Kenneth F. Belva

A Clarification For Shostack

In response to “Security Advantage: I don’t buy it”: while it’s true that Dr. Gordon wrote that an organization which can “distinguish itself as having much better information security than its competitors” may well derive a “competitive advantage,” that was not the intent of the post.

In “Dr. Gordon: Information Security can have a positive return,” I asked the reader not to judge until the end of the correspondence. The intent of the post was to ask whether we can understand information security mechanisms as business enablers, from an economic perspective, rather than viewing information security only as “loss prevention.” This would lend support to the Virtual Trust paper published in 2006.

Although the Virtual Trust paper does not discuss deriving competitive advantage by distinguishing one’s information security program from another’s in the public eye, I separately published an excerpt from a draft of the VT paper that addresses this point.

That said, due to the Visa media campaign, I am now moving from a hard-line perspective into neutral territory. I cannot spell out why in a sound bite, other than to say that it seems to me that the more the public becomes familiar with information security through mainstream media, the more relevant the differentiator will become.

The question raised by Adam, “How can a potential customer make a decision about security?” is, and will remain, valid. I agree with him that current marketing material is not sufficient to accurately assess a business’s security posture. If there is more transparency, I’m sure the tag line “past performance is not an indication of future results” will be applied to corporate information security practice disclosures.

One Comment

  1. Adam, Aug 27, 2007 at 7:37 pm

    So firstly, I would love it if security was really an enabler of business.

    That said, I don’t think your examples actually show enablement. Your examples were technology-focused, not business focused.

    What business has succeeded where others have failed because they added more information security to the mix? The only one I can think of is the iTunes music store, but I can make a case that ITMS worked despite DRM, not because of it.
