OK, Tell Me I'm Wrong!

Everyone knows that in business you need to do two things: increase top-line revenue growth and reduce bottom-line cost. Doing both of these is how companies grow profitably. It really is that simple. Now why is it that Information Security Officers have trouble thinking this way? Read my new paper titled "Determine The Business Value Of An Effective Security Program — Information Security Economics 101", developed for the S&R Practice Playbook.

In the paper, I argue that we need to associate the value of information security with the value of the information assets we protect. How is this value determined, you may ask? Well, ask away, because in the paper I outline a method to determine that value. It’s simple. We live in an information economy and even though we may be a bank, manufacturer, or a retailer, at the end of the day we wouldn’t be in business without information. In many ways information is what we sell.

Think about it: if we tie information security to asset value, where that value is defined by the revenue the assets produce, we would understand how to prioritize security effort and we would have far more productive conversations at budget time.

Join in the debate, and tell me why this approach couldn’t work in your firm. I want to hear from you.


Why are you singling out the Information Security Community

Why are you singling out the Information Security Community? I would argue most of IT ignores the main reasons for business change/value i.e. increase revenue, reduce cost. Of course you will get someone to claim that certain investments will increase revenue or costs but they will have a hard time coming up with measurement, and most likely not because the measurement is difficult (which it can be) but because the benefits are so small that the investment didn't make much sense.

I would also argue that in business you need to manage risk (which one can argue that it would feed eventually into increasing revenue or at least reducing cost).

And then of course there are investments that you don't really have to justify; it's because someone would like to see that implemented and you want to get them off your back.

We don't live in a rational world.

Osama S.

Information Security Community & The Rational World


Thanks so much for the comment. I guess the simple answer to your first question is that I cover the information security space; that's why I care so much about how we as information security professionals conduct ourselves. The message here is more about change, and specifically change of focus. The InfoSec professionals I worked with in the past were all about stopping the breach. In the days of a hard perimeter this made sense, because if the perimeter were breached the insides of the company were there for the taking.

Now the perimeter is devolving into multiple smaller bunkers. Here at Forrester we call this the zero-trust-network. Our focus now needs to be on protecting assets and not infrastructure. How much would we spend to protect a worthless trinket? - Not a lot. How much would we spend to protect the crown jewels? - Quite a bit. Information security by its definition must become more selective. Done correctly this will allow us to spend our treasure much more effectively and in a sense get more for less.
In order to do this though we have to understand the value of the assets we protect. Once we understand the value of those assets we can quantify the costs should something happen to those assets. This is the business case for information security.

We don't live in a rational world, I agree, but we do live in one where most decision makers understand money. Monetizing assets allows us to monetize risk, which gives us the ability to make better decisions on how much we want to spend to protect those assets.
Here’s my challenge. Look at your current information assets. Try to associate those assets to your most important revenue streams. You might be surprised by the results.


Ed Ferrara