Friday, February 6, 2009

Security: cost center

Mike Rothman made me LOL very very hard today with this post about McAfee's attempt to say that compliance is not a cost center. Mike is completely right in saying that many had tried to do that and it didn't work. Mostly because yes, it is essentially cost. Most of the demonstrations of security as a revenue center are artificially created by getting the benefits from other stuff and justifying it as security benefits because security allows them to materialize. It happens all the time with VPNs. That's not the VPN that saves money from network connections, it is the Internet! VPNs just make the risk from using the Internet for sensitive communication acceptable.

What impressed me most on McAfee's post was this particular point:

"Security streamlines and clearly defines roles and responsibilities making information flow more quickly through an organization"

Wow, that was brutal! Security directly and negatively impacts productivity, that's a fact that we can't run away from. That's what makes this job so interesting, trying to make that impact as small as possible. We can't, however, deny that it is there. As Mike cleverly said, wrong way. That's that famous ROSI (ugh!) discussion.