« The business view of information security | Main | What about risk? »

The business view of information security, part 2

I wrote about information security as cost control mechanism in an earlier post. This post looks at using information security as a way to add value to the business.

Adding Value

Your customers and business partners want assurance that you are keeping the information and services that they've entrusted into your care safe from unauthorized access. In an environment of identity theft and stolen data, this assurance is valuable. All other things being equal, the business providing the better assurance is more likely to get the customer.

To capture this value, the information security team is going to have to go after polish. The base activities will likely be the same--the team is still out to prevent and detect unauthorized access--but now those activities will have to be refined and honed to a point where they are presentable.

The type of polish depends on the business. For some, white papers describing security features and vetting procedures will be appropriate. For others, tours of security operation centers and meetings that include information security folks will work better. An especially effective approach is to demonstrate thought leadership in security relevant to your business. Microsoft is doing an excellent job in this area. The goal is to polish your security processes until they shine, and then present them to your customers so that they can admire that shine.

Of course, you should not make promises you can not keep or claim security processes that you don't actually follow. The FTC is watching for these sorts of misleading statements and has successfully pursued legal action in several cases.

The decision to pursue a value-add approach needs to be carefully considered. Every dollar you spend on polishing your security beyond the point where it is acceptably functional is a dollar that could've been spent on something else. Will a dollar's worth of polish capture an additional dollar in sales or prevent a dollar from going to a competitor?

Each business will need to determine how sensitive their customers and partners are to security gradations. My suspicion is that initially a little goes a long way, but you soon reach a point where additional effort at security polish does not lead to appreciable increases in feelings of assurance.

Extracting value from an information security program is still fairly new and unproven, but more and more customers and partners are looking for assurance. I've seen plenty of contracts where security requirements have been explicitly baked into the agreement. Many regulations require that organizations ensure that their vendors provide appropriate security. The writing seems to be on the wall--we'll see if it fades or becomes bolder.

Kevin Kenan on January 21, 2008 in Building a Security Program |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d83420496153ef00e54ffb8b5e8834

Listed below are links to weblogs that reference The business view of information security, part 2:

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

About

  • A blog by Kevin Kenan about technology, security, and the ancient craft of programming.

    You might also be interested in checking out TeXTARIUM, where I chat about fiction, music, and the pursuit of the perfect shot of espresso.

My Book

  • Cryptography in the Database: The Last Line of Defense

    My book on using cryptography to protect information stored in a database. Published by Addison-Wesley and Symantec Press. Read more at the book's site. The source code is available for download.

Categories

Dedication

  • My grandfather had a wonderful shop in his basement. To me, it was a place of mystery and fascination, and I would spend hours wandering through it, looking at all the tools and projects in various states of completion. Not being much of a wood worker, I've never had the need for such a shop (not to mention that I lack a basement), but recently it occurs to me that my gear, computers, and software are my shop. This site is for my late grandfather and everyone else who takes personal pride in carefully executed work.
Subscribe to this blog's feed