I understand that, but I think your trust model is merely a euphemism for loss avoidance. And I don't see how you can avoid being seen as loss avoidance - unless you can show the ability to generate revenue.Paul, Thanks for your comments.Unless you can demonstrate concrete revenue generationg directly attributable to security, I don't think you can overcome that perception (and loss avoidance through trust building does not generate revenue.)I believe the purpose of the paper is to move away from the loss avoidance model and describe information security in fashion that demonstrates how security mechanisms have a direct role to play in the creation of assets and business relationships.
Ben Robson writes, 'Firstly, your statement, "After all, information security doesn?t make money?it only spends." in my experience is actually incorrect. An effective information security outcome actually will save a company a significant amount of money.'
Saving money is a form of generating revenue indeed, but even in his description Ben is forced to use the words "reducing the risk" to describe his money saving techniques. That's loss avoidance, plain and simple.
Mind you, I'm not saying there is no merit to couching your argument in the trust model terms. I'm just saying that any PHB worth is salt will automatically translate the model into "loss avoidance". They might make dumb decisions from time to time (or at least what appear to be dumb decisions to us), but most PHBs *are* pretty intelligent creatures, and they excel at cutting through the BS to the bottom line arguments. (That's why, in part, they *are* PHBs.)
Paul Schmehl (pauls@xxxxxxxxxxxx) Adjunct Information Security Officer The University of Texas at Dallas http://www.utdallas.edu/ir/security/
Attachment:
p7sguolhQdDr9.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/