of this blog is the subject of a presentation I gave yesterday to the IISyG. I took a deliberately provocative stance, making a point that security is not there to enable the business, it’s there to mitigate risk. That is not the same thing: it’s cost, expense, and time and we only do it because we have to.

What was interesting was the vociferous counter-argument, especially from those present from the financial services industry, who made the point that many of their services would not be publicly acceptable, nor acceptable to their regulators, without solid built-in security, and so in their case it is an enabler. Yes, I agree; however, doing something because you have to is not the same thing as doing something because you want to. The financial services industry is the same as other industries in that profit is the driving force, and if they could get away without the additional cost and expense of designing stronger and better security then they probably would.

I don’t think there is anything wrong in admitting that we “do security” because we have to. The trick is in the way the work gets sold within the business. Too often security professionals try to justify costs by presenting vague ROI figures or metrics such as firewall logs showing the number of intrusion attempts. The problem with this is that the finance director will laugh your ROI data out of his office, and nobody outside of the IT department is going to be a) interested or b) able to understand the significance of a pie-charted extract of the firewall logs. If you want to convince the business then you have to cut out the techie chat. The key points I made are that we need to:

– Take a risk based approach

– Focus on business needs

– Talk the language of the business

– Not make wild statements about cost savings and ROI

– Work to reduce costs

– Put risk assessments into context

– Present a decent set of meaningful security metrics

One of the interesting notes that came out of the discussion was the impact of using the word “security.” This seems to be the passion-killer. Talk about “risk” and “compliance” and “governance” and the view is that it’s much easier to get business buy-in. Talk about “security” and it’s considered to belong in the IT department or checking passes at the main entrance.


We tend to misuse the English language. The dictionary definition of "enabler" is: 1. to make able; give power, means, competence, or ability to; authorize (This document will enable him to pass through the enemy lines unmolested.) 2. to make possible or easy (Aeronautics enables us to overcome great distances.) 3. to make ready; equip (often used in combination) (Web-enabled cell phones.) I believe that we take the second part of the second definition (to make easy) as our definition of enabler. Given the proper definition of enabler, it is clear that security is a business enabler because it makes possible many aspects of business.
I would say that we 'do security' to make functionality possible in line with our compliance requirements and to reduce risk to an acceptable level, thereby 'enabling' the business units to do business in a more controlled fashion. On another note that hasn’t been highlighted yet, we also 'do security' to protect the companies we work for from adverse publicity and financial penalties, and so the proof of this pudding is in the lack of notoriety. I do also have the opinion that to businesses the word ‘security’ conjures up images of geeky folk in sandals tinkering away with their firewalls and IPSs, rather than the professional individuals diligently working in the background with nothing but the knowledge that they are doing their jobs well, and for a reason, to keep them enthused.