
Re: [Full-disclosure] Could InfoSec be Worse than Death?

Subject: Re: [Full-disclosure] Could InfoSec be Worse than Death?
Date: Mon, 25 Sep 2006 15:43:57 -0400
On 9/25/06, Paul Schmehl <pauls@utdallas.edu> wrote:
> I understand that, but I think your trust model is merely a euphemism for
> loss avoidance.  And I don't see how you can avoid being seen as loss
> avoidance - unless you can show the ability to generate revenue.

(My full disclosure for the day: I didn't read the whole whitepaper,
or even most of it.)

I'd actually break down the business case for security technology a
little bit further.  As I see it, there are three different business
cases:

- risk-based loss avoidance: if we don't buy it, we might get hacked,
or a hack might do more damage.  (This seems to be the business
rationale for IPS/IDS.)

- certainty-based loss avoidance: our existing solution is wasteful
and forces us to spend X dollars per year.  If we spend the cash now
to put together a better solution, we'll save money in the long run.
(This is a common business rationale for identity management
solutions.)

- business enablers: if we invest in this new solution, we can do
something we couldn't do before that will make us money.  A VPN that
lets employees work directly from a customer site can make people more
productive.  DRM can let us sell digital music without worrying about
piracy.  SSL can let us process credit card purchases made via a
browser.  Pay-per-sale ads will encourage people to advertise on the
web without worrying about click-fraud.

Some of those business enablers have more than a passing resemblance
to risk-based loss avoidance (e.g. you use SSL because you are scared
someone might be listening if you use clear-text).  The main
difference I see is that with a business-enabling technology the
revenue generation is tangible.

Regards,
Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
