Let’s take a look at the bigger picture, starting with a somewhat philosophical perspective: Why do companies have computers? Why do they have IT?
As a starting point, companies are looking for business value. Business value can be defined as quantifiable ways to make money or save money. Systems need to be judged on their ability to produce business value.
Perhaps surprisingly, computers have no inherent business value. Computers may be part of a system that generates business value, but by themselves they are just a tool.
Consider an ERP system – by itself it has no business value. The value of an ERP system comes from having the right materials at the right place at the right time to build and ship products. The value of an ERP system comes from having accurate cost data that allows setting prices that are profitable yet competitive.
Similarly, email has no inherent value. (Many people will agree with this assertion!) The business value of email comes from having the right information available to the right person at the right time, enabling effective communication between people, and providing an archive of business information. As an added benefit, email provides an audit trail and often provides an explanation and context for decisions.
I propose that the generation of business value through IT has three components:
- People performing value-added tasks.
- The information that is needed to support these tasks.
- Applications that apply value-adding transformations to this information and make it available to users.
Computers run the applications and host the data that is used by people to create business value. The sole reason for IT is to support the applications and data and make them available to users.
What is the connection to security? The corollary to this view is that anything that interferes with a user's ability to use applications and access data to generate business value is a problem. In too many cases, security is focused on preventing threats, even at the cost of impacting the creation of business value. We will look at several different ways to approach security while balancing security concerns with business issues.