IT security is a complicated issue. However, the focus on what security can do, what it can’t do, and how it is perceived is ordinarily narrow. Generally, managers deal with security in silos: when a threat exists or appears, the manager’s answer is to deploy a product as a defensive response, or to add a security policy or procedure to mitigate the threat. From an IT perspective, this approach works just fine for dealing with a specific threat, but from a business perspective, it may not provide value to the enterprise.
From a business perspective, security is considered a cost, with the only benefit being that money, or more likely an intangible asset, is saved by preventing a security breach or by meeting some compliance requirement. In the case of meeting compliance requirements, security is still considered a cost, and one you simply try to minimize, as you do with insurance, electricity or rent. However, security costs should be considered a positive for an enterprise: security should enable an enterprise to run a function or service that would not otherwise be possible because of security concerns. Indeed, there is another way to look at IT security that hasn’t been given much thought in the past. IDC, the market intelligence and advisory provider, suggests that security should be approached as a business benefit to the enterprise in competitive environments.
The point is that security can provide a business with competitive advantages: security allows you to be better than your business competitors. If you and your competitors must meet certain security standards, such as PCI, and your business can do so more efficiently than the competition, it gains a competitive advantage.
Another competitor that an enterprise might not be aware of is an attacker searching for its data. Attackers want to steal your money, your proprietary data, or protected information (e.g. credit card numbers). They are competing for these assets, which you want to protect from disclosure, just as you protect your business-specific information. Attackers may also want your resources, secretly using your servers, email systems or storage. The reason attackers have become competitors to businesses is that they are no longer independent hackers working alone. Rather, they are business entities motivated by profit. An attacker ecosystem has been established that has divisions of labor and many elements that are run as a business. This “hacker economy” has the same goal as all businesses – to maximize profits.
IDC believes one reason the attacker ecosystem works is that the security industry perceives hackers as inherently “bad” or “evil.” The security industry should move beyond this idea, because it makes the security challenge much more difficult. There is no discounting that there are still some people out there who are motivated by malice, but they are becoming rare. Because many people still think of attackers this way, they give them much more power than they deserve.
No matter how many systems you put in place, you are not going to deter evil people. They are going to continue to assault vulnerable targets and cause havoc. However, if you think of the attacker as just another businessman (although an immoral one), you can create a deterrent that is based on risk management, cost versus reward and other business concepts. Against an evil hacker, you need to put up as many defenses as possible. Against a competitive attacker, by contrast, you need to implement best practices with a logical security posture that makes the cost of the attack greater than the value of its results.
When security is considered a competitive endeavor, it’s possible to make logical, proactive decisions rather than merely reacting. It’s time for enterprises and security professionals to take on this challenge and use security to provide competitive advantages against all types of competitors. The current economic environment is the perfect opportunity to stop looking for the boogeyman and instead look for a competitor.