Protecting Customers not Corporates

On Twitter, Paul Vincent (@cybersecurer), one of the very few IT Security people I know who can claim their title isn’t Business Prevention Officer, asks this:

“@bankervision If information scarcity is no longer competitive advantage, do the infosec requirements change? I think so #sidestepandtwist”

Paul is referring, I think, to something I said in the book, namely:

“It is not too difficult to imagine the equilibrium price of information is tending towards zero, if it is not there already.

If one has an expectation that the price of an information resource will be nothing, competitive barriers which artificially move pricing upwards cause buyers to find alternatives.”

In the book, I go on to argue that since customers and competitors always seem to find ways to get around patents, copyrights and trade secrets (look at the patent wars going on right now in the mobile space, for example), there is little remaining competitive advantage in trying to control intellectual property.

This is the basis of the twist, of course: you should focus on getting competitive advantage by having the most users, and especially in the case where each user incrementally improves the overall value proposition of the product.

But back to Paul’s point.

To be honest, it is something I hadn’t thought about before his tweet, but now I have, there are clearly some ramifications for IT security.

But not as many as you might think. Firstly, if the point of IT security is to preserve the privacy and security of individual customers and their relationships with a supplier (and each other, of course), then, in a Sidestep and Twist world, security becomes one of the most important disciplines there is. You’re hardly going to have the most customers (the basis of a Twist competitive strategy) if you’re not trusted in the first place.

Recent semi-scandals, such as the one Path and others are presently embroiled in (they were uploading people’s address books without permission) would probably not have happened if those organisations had been advised properly by their information security people.

On the other hand, if the intent of IT security is to preserve corporate intellectual property and trade secrets, then investing significantly to keep competitors out is something of a losing strategy.

In Sidestep and Twist, I recount the story of Open Cola, a Coca Cola clone, where principles of open source development were used to reverse engineer the most famous trade secret of all time. There was nothing really that the Coke company could have done about it, had they tried.

And there are countless other examples of situations where spending millions to preserve some unique way of creating or making has come to naught in our connected new world. Napster and the record companies, for example. Open source clones of Microsoft Office, and the list goes on and on.

So in answer to Paul’s question, my view is this: for companies implementing Sidestep and Twist, the role of IT security is protection of customers, not protection of corporates. I am not certain whether that is a reversal of the way IT security people think about their roles, or not.

What do you think?

4 Responses to “Protecting Customers not Corporates”

  1. February 9, 2012 at 8:02 pm

    To expand on the tweet I sent you; I wouldn’t go so far as to say that I don’t agree with you, I think you’re missing the point. You talk as though an IT security department is some autonomous part of the company that does whatever it wants to do no matter what the consequences are and that’s just not the case.

    A company’s IT security department is beholden to at least the CEO of the company (or whoever is ultimately in charge) if no-one else and does what they are told. Their job is to look after the corporate interest and most companies have assets that they want secured. Either money, trade secrets, customer details, the controls of nuclear power stations etc. CEOs, shareholders and customers tend to think that the security of these things is important.

    The CEO may well ask the IT Security department to look at the protection of customers as well and if so, then that’s also their job but it’s a rare/brave CEO who has no concern for company assets. Mind you, if it’s that kind of company, then the people doing the computer based customer facing work of the company (writing websites, programming etc) need to be trained in security techniques anyway. Writing secure code is hard; if you’re a bank then you need to make sure that the people writing your website know how to do it properly. The IT security team are probably not the right people.

    If the CEO thinks that the security team are being “Business Prevention Officers” then s/he has the power to tell them to stop or get rid of them and replace them with people who will do the job he wants them to do.

    Regarding your example with Path, frankly I don’t think it’s the job of the IT security team to advise away from that either. It’s the job of anyone in the company with a sense of morality to advise against that type of move. If the only people in the company with that sense of morality are the security folk then that’s a sad indictment.

    David

    PS. napster vs record companies: I agree that record companies need to review their business model but I’m pretty sure napster got gutted didn’t it? I don’t think we can say they won.
    MS Office vs OpenOffice: well, OOo is fine enough for individual use, but many organisations think that MS Office is a better organisational solution with much better integration into a broad suite of other tools. Certainly it brings MS over $18 billion dollars a year. I’m not sure that’s come to naught…

    • February 10, 2012 at 4:56 am

      David,

      Nice to hear from you.

      “you talk as if the IT Security department… does what it wants no matter the consequences”

      I have to admit, that has been my experience on more than one occasion. ‘Tis a rare security professional who will tell you *how* to get something done, rather than inform you why something can’t be done.

      “IT Security is beholden to at least the CEO”.

      Who may or may not have very much idea about security. If the latter, they will naturally take the advice of security people. Unfortunately, that often leads to a situation where security is actually beholden to no one and can do whatever it thinks is in the best interests of the organisation.

      The problem here is that a security view of the world is very rarely one that allows anyone else to get much done. Security professionals are doing their jobs when they try to stop change. The business has to have change if it is to move forward. The trick is getting a balance between the two.

