Today I read a blog post at NCircle (found via the prolific Adam Shostack) about security as a business enabler. It's an interesting post, but to me it shows that information security people often fail to understand how value is created.

The real goal for Infosec needs to be to show the business how we do (at least) one of the following two things:

  • Create revenue
  • Reduce costs

This can't be through sheer loss-reduction. If it is, the "it'll never happen to me" school of thought will always have a way out of making systems more secure.

I have started this blog discussing how companies create value:

  • increase revenue (faster than costs or investment)
  • decrease costs (faster than revenues or investment)
  • reduce their weighted average cost of capital

Information security investments can contribute to any of these categories, but mostly they fall in the last.

Let me use my favorite example: You are implementing a VPN for remote access. The projected cost savings/productivity enhancements are $100,000 per year (forever - keep it simple). Without strong authentication, the cost of capital for the project is 20%, giving the project a value of $100,000 / 20% = $500,000.

If you wanted to do strong authentication, how could you justify it? It would reduce the cost savings! I can't take that to my CFO! Ah, but you can. Adding strong authentication reduces the risk of the project, which reduces the cost of capital. Say two-factor authentication reduces the savings by $40,000 - ouch - but it cuts the risk in half, so the cost of capital drops from 20% to 10%. $60,000 / 10% = $600,000! You have just created $100,000 in added value for your company. Ask for a raise (or better - get stock options, because you work for a company that understands how value is created!).
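The valuation in the example above, worked through as a small Python script (added here; it is not from the original post). It follows the post's simplification that halving the risk halves the cost of capital, and adds the break-even point the paragraph does not state: the control pays off once the fraction of the cost of capital it removes exceeds the fraction of the savings it consumes.

```python
# Added example, not from the original post. Models the post's perpetuity
# valuation: value = annual savings / cost of capital, with a security control
# that costs money every year but lowers the project's cost of capital.


def perpetuity_value(annual_savings: float, cost_of_capital: float) -> float:
    """Present value of a constant annual cash flow that continues forever."""
    if cost_of_capital <= 0:
        raise ValueError("cost of capital must be positive")
    return annual_savings / cost_of_capital


def value_with_control(annual_savings: float, cost_of_capital: float,
                       control_cost: float, risk_reduction: float) -> float:
    """Project value after adding a control.

    control_cost is the annual savings the control consumes; risk_reduction is
    the fraction of risk it removes. Following the post, the cost of capital is
    scaled by the same fraction (cutting risk in half halves the rate).
    """
    if not 0 <= risk_reduction < 1:
        raise ValueError("risk_reduction must be in [0, 1)")
    return perpetuity_value(annual_savings - control_cost,
                            cost_of_capital * (1 - risk_reduction))


def added_value(annual_savings: float, cost_of_capital: float,
                control_cost: float, risk_reduction: float) -> float:
    """How much value the control adds (negative if it destroys value)."""
    return (value_with_control(annual_savings, cost_of_capital,
                               control_cost, risk_reduction)
            - perpetuity_value(annual_savings, cost_of_capital))


def breakeven_risk_reduction(annual_savings: float, control_cost: float) -> float:
    """Smallest risk reduction at which the control stops destroying value.

    Setting (S - c) / (r * (1 - k)) = S / r and solving for k gives k = c / S,
    independent of r: the control must cut the cost of capital by at least the
    fraction of the savings it eats.
    """
    return control_cost / annual_savings


if __name__ == "__main__":
    # The post's numbers: $100,000/yr savings, 20% cost of capital,
    # two-factor auth costs $40,000/yr and halves the risk.
    print(perpetuity_value(100_000, 0.20))                    # 500000.0
    print(value_with_control(100_000, 0.20, 40_000, 0.5))    # 600000.0
    print(breakeven_risk_reduction(100_000, 40_000))          # 0.4
```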

If it's just about disaster avoidance and recovery, there's always going to be a reason to spend less money on it in difficult times.

Well, that may always be true. The point to make would be "hey, you know that doing this will increase the cost of capital, right?" The problem is that companies don't realize the risks that they are taking, that risks have increased or that they are increasing their cost of capital. Though we are seeing companies interested in switching to WiKID because WiKID is less expensive than SecurID, I fear more companies just stick with passwords. They take on what is an increasing risk (because attackers get better all the time) without thinking about its impact on the cost of capital.
