The previous article started a discussion of security.
Let’s take a look at the bigger picture, starting with a somewhat philosophical perspective: Why do companies have computers? Why do they have IT?
As a starting point, companies are looking for business value. Business value can be defined as quantifiable ways to make money or save money. Systems need to be judged on their ability to produce business value.
Perhaps surprisingly, computers have no inherent business value. Computers may be part of a system that generates business value, but by themselves they are just a tool.
Consider an ERP system – by itself it has no business value. The value of an ERP system comes from having the right materials at the right place at the right time to build and ship products. The value of an ERP system comes from having accurate cost data that allows setting prices that are profitable yet competitive.
Similarly, email has no inherent value. (Many people will agree with this assertion!) The business value of email comes from having the right information available to the right person at the right time, enabling effective communication between people, and providing an archive of business information. As an added benefit, email provides an audit trail and often provides an explanation and context for decisions.
I propose that the generation of business value through IT has three components:
- People performing value-added tasks.
- The information that is needed to support these tasks.
- Applications that apply value-adding transformations to this information and make it available to users.
Computers run the applications and host the data that is used by people to create business value. The sole reason for IT is to support the applications and data and make them available to users.
What is the connection to security? The corollary to this view is that anything that interferes with a user's ability to use applications and access data to generate business value is a problem. In too many cases security is focused on preventing threats, even at the cost of impacting the creation of business value. We will look at several different ways to approach security while balancing security concerns with business issues.
Next: User Needs
I like your ‘business value’ angle of assessing security in IT.
My only minor quibble is that I would argue that the hardware *does* have a certain intrinsic value, given that – as you mention – it is a tool! A piece of wood and a lump of iron ore may be of lesser value in the raw, but once you transform the wood into a handle, and the ore into a hammer head – combine! – that tool has immense value when viewed *prospectively* at all the potential work that can now be done that could not before.
I would say the same holds true for IT hardware. Its intrinsic value lies in the potential for delivery of even greater value by the transformation of information. The real world business value will be determined by exactly how that IT is put to use.
Therefore, the value of ‘security’ (writ large) lies in its ability to reduce/eliminate harm to the overall business value of IT.
The trick to appreciating this value is in being able to fully articulate every aspect of the business value in question, and how it may be diminished.
I would argue that computers are assets. They can be used to produce business value, but they don’t have any business value (which we defined as making money or saving money) by themselves. The value comes from using computers to perform value-added transformations on data in response to a business need.
The interesting question here is how to place a monetary value on security. To do this you have to be able to place a monetary value on the potential losses, the probability of these losses, and what the alternatives are for mitigating these risks.
Needless to say, these are hard problems! Do you have any thoughts on how to articulate this?
If they have no value, how do you _evaluate_ competitive IT solutions to find the best ones for your business?
Somewhat academic, I know 🙂 I understand the sense in which you are using the term “value” for the purposes of your discussion.
You are hitting the crux of the matter – the point I’d like to explore. The key pieces are:
Business Value can be measured – and is measured in money. Quantifiable and verifiable amounts of money.
Business Value, for our discussion, is generated by people using IT to apply value-added transformations to data.
Evaluating competitive IT solutions is an excellent question. What do you think of evaluating IT systems by looking at them in terms of: