Sunday, March 21, 2010

Forget ROI and Risk. Consider Competitive Advantage

In my last post, Time and Cost to Defend the Town, I mentioned pondering different ways to discuss digital security with a new executive. This business leader reportedly said "every day, our businesses are competing in a global marketplace. How can we help them?" I thought about that statement and one idea came to mind:

Digital security helps businesses build competitive advantage.

I've decided that competitiveness is the new theme which I will use to justify my team's activities when discussing our mission with management.

It seems simple and accurate to me. Capable digital security teams help businesses build competitive advantage by keeping data out of the hands of adversaries.

Contrast competitiveness with two other popular paradigms for discussing digital security: ROI and risk. Imagine the following conversations. Which do you prefer?


1. "ROI-centric discussion"

Security person: Hello boss. We need to implement our security program because it has a ROI of $1 million dollars.

Boss: You mean if we adopt your program we're going to earn $1 million dollars?

Security person: No, we'll save $1 million.

Boss: Get out of my office. Come back after you've taken a finance class.


2. "Risk-centric discussion"

Security person: Hello boss. We need to implement our security program because I've calculated our risk to be 1.35.

Boss: What does that mean?

Security person: Hmm, ok I'll leave now.


3. "Competitiveness discussion"

Security person: Hello boss. We need to implement our security program because it will provide a competitive advantage to our businesses.

Boss: That's a new one. Tell me more.

Security person: We have adversaries who try to steal, and sometimes do steal, our data.

Boss: So what. Isn't it just World of Warcraft credentials?

Security person: Our adversaries steal intellectual property like design plans, pricing data, negotiation strategies, and other information, which means they might understand our business as well as we do.

Boss: Is that true? You mean we could lose deals because our products are copied, our bids undercut, our positions already known? I wonder if that's why we lost a deal to MegaCorp last month...

Security person: Now that you mention it, here is a report on suspicious computer activity involving MegaCorp last week. Our team managed to interdict their theft attempt, but in the future we'd like to be able to detect and respond faster, as well as make it more difficult for the adversary to have a chance to steal our information.

Boss: Now you're talking. Sit down, let's discuss this.


Notice what happened here. Magazines written for CIOs, CTOs, CISOs, and so on constantly advocate "speaking the language of the business." Unfortunately this "language" has been assumed to be finance. As a result security people tried to shoehorn their projects into ROI or ROSI, with laughable results.

As we've seen during the last few years, "risk" has turned out to be a dead end too. The numbers mean nothing. Even if you could somehow measure risk, it's easy enough for managers to accept a higher level of risk than the security manager.

Competitiveness, on the other hand, is everything to business people. They are constantly looking for an edge. In a tight economy, gaining an advantage over the competition could mean the difference between thriving and going out of business.

Notice that discussing competitiveness also avoids the death spiral associated with ROI discussions: cost. When conversation is ROI-centric, digital security is perceived as being a loss prevention exercise and a cost center. IT in general is often seen in this light. Don't dump money in a cost center -- cut spending instead!

When you turn the focus on the adversary -- you are threat-centric -- and discuss how he is trying to beat you and how you can beat him, you are likely to strike a primal chord in the mind of the business person. The executive is likely to wonder "what else can we do to give us a competitive advantage?" Suddenly the digital security shop is seen as a business partner in a common fight with the competition, not a cost center dragging down the "productive" elements of the business.

This isn't a new idea, but it's largely absent in the mindshare of digital security professionals. (If anyone has an ACM account I'd like to read Using information security to achieve competitive advantage by Charles Cresson Wood, 1991.) In addition to mentioning ROI and risk, it's important to remember that compliance is the other driver that is likely to justify funding. However, I believe we are more likely to see security shops spending resources explaining why their current activities meet regulatory requirements. I doubt new programs are going to be created to meet compliance needs, since compliance is basically a ten-year-old justification at this point.

22 comments:

Anonymous said...

Yup, that is what we have been doing for several years - bringing in the aspect of more peer discussion would benefit others also.

dre said...

Forget competitive advantage. Remember your customers!

CR said...

True, but known for years.
"Security as a business enabler" is a phrase that's gone around the block for at least 5 years.

And even ITILv3 has taken your last piece into its new framework.

:)

zqyves said...

hello,

Basically it is not giving a competitive advantage, it's protecting against others gaining a competitive advantage over you, or you gaining a competitive disadvantage.

I can see the fictitious conversation with the executive going your way the first couple of times. On the third you'll eventually be asked "and what have you been doing with all that money I have been giving you then?" so it's a rather short-lived argument.

Sadly (for the state of the industry), I think compliance will always be the way to ask for money for security.

The only way to be seen as an equal partner is to find a business model where your work can be paid for directly by your customers, such as a service offering. That's when you start making money for the company...

./Z

Chris Blunt (Axenic) said...

I like cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 idea but I'm not convinced that it will work in all situations. What about organisations that don't compete for market sector? (e.g., Government Agencies)

I've just downloaded and read Charles Cresson Wood's article and he is talking about using security as a differentiator to gain competitive advantage when marketing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 organisation's products and services.

