Security Is Not Refrigeration

Analogies are not the best way to make an argument, but they help when debating abstract concepts like "virtual trust".

Consider the refrigerated train car at left. Refrigeration is definitely a "business enabler." Without refrigeration, food producers on the west coast couldn't sell their goods to consumers on the east coast. Refrigeration opened new markets and keeps them open.

However, refrigeration is not the business. Refrigeration is a means to an end -- namely selling food to hungry people. Refrigeration does not generate value; growing and selling food does. (Refrigeration is only the business for those that sell refrigerated train cars and supporting devices.)

You might think "security" is like refrigeration. Like refrigeration, security could be said to "enable" business. Like refrigeration, security does not generate value; selling a product or service through a "secure" channel does.

So why is "security" really not refrigeration? The enemy of refrigeration is heat. Heat is an aspect of nature. Heat is not intelligent. Heat does not adapt to overcome the refrigeration technology deployed against it. Heat does not choose its targets. One cannot deter or jail or kill heat.

The enemy of "security" is the intruder. The intruder is a threat, meaning a party with the capabilities and intentions to exploit a vulnerability in an asset. Threats are intelligent, they adapt, they persist, they choose, and they react to their environment. In fact, an environment which on Monday seems perfectly "secure" can be absolutely compromised on Wednesday by the release of an exploit in response to Tuesday's Microsoft vulnerability announcements.

Returning to the idea of "enablement" -- honestly, who cares? I'll name some other functions that enable business -- lawyers, human resources, facility staff. The bottom line is that "virtual trust" is an attempt to "align" (great CISO term) security with "business objectives," just as IT is trying to "align" with business objectives. The reason "IT alignment" has a chance to succeed in creating real business value is that IT is becoming, in itself, a vendor of goods and services. Unless a business is actually selling security -- like a MSSP -- security does not generate value.

Why is anyone even bothering to debate this? The answer is money. If your work is viewed as a "cost center," the ultimate goal is to remove your budget and fire you. If you're seen as an "enabler," you're at least seen as being relevant. If you can spin "enablement" into "revenue generation," that's even better! Spend $X on security and get $Y in return on investment! Unfortunately that is not possible.

Finally, I don't think anyone would consider me "anti-security." I'm not arguing that security is irrelevant. In fact, without security a business can be absolutely destroyed. However, you won't find me saying that security makes anyone money. Some argue that spending money on security prevents greater loss down the line, perhaps by containing an intrusion before it avalanches into an immense compromise. That's still loss prevention. Of course security "enables" business, but enablement doesn't generate revenue; it supports a revenue-generating product or service.

This is probably my last word on this in a while. I need to turn back to my own business!