Musings on Information Security :: Security as a core competence

This Month

Month Archive

January 2007
December 2006
November 2006
October 2006
September 2006

Main Page

Photos

Simplified Security: Security 101

Quotable security quotes

BS7799

Guest Column

Interview

Secure Personal Computing

Security Awareness Training

Good Security Customer

Security Initiative

security

RSS Newsfeeds

Main Page RSS

This work is licensed under a Creative Commons Attribution 2.5 License.

Main Page

Previous:	Vulnerability management
Next:	Which security category does your company belong to?

Security as a core competence

by RaviC on Wed 08 Nov 2006 11:37 PM PST | Permanent Link | Cosmos

Security is sold to the upper management in many flavors. Couple of compelling models are:

1. ROI savings model - Security is viewed as a Return On Investment in terms of savings it realizes.

2. Insurance policy model - Security is viewed as a risk reducing instrument.

Though both models are equally compelling, I am more inclined toward the insurance policy model. In both cases we need to do the math to arrive at the cost structure of security, more akin to cooking up numbers.

How about a third model where you don't have to cook up numbers? I would like to call it the "core competence model".

Company-A takes two long years to streamline its processes to implement security checkpoints in order to ensure confidentiality, integrity and availability with its product offerings.

Company-B is a competitor of Company-A. Company-B will take at the least 2 years to replicate Company-A's security competence. This will not only mean time, it will have cost Company-B in terms of lost opportunities due to lack of security competence. Moreover, it is may be hard for Company-B to replicate the security competence.

Security has become the core competence of Company-A and hence its competitive advantage.

Posted to:

Main Page

Comments

Post a comment

Re: Security as a core competence

by djmeier on Sat 18 Nov 2006 09:09 AM PST | Profile | Permanent Link

I read this post linked from McKeay's blog. I agree and disagree with both points. I don't believe that security as a core competence will bring you a competitive advantage based on your target market unless that *is* your target market. With the exception of markets that need to leverage security to sell (i.e. financials, defense, etc...). Take for example defense... I sell an air defense system that is linked to other countries via data exchange protocol. Allies are not always just that and the ability to exploit a local countries system via that link is not an option (I was in this situation -- it's very pertinent to the system, but not it's main operational task). Outside the realm of situations like that I don't believe security core competency (I didn't say security in general) is, much at all, a competitive advantage. At that point the executive level will weigh the cost vs. risk and quantify accordingly. Keep in mind that a core competency costs significant resources and assets and businesses run tight in this day and age. Then again, just my $0.02. :)

Re: Re: Security as a core competence

by RaviC on Tue 21 Nov 2006 07:05 PM PST | Profile | Permanent Link

Hello,
Thanks for an illustrative example. I agree with your view. I am happy that the post generated some debate, that is what I enjoy.