Still on "security as a cost"
Lawrence Pingree, from McAffee, was kind to comment my post about his post on McAffee's blog on "security not being a cost". Well, I must say that what he expressed on that comment didn't change my mind at all.
As he said, security can be an enabler. I understand this statement as saying that it allows us to do something under an acceptable risk level. We could still do the same things without security and get the same savings (like using Internet connections instead of dedicated circuits). The difference is that most people won't do that without mitigating the risks. However, in order to do that, there is a cost. That's security. You can keep a single person submitting a transaction, that will certainly be the lowest possible cost. But, in order to reduce the risk from that person abusing the system, you add an approver. That's a cost. The action is still the same (the transaction), but now it happens under a reduced risk and with a higher cost.
That being said, it doesn't mean that's something bad! There are lots of things that are costs, like insurance, fire extinguishers or employee health insurance. It's not bad to expend that money, but you always try to find how to get the better results expending less money. If you go this way on the budget discussions, you will be following the safe way.