On Twitter, Paul Vincent (@cybersecurer), one of the very few IT Security people I know who can claim their title isn’t Business Prevention Officer, asks this:
[quote]@bankervision If information scarcity is no longer competitive advantage, do the infosec requirements change? I think so #sidestepandtwist[/quote]
Paul is referring, I think, to something I said in the book, namely:
[quote]It is not too difficult to imagine the equilibrium price of information is tending towards zero, if it is not there already.
If one has an expectation that the price of an information resource will be nothing, competitive barriers which artificially move pricing upwards cause buyers to find alternatives.[/quote]
In the book, I go on to argue that since customers and competitors always seem to find ways to get around patents, copyrights and trade secrets (look at the patent wars going on right now in the mobile space, for example), there is little remaining competitive advantage in trying to control intellectual property.
This is the basis of the twist, of course: you should focus on getting competitive advantage by having the most users, and especially in the case where each user incrementally improves the overall value proposition of the product.
But back to Paul’s point.
To be honest, it is something I hadn’t thought about before his tweet, but now that I have, there are clearly some ramifications for IT security.
But not as many as you might think. Firstly, if the point of IT security is to preserve the privacy and security of individual customers and their relationships with a supplier (and each other of course), then, in a Sidestep and Twist world, security becomes one of the most important disciplines there is. You’re hardly going to have the most customers (the basis of a Twist competitive strategy) if you’re not trusted in the first place.
Recent semi-scandals, such as the one Path and others are presently embroiled in (they were uploading people’s address books without permission), would probably not have happened if those organisations had been advised properly by their information security people.
On the other hand, if the intent of IT security is to preserve corporate intellectual property and trade secrets, then investing significantly to keep competitors out is something of a losing strategy.
In Sidestep and Twist, I recount the story of Open Cola, a Coca Cola clone, where principles of open source development were used to reverse engineer the most famous trade secret of all time. There was really nothing that the Coke company could have done about it, had they tried.
And there are countless other examples of situations where spending millions to preserve some unique way of creating or making has come to naught in our connected new world. Napster and record companies, for example. Open source clones of Microsoft Office, and the list goes on and on.
So in answer to Paul’s question, my view is this: for companies implementing Sidestep and Twist, the role of IT security is protection of customers, not protection of corporates. I am not certain if that is a reversal of the way IT security people think about their roles, or not.
What do you think?