Saturday, October 07, 2006

Security Is Not Refrigeration

Analogies are not the best way to make an argument, but they help when debating abstract concepts like "virtual trust".

Consider the refrigerated train car at left. Refrigeration is definitely a "business enabler." Without refrigeration, food producers on the west coast couldn't sell their goods to consumers on the east coast. Refrigeration opened new markets and keeps them open.

However, refrigeration is not the business. Refrigeration is a means to an end -- namely selling food to hungry people. Refrigeration does not generate value; growing and selling food does. (Refrigeration is only the business for those that sell refrigerated train cars and supporting devices.)

You might think "security" is like refrigeration. Like refrigeration, security could be said to "enable" business. Like refrigeration, security does not generate value; selling a product or service through a "secure" channel does.

So why is "security" really not refrigeration? The enemy of refrigeration is heat. Heat is an aspect of nature. Heat is not intelligent. Heat does not adapt to overcome the refrigeration technology deployed against it. Heat does not choose its targets. One cannot deter or jail or kill heat.

The enemy of "security" is the intruder. The intruder is a threat, meaning a party with the capabilities and intentions to exploit a vulnerability in an asset. Threats are intelligent: they adapt, they persist, they choose their targets, and they react to their environment. In fact, an environment which on Monday seems perfectly "secure" can be absolutely compromised on Wednesday by the release of an exploit in response to Tuesday's Microsoft vulnerability announcements.

Returning to the idea of "enablement" -- honestly, who cares? I'll name some other functions that enable business -- lawyers, human resources, facility staff. The bottom line is that "virtual trust" is an attempt to "align" (great CISO term) security with "business objectives," just as IT is trying to "align" with business objectives. The reason "IT alignment" has a chance to succeed in creating real business value is that IT is becoming, in itself, a vendor of goods and services. Unless a business is actually selling security -- like an MSSP -- security does not generate value.

Why is anyone even bothering to debate this? The answer is money. If your work is viewed as a "cost center," the ultimate goal is to remove your budget and fire you. If you're seen as an "enabler," you're at least seen as being relevant. If you can spin "enablement" into "revenue generation," that's even better! Spend $X on security and get $Y in return on investment! Unfortunately that is not possible.

Finally, I don't think anyone would consider me "anti-security." I'm not arguing that security is irrelevant. In fact, without security a business can be absolutely destroyed. However, you won't find me saying that security makes anyone money. Some argue that spending money on security prevents greater loss down the line, perhaps by containing an intrusion before it avalanches into an immense compromise. That's still loss prevention. Of course security "enables" business, but enablement doesn't generate revenue; it supports a revenue-generating product or service.

This is probably my last word on this in a while. I need to turn back to my own business!

5 comments:

Paul Schmehl said...

Glad to see you addressing this, Richard. I confess, my thoughts are quite similar to yours. As I pointed out in the discussion on the full disclosure list, any PHB smart enough to be in a leadership position in a company isn't going to be fooled by the "business enabler" argument any more than you were.

LonerVamp said...

You can tackle the concept of business enablement as well. I hate to pick on analogies, and hopefully I am not taking it too far (take any analogy far enough and it breaks down...), but refrigeration is necessary for the business to expand to those markets. Without it, the ice cream will melt before it can get to the customer.

Security, on the other hand, is not always necessary. A business can still choose to do something like, say, run an online store, without bothering too much with security. Granted, regulations are slowly changing that, but still...things CAN be DONE without security.

Maybe security is more like a sleep enabler? It enables more people to sleep at night. Then again, that is not much unlike insurance and loss prevention...

Carlos Ribeiro said...

Talking about analogies... I'm a lifelong IT professional who by chance happened to run a food business for a couple of years. Although I agree with you in the general sense, I would like to point out another analogy that can be useful here.

Although important, refrigeration is only one tool for food safety. There's a huge knowledge base, a good part of it encoded under the HACCP umbrella. HACCP means Hazard Analysis and Critical Control Point, and -- much like security was supposed to be -- is a framework for food safety. HACCP starts from the principle that the food chain (with its associated processes) is inherently unsafe. From this starting point, HACCP starts to define limits to manage the security level. There's no such thing as "pure" and "safe" food. There is, on the other hand, food that is safe for consumption under a given set of conditions, including temperature, time, and other environmental variables.

Looking at IT security from the same perspective the food industry achieved with HACCP would be really great. HACCP is a requirement, by power of regulation, in several places. Nobody in the food industry can sanely call it an enabler, but this does not mean, in any sense, that it is less necessary than anything else in the production chain. Things that are mandatory have to be done, regardless of being costs or profits. Talking about security in this sense only weakens the argument.

Kenneth F. Belva said...

Microsoft gets it!

http://www.bloginfosec.com/?p=83

Ken