ROI: How Security Can Augment New Products and Services

Rob Preston of InformationWeek writes in Down To Business: It’s Past Time To Elevate The Infosec Conversation:

More than 80% of the IT, security, and business executives RSA recently surveyed with IDC “admit that their organizations have shied away from business innovation opportunities because of information security concerns,” Coviello told the RSA audience. The main challenge: Move the internal conversation about security away from fear mongering and worst-case scenarios toward how security can augment new products and services. Or at least don’t get in the way. It’s tantamount to the security pro’s Hippocratic oath: First, do no harm. (emphasis mine)

Virtual Trust describes how this augmenting is possible and demonstrates that security is not always a cost center. Our paper has support from the founder of information security economics Dr. Larry Gordon (bio), Former Watchfire CTO (now IBM) Michael Weider and unofficial support from Microsoft.

In our paper we describe the following:

  1. How information security may be used to create cash flow and new products via Virtual Trust
  2. How information security may be used to cut costs via Virtual Trust
  3. Why Virtual Trust is fully compatible with insurance and risk based approaches to security
  4. Real world examples of Virtual Trust that are currently functioning

Our paper was not without its share of critics. Since it was published in 2006, we believe the concepts it describes were such an early treatment of infosec business concepts that the security community, which has long held the "security as attacker" mindset, was not ready for a change in perspective. One may say that this paper still represents the bleeding edge of infosec business theory.

As the information security field matures into one that seeks to demonstrate direct business value, we believe the core ideas outlined in our paper are central to this conversation. Today, our field has matured from a strictly defensive position to incorporate a risk-based approach. We believe that the next step will be to incorporate a business paradigm that demonstrates a higher value than a purely risk-based approach affords. The concepts behind Virtual Trust are the foundation for that move from risk management to demonstrating positive ROI from security.

Our motivation for announcing our paper again today is that it is extremely relevant. Whether in InformationWeek, at RSA or on Ars Technica, we find our concepts being discussed over and over, without the benefit of the framework our paper provides for making those details concrete.

WARNING: This paper is the grounding and framework for some very substantial ideas so be forewarned: it’s a lengthy paper!

As always, all comments welcome.

One Comment

  1. B. McAninch May 15, 2008 at 4:33 pm

    The Sherwood Applied Business Security Architecture (SABSA) makes a very similar contention: that trust is the foundation for all business relationships and it is there where one can best demonstrate security’s value to the business.

    SABSA is business-driven and was developed in 1995; sadly it has taken 13 years for it to be finally recognized in the U.S. as a viable alternative to the old way of thinking about security.

    To learn more, visit
