In the past several months, it has become painfully clear that C-level executives are getting tired of buying information security for its own sake.
There has been a great deal of speculation about the market, and why - in a time of increased threats to national security - infosec spending is declining.
The explanations are numerous, but many miss the obvious point - IT is rarely in the mission statement of any organization. The demise of the capital investment-fed dot-com boom has reinforced this point. Companies are in business to make money, and having IT as a core competency fails to make up for a lack of customers.
If information technology is a cost center, then what does that make information security? From an enterprise business perspective, spending money on information security - while incredibly important - is akin to buying health insurance on a parasite. The ultimate boundary for information security is the true value of any insurance policy. As IT professionals, we may feel otherwise, but IT has a finite value to a company, and their willingness to insure their IT infrastructures is a business decision, not a technical one.
Infosec is insurance
Most of us understand insurance pretty well. We invest in insurance premiums as a way to avoid excessive financial loss when expected and likely events happen: floods, fires, automobile accidents and so forth.
As an industry, we have become skilled insurance salespeople. We talk about loss value and loss probability, and we express concepts like 'expected value.' We build models of risk and expectation to express the reasons why companies should buy security products. We tell them, "you can never have too much insurance."
Insurance for what?
Evidently, enterprise managers don't agree. Information security is a form of insurance to prevent loss or corruption of corporate data and information technologies. As IT professionals, we tend to value information technologies to a far greater extent than enterprise line-of-business managers for whom IT is a means to an end.
Our models show these enterprise managers how much money they would lose if they lost the data relevant to a day's worth of transactions. The mistake we have made is in telling them what that data is worth, in large part because we cannot guarantee that our information security technologies will prevent any loss.
In other words, we're selling insurance (information security) on an asset (information technology) that we tend to value more highly than enterprise managers. Further, we're using a prophylactic all-or-nothing approach that really isn't foolproof.
The true limits
If we think like a business manager, we're clearly willing to buy insurance on a valuable asset like information technology, but the real question is to what degree. Is one percent of the asset value per year too little? Or is it too much?
Corporations exist to mitigate the risk of being in business and to shelter business owners from liability. Understanding this, there are limits to the value of insurance itself, and corporate managers are unwilling to insure their companies more than they have to. Bankruptcy is always an alternative.
I have seen some pretty absurd risk models recently. These models discuss expected loss values in excess of the book value of a company. Working with models like these, we're collectively telling enterprise business managers that at any random point in time, they could experience a loss that would force their company into receivership.
The problem with this is that no companies are actually going out of business because of breaches in information security. Of greater concern to many managers is the poor performance of the stock market and the recent accounting scandals that have cost companies billions of dollars in market capitalization.
Alternative forms of insurance
As a form of insurance for information technology, information security faces tough competition. One alternative is self-insurance. Suppose that we don't secure an IT infrastructure at all but that we hold a certain amount of money to cover the potential losses. Many corporations self-insure other assets, so why would IT be any different?
Third-party insurance is another alternative. If we can assign a probability and a financial value to a loss, then we can buy insurance to cover that loss. We do it for cars and homes and our health, so why not IT?
Outsourcers effectively provide a form of insurance. In addition to assuming liability for a certain level of loss, using an outsourcer helps to distribute the risk to a party that has a lower probability of experiencing such a loss.
The soft market for information security is directly related to the weak market for information technologies, and it is not an indictment of any specific security technology. As an industry, we've created a problem by articulating infosec as a form of insurance.
There may be no other way to sell information security, but by saying that infosec is insurance we're asking enterprise business managers to make hard decisions about the value of their IT infrastructure. Information security isn't the only solution. The result is that many companies are protecting themselves from the obvious IT risks and are using a variety of insurance approaches to cover more significant losses.
Dan Taylor founded Giotto Perspectives in 1998 to provide clear, concise research and analysis in the networking and managed IP services marketplaces (www.giotto.nu).