      “Most companies have assets they want secured”

      Yes, but the point of my post was these assets are increasingly not the kinds of crown jewels that everyone used to think about. That’s actually the whole argument of my new book. Granted, the controls of a nuclear reactor are quite a different matter.

      “The CEO may ask IT security to look after the protection of customers as well…”

      I am sure you haven’t just implied that you think IT security people don’t look after customer interests as their first responsibility. Surely the point of any organisation is ultimately to serve the constituents who buy from it, and therefore, everyone’s job ought to be seen through that particular lens?

      “if the only people in the company with that sense of morality are the security folk then that’s a sad indictment”.

      Indeed, but it isn’t really a moral question. It’s a question of working out what serves the best customer interest whilst balancing customer protection with that. Who better to advise on such a subject than those experts who are supposed to be thinking about issues like this every day?

      “napster vs. record companies”.

      Napster was bankrupted, but the model it pioneered has largely destroyed the current business model for recording companies, and P2P remains the biggest threat they’ve ever (not) dealt with.

      “MS Office vs Open Office”

      The point is MS have spent billions trying to outfeature Open Source and though they have the best and brightest brains they have not dealt it a death blow by any means. Since that’s the case, can it really be the case that competitive advantage can be considered to be derived from any intellectual assets they have? Probably not. On the other hand, the reason both Windows and Office have the position they do is they have more users than anyone else.

      Thanks again for your comment.

  2. David Haworth
    February 13, 2012 at 4:29 pm

    “‘Tis a rare security professional who will tell you *how* to get something done, rather than inform you why something can’t be done.”

    It’s not always their responsibility to do so and I think to insist that someone can only hold up a red flag if they have an alternate solution means that a great number of problems will never get reported. Sometimes a security guy may be able to offer good alternate solutions and a good professional will do so. Sometimes they’ve no idea what the solution is but they can see a big problem and want to point it out. What the senior management of an organisation do with that is up to them. They may decide to go right ahead and ignore that report, that’s their right but if it turns round and bites them then it’s also their responsibility.

    “Who may or may not have very much idea about security. If the latter, they will naturally take the advice of security people. Unfortunately, that often leads to a situation where security is actually beholden to no one and can do whatever it thinks is in the best interests of the organisation.”

    Then that is primarily the fault of the CEO; he’s not running his company properly. It’s his job to take advice from all his areas and take appropriate decisions based on all the risks at hand. If he feels that he doesn’t know very much about security (and few CEOs do) then it’s the job of his CISO or CIO or whoever to explain those issues to him and if they won’t or can’t then the CEO should go and get someone who will. If he feels that the security posture of the organisation is a problem and is holding the organisation back, then he has the power to change it. I would hope he would only do so after due consideration and understanding of the risks and issues involved but really, it’s up to him.

    “The problem here is that a security view of the world is very rarely one that allows anyone else to get much done. Security professionals are doing their jobs when they try to stop change. The business has to have change if it is to move forward. The trick is getting a balance between the two.”

    Not at all. Security professionals are not about stopping change, they’re about trying to get it done properly. It is, alas, a sad fact that many (but not all) of the interesting and innovative products out there are terribly badly programmed and insecure. The security professional is seeking to point this out. It’s rare that security have an absolute veto over decisions. I certainly never have, thus it’s down to a senior officer to take a balanced decision between the advantage of doing this thing and the risk if it goes wrong.

    “I am sure you haven’t just implied that you think IT security people don’t look after customer interests as their first responsibility. Surely the point of any organisation is ultimately to serve the constituents who buy from it, and therefore, everyone’s job ought to be seen through that particular lens?”

    That’s like saying that the janitor should be looking after customer interests one clean toilet at a time. It’s the company’s responsibility as a whole to look after their customers’ interests (and even then some companies don’t seem to understand that) but how they discharge that through their staff depends on the company, and how they set objectives within different teams. Certain types of companies, i.e. those with a large web presence, will have multiple security teams: internal security, customer security, fraud, etc., etc. In some organisations there will only be one security team who will be responsible for both internal and customer type security. In others, customer security will be entirely moved away from the internal team who have very little to do with it. Some companies will tell one team explicitly not to deal with any customer issues as they must focus on other issues etc.

    A CEO may well deem it wise to make customer interests everyone’s responsibility and indeed, some do, but usually employees do what they’re told to do by the boss.

    Incidentally, I saw this article online over the weekend which I thought was an interesting example of how some companies are still very concerned about keeping hold of intellectual assets: http://www.nytimes.com/2012/02/11/technology/electronic-security-a-worry-in-an-age-of-digital-espionage.html?_r=2&pagewanted=1

    David

    PS. Regarding your footer, not *all* the content on this site is copyright James Gardener… Some of it is copyright me… 🙂

Pingbacks/Trackbacks

  1. Humans are ‘naturally nice’ | Harold Jarche - February 24, 2012

    […] Innovator inside: there is little remaining competitive advantage in trying to control intellectual property: … if the point of IT security is to preserve the privacy and security of individual customers and their relationships with a supplier (and each other of course), then, in a Sidestep and Twist world, security becomes one of the most important disciplines there is. You’re hardly going to have the most customers (the basis of a Twist competitive strategy) if you’re not trusted in the first place. […]
