Posted by:
admin
15 years, 3 months ago
Today I read a blog at NCircle (found via the prolific Adam Shostack) about security as a business enabler. It's an interesting post, but to me it shows that information security people often fail to understand how value it created.
The real goal for Infosec needs to be to show business how we do (at least) one of the following two things:
- Create revenue
- Reduce costs
This can't be through sheer loss-reduction. If it is, the "it'll never happen to me" school of thought will always have a way out of making systems more secure.
I have started this blog discussing how companies create value:
- increase revenue (faster than costs or investment)
- decrease costs (faster than revenues or investmest)
- reduce their weighted average cost of capital
Information security investments can contribute to any of these categories, but mostly they fall in the last.
Let me use my favorite example: You are implementing a VPN for remote access. The projected cost savings/productivity enhancements are $100,000 per year (forever - keep it simple). Without strong authentication, the cost of capital for the project is 20% giving the project a value of $500,000.
If you wanted to do strong authentication, how could you justify it? It would reduce the cost savings! I can't take that to my CFO! Ah, but you can. Adding strong authentication reduces the risk of the project, reducing the cost of capital! Say two-factor authentication reduces the savings by $40,000 - ouch - but it cuts the risks in half. $60,000/10% = $600,000! You have just created $100,000 in added value for your company. Ask for a raise (or better - get stock options because you work for a company that understands how value is created!
If it's just about disaster avoidance and recovery, there's always going to be a reason to spend less money on it in difficult times.
Well, that may always be true. The point to make would be "hey, you know that doing this will increase the cost of capital, right?" The problem is that companies don't realize the risks that they are taking, that risks have increased or that they are increasing their cost of capital. Though we are seeing companies interested in switching to WiKID because WiKID is less expensive than SecurID, I fear more companies just stick with passwords. They take on what is an increasing risk (because attackers get better all the time) without thinking about its impact on the cost of capital.
Share on Twitter Share on FacebookRecent Posts
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
- WiKID Android tokens had their data deleted over the weekend by Google Chrome bug
Archive
2024
- January (1)
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)