A random, innocent tweet by Gunnar Peterson (@oneraindrop) got me emoting about whether or not Information Security should be
viewed/pitched as a business enabler.
This is the tweet that got me going:
And I disagree(d).
At that point my friend Ken (@kenotic) got involved and said that the oven mitt WAS an enabler because without it
you’d hurt yourself and not be able to cook. He essentially argued that
security is necessary for business, and it enables business to take place,
so it (by definition) IS a business enabler. That’s hard to argue from a
technical standpoint; I mean the word is right there in the definition.
My problem with that approach is that it widens the definition so much as to
make it useless. If a word means everything then it means nothing. And if
everything a company does, including having fire extinguishers and a parking
lot, is going to be called a “business enabler”, then there’s no point in
pitching infosec as one as well.
But let’s not get too caught up with definitions. Business “enabler” might
mean different things to different people, and I agree that it CAN mean
everything including free coffee and hand sanitizer. But that’s not what
matters. What matters is what it means to those we’re selling it to, i.e.
the business. So if you say to a business person, in an attempt to promote
information security, that information security “enables” business, I think
you should have a more direct link in your claim than one to general
supporting infrastructure.
And that’s where Gunnar added to the conversation again with a simple yet
powerful quote:
The beauty of the brakes-to-speed analogy is that it transfers nicely to
business. So a company could be agile in that they are able to forge new
partnerships quickly (speed), but they could be bad at securing their assets
when doing so (no brakes), which makes them more likely to crash. As a
result, the business will be less likely to move quickly (speed/agility)
because they don’t have the brakes (security) to do so safely.
I’ve always liked this analogy, and I’ve used it before when flirting with
the whole concept of “business enabling” and “security ROI” in the past. But
I no longer believe in such things.
The reason this analogy fails is that it is looking at the speed of the car
WITHOUT brakes as a comparison to the speed of the car WITH brakes. This is
wrong. The speed of the car is the speed WITH brakes, and improvements to
the brakes are improvements to the car. The car as a whole is all that
matters. It’s infrastructure. It’s plumbing.
In a CEO’s big picture, there’s no difference between a web application
firewall and a fire alarm and sprinkler system. Ultimately they both reduce
to one thing: an operating expense. I think IT in general
can be an enabler, say through a new VPN system that lets a CEO
quickly spin up a workforce, but even then it’s not likely to be perceived,
by the business, as the same type of “enabler” as an ad campaign, for
example.
I have more to say on this, but the ideas are still brewing. I’d love to
hear thoughts in the interim.