Richard Bejtlich said...

A few thoughts:

dre: Customers are obviously important. My focus wasn't on protecting customer information.

CR: I dislike the "business enabler" theme. It's too vague. Oxygen is a business enabler too.

zgyves: I like what you said, but I slightly disagree. I think it is a competitive advantage if you protect your information better than another company. I guess in your thinking a "pure" competitive advantage means your organization goes offensive against peers. That's illegal for US organizations.

Regarding "what have you been doing" with the money, that's the easier part -- at least for my organization.

If you have a "service model" with paying customers, then you're an MSSP and this debate doesn't apply.

Chris: Thanks for checking the CCW article. Government agencies would have to think at the level of national security, i.e., is the US losing its competitive advantages when adversaries disclose/degrade/deny our information?

Jack said...

Some thoughts:

1) I agree completely with your position regarding ROI. Cost-benefit maybe, but not ROI. And even with cost-benefit we're still stuck with figuring out how to measure the benefit...

2) I also agree completely with your statements about a risk-based approach when the approach is as lame as some number on an ordinal scale. Ordinal scales for risk are largely meaningless, although I suppose an argument could be made that it can be an effective way to measure progress from measurement to measurement. Still...

3) Compliance has become important for regulated entities, but it doesn't apply to every business and even some regulated businesses pay marginal attention to it.

4) Protecting against the loss of competitive position due to theft of information is incredibly important for some businesses, but not for all. Boeing, yep. Intel, yep. Retail stores, insurance companies, and other places where high value intellectual property is far less prevalent -- not so much. In those cases, the business people are every bit as likely to laugh us out of the room on the "competitive advantage" argument as they are on an ROI argument. Their comments are going to sound something like:

* "Are you kidding? Someone from xyz company is going to risk going to jail over this kind of data? Let alone take the reputation exposure associated with it? Get out of my office until you've taken a reality pill or a prozac."

Clearly, there can be exceptions like M&A information and such, but it's not likely to be prevalent enough a concern to base your security program arguments on.

BTW -- how many of the companies you work for are engaged in this kind of corporate espionage? After all, they are the competition to someone else...

5) As for executive willingness to accept more risk than the security manager. You may be right, but it depends on the business person. Keep in mind though, that it's their prerogative (in fact it's their job) to decide on how much risk the organization is willing to take on and it's our job to help them make informed decisions. The fact that our profession is lousy at helping them make well-informed decisions about risk isn't their fault.

Thanks

H. Carvey said...

The only problem I see with any of this is that in each scenario, the first step is the Security Person going to the Boss. I know that this is something of an idealistic pipe-dream, but in today's day and age, the Boss should be going to the Security Person and getting them to develop a plan.

Given everything that we've seen over the past 10 or more years, it's clear that the bottom-up approach simply does not work. Many organizations do not have IR plans in place simply due to the fact the Boss's priorities are (1) email/IM, (2) servicing customers and (3) getting paid. Nowhere in current business courses does there seem to be anything about "what do you do when an outside, third party comes to you and tells you that your customer's data has been exposed", or "why would you want to protect your customer's data"?

Richard Bejtlich said...

From cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 CCW article:

Four benefits are described below: improved image of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 organization as a conscientious corporate citizen, enhanced customer confidence, new products and services, and new security features for existing products and services.

Unknown said...

What makes me uneasy in promoting the security of a service: The marketing push may lead to more external threats willing to prove it really is not that secure.

Will the marketing benefits with customers and partners outweigh the renewed efforts of attackers to prove the company wrong and make it a public debacle?

It certainly is an interesting approach and with a solid and mature security focus could be pulled off.

Anonymous said...

Wow... It is pretty infrequent that I have heard so many people disagree with Richard... And I must unfortunately join the choir. As the Security Engineer for a medium sized state I fail to see how "competitive advantage" applies to two of the largest computing environments (State and Federal Government).
It will take a lot of talking to move me from the point of view that "Security is a Cost" no different than insurance or your Corporate Counsel. Yes in tough times "costs" are on the chopping block, but that's when your CISO needs to step up and defend his/her shop. That's why you get the "C" in front of your name...
I have proposed for years that there is no ROI for computer security and that it is a waste of time to try and measure it. It's like asking a soldier to give you the ROI from digging a good foxhole; I guess the best you could say is that it offers him the best possible protection given his current situation. If you were to go offensive then it would afford him a good position from which to engage the enemy.

Mike Chesmore, CISSP

Richard Bejtlich said...

To everyone defending at least national infrastructures: consider what I said about national competitiveness. Our country is engaged in a great contest with other world powers, and competitiveness certainly plays a role.

As far as state and local issues, that's probably more about preserving citizens' privacy.

I guess at some point I should do a post contrasting privacy with security?

dearista said...

Brilliant Richard.

gunnar said...

