You can’t go far in the security profession these days without hearing about it. From the meeting rooms of security conventions to almost every issue of the popular magazines; it is everywhere. Do a google search for “security as a business enabler” and see for yourself.

Note how many results in the top ten are large consulting companies or security vendors

Apparently, the security community is being told that this is the way to demonstrate it’s true value to the business. In our opinion, this idea is nothing more than the “concept de jour.” We feel that in order for a function to be a “business enabler” it should directly contribute to the revenue stream of that business, not indirectly participate as part of the total business. Therefore, in order for security to fit into that definition, it would require the product that is sold to be security-centric or the use of security as a competitive differentiator for the product line. Organizations that fall into these buckets are definitely in the minority as far as we are concerned.

Additionally, given our definition above, if security is considered a business enabler then every function within an organization is a business enabler; security just seems the most recent to want to profess it.   Let’s not fool ourselves, security is no more a business enabler than for example, custodial services. In fact, an argument could be made that custodial services is more enabling than security if you consider a healthy, clean work environment a productivity issue.  We do believe in understanding the business, but enabling it is something quite different to us.So where did this concept come from then?  In our opinion, it was created as a sales tool by both security product vendors, large consultancies, security research firms, and the large security magazines.  It is designed to feed the undying need to provide security with a tangible evidence of it’s importance. It is analogous to asking for an ROI on an insurance policy. How many of you have asked your auto insurance representative for ROI on your policy? This whole argument is nothing more than a way to sell security and it’s services, and as far as we can tell, we are all eating it up!

So where did this concept come from then?  In our opinion, it was created as a sales tool by both security product vendors, large consultancies, security research firms, and the large security magazines.  It is designed to feed the undying need to provide security with a tangible evidence of it’s importance. It is analogous to asking for an ROI on an insurance policy. How many of you have asked your auto insurance representative for ROI on your policy? This whole argument is nothing more than a way to sell security and it’s services, and as far as we can tell, we are all eating it up!