Another post has popped up, this time from The Hoff. I think the general consensus is that you will probably disagree with him at some stage, but you have to read his blogs.
Anyhow, he posted a question someone asked him at a conference he was attending:
Why can't you InfoSec folks quite simply come to your constituent customers -- the business -- and tell them that your efforts will make me x% more or less profitable?
My answer to this is the following: Please correct me if I am wrong because I am probably very biased.
A modern business is essentially a group of people who know how to do something. A doctor is a person who knows how to cure people. He has studied and has certificates and such, but at the end of the day, if he loses his memory, he is no longer able to cure people and is not worth very much.
A little larger: a company that makes car tyres. There are people who handle the books of the business, manage the company's investments, manage the money, etc. There are engineers who design the tyres and make them as well as possible. There are sales reps who sell the tyres as well as possible. The real value of the business is not the tyres and buildings and such; it is the information that the people know. Some of it is in their heads, some of it is in databases, and some of it is just a culture. But take all of that information away and you have a bunch of useless people hanging about and some desks.
Business today is quick. A company can close down in a few months and a new one can be built up in days. It is relatively simple to get capital. It is fairly easy to get premises, phones, cars, etc. It is not easy to get staff who know what they are doing. That is where the real value of a business is.
So, essentially a business relies on its information to stay alive and to grow. If you lose information, a part of the business is lost.
Steve Ballmer knew this when he lost Mark Lucovsky to Google: he was losing some of Microsoft.
The American Government knows this which is why there is legislation making sure companies protect their systems. Information loss is business loss.
So, the answer to the question is: how much is your entire business worth? Take away the net value of the desks and coffee machines, and that is how much information security is protecting. HR is involved in protecting the information inside the heads of the staff, so you may want to subtract that.
Everyone in the organisation is either creating information (the CEO, accountants, etc.) or using information to build products or perform services (think craftspeople, packers, factory workers). Only Information Security is tasked with making sure that the information is available and stays inside the company.
Where is most of the information contained? What is most at risk? That is not so easy to answer, but it is important to us doing our jobs. Should the business be concerned? I'm not sure; I don't think so. Should infosec be required to cough up figures so that we can do our jobs? I really don't think so.
But I could be wrong. What do you think?