Competitive advantage is a much better way to look at it. I would also include Customers. Customers and customer relationships have tangible, measurable value to the enterprise.

If a farmer grows the same high yield crop every year, looking only at short term profits, they do well for a while but then burn the fields out over time.

A longer-term focused farm rotates the crops and invests in tools and techniques to build the soil and other assets over time. Maximizing value over the long haul.

You can look at security this way, your security budget is in part predicated on building security on your customer's behalf by investing in security organization, processes and tools that build current and future value for them.

Looked at from this perspective, you can measure the value of customers and target security resources accordingly.

So maybe the outcome looks like this:

Security person: Hello boss I have identified our top 10 customers, and assessed where there are gaps in our security around the assets that we store and process on their behalf. If we want to continue to do business with them, here is a practical plan to secure their assets.

Chris Clymer said...

Wouldn't a blended argument work a little more effectively? I would expect most CXO's to be looking for some data on how likely this industrial espionage situation is for their company...in other words, to some degree, you're still talking about risk.

Obviously cost will always be something discussed as well. Not making it your leading argument sounds sensible to me, but any CXO is eventually going to come back to ROI.

I understand the approach though...with your focus on improving competency at incident _detection_, the more successful your team is, the more incidents your company has reported. It's very difficult to get some folks' heads wrapped around the idea that these things were already happening, all you did was look harder. And if you're given more resources to look even harder, you're only going to find more incidents. Many CXO's are going to recoil and wonder if life might be easier if they just didn't know. And once again you're back to risk...how do you explain to the CXO the potential loss?

Putting risk in arbitrary numbers without context isn't good for anyone. Security risk has no choice but to be qualitative most of the time; there aren't reliable metrics for most of the factors we're accounting for, and anyone who feels otherwise is either a lot smarter than I am, or a little detached from reality. But we all make decisions based on risk, both in business and in security...it's just a matter of how formal we are about it.

extantproject said...

People don't do business with companies that don't give them what they pay for or that treat them poorly. The biggest "competitive advantage" is giving a shit about the people that buy what your company produces. Isn't the extent to which security problems cause customers to not get what they pay for (directly or indirectly) or causes them to be mistreated (directly or indirectly) the extent to which they're problems at all?

A company dies unless they receive money from people in return for the things they create or do, therefore everything a company does must center around those people (customers). Maybe the best way to justify having (or increasing) security operations at a company to the people that 'run' the company is by asking how security operations helps get the customers what they pay for and treats them well?

Frame it around people; wallets and checkbooks don't make decisions.

Anonymous said...

Fear is always the motivator in business. But, nice packaging.

Colin Watson said...

The three example dialogues are an excellent way of discussing alternative approaches.

In a recent report from the UK Information Commissioner's Office, four alternative aspects of personal data value were presented:

- its value as an asset used within the organisation's operations;
- its value to the individual to whom it relates;
- its value to other parties who might want to use the information, whether for legitimate or improper purposes;
- its societal value as interpreted by regulators and other groups.

These values, and the related benefits, can be useful in building business cases for CXOs. The report is:

The Privacy Dividend, March 2010, ICO

(I am a joint author of the report)

Anonymous said...

I totally buy this position on security as competitive advantage when you're combatting espionage from your competitors.

Unfortunately, in any other case I really think it gets too close to the nasty "business enablement" argument.

I really think business in general is more like what zqyves said: avoiding competitive disadvantage.

Will security make money? Not unless that is your industry.

Will security give you an advantageous position over your competitors? Perhaps from the org's perspective (ala I just have to outrun you, not the bear), but I would suspect most customers will respond more strongly to security breaches than they would in a positive manner to good security. In other words, will your security make me choose you, or will your breaches make me move away from you? Which really just gets back to risk.

This almost feels like hijacking a term executives use just so we can be talking in their terms. But we haven't really brought anything new.

Actually, wouldn't this discussion at some point cause an exec to ask, "Well, why don't we go on the offensive and attack and perform espionage on our competitors? Now *that* could be a competitive advantage!"

-LonerVamp

dagerm89 said...

Consider this a thank you for keeping this blog up!

Here's cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Wood article you were looking at from 1991 :)

http://www.yousendit.com/download/bFFPT204NnkwVW52Wmc9PQ

Unknown said...

What about cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 infosec maturity level approach?
Maturity Level can demonstrate process efficiency, level of automation, visibility and reachability in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 company environment, control efficiency.
In cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 boss to sec guy talk we will be able to show cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 target level we want to achieve, which risks it can mitigate and for residual risks: how prepared cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 company is to respond to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m.
Thoughts Richard?

LowLatency said...

Sweet, delicious Irony. I just read this post after sending an email to a client's "Security Officer" (SO, not CSO) justifying my sense of urgency in implementing a password policy. Currently the client's password policies are weak enough to represent almost no obstacle to even unsophisticated attackers, let alone APT. I went with competitive advantage as my justification. I also used the argument that National Security is a competitive advantage, as the client works with technologies that are targeted by both commercial and governmental entities.