Postmodern Security

A few months ago I came across an article by Nicholas Carr called, “IT Doesn’t Matter.” It was published by the Harvard Business Review in what seems like the Paleolithic era of 2003, but I was shocked by its relevance. At the time, it caused quite a controversy with many mocking Carr’s predictions, but with ever-increasing outsourcing and the commoditization of compute, it seems even more relevant. If you’re working in any sector of IT today, then you’ll find many of his ideas shockingly prescient.

In the article, he manages to call out IT on it’s over-inflated ego, its annoying self-importance and tunnel-vision with regards to the rest of the business. Twelve years later, IT still manages to create an idolatrous following among staff, convincing senior leadership that it’s central to an organization’s strategy, even as it continues to fail the business.

It’s a reasonable assumption, even an intuitive one. But it’s mistaken. What makes a resource truly strategic – what gives it the capacity to be the basis for a sustained competitive advantage – is not ubiquity but scarcity. You only gain an edge over rivals by having or doing something that they can’t have or do. By now, the core functions of IT – data storage, data processing, and data transport – have become available and affordable to all. Their very power and presence have begun to transform them from potentially strategic resources into commodity factors of production. They are becoming costs of doing business that must be paid by all but provide distinction to none.

…as their availability increased and their cost decreased – as they became ubiquitous – they became commodity inputs. From a strategic standpoint, they became invisible; they no longer mattered. That is exactly what is happening to information technology today, and the implications for corporate IT management are profound.

However, the part of the article that really caught my attention was where he points out that IT actually increases organizational risk.

When a resource becomes essential to competition but inconsequential to strategy, the risks it creates become more important than the advantages it provides. Think of electricity. Today, no company builds its business strategy around its electricity usage, but even a brief lapse in supply can be devastating (as some California businesses discovered during the energy crisis of 2000). The operational risks associated with IT are many – technical glitches, obsolescence, service outages, unreliable vendors or partners, security breaches, even terrorism – and some have become magnified as companies have moved from tightly controlled, proprietary systems to open, shared ones. Today, an IT disruption can paralyze a company’s ability to make its products, deliver its services, and connect with its customers, not to mention foul its reputation. Yet few companies have done a thorough job of identifying and tempering their vulnerabilities. Worrying about what might go wrong may not be as glamorous a job as speculating about the future, but it is a more essential job right now.

Sound familiar?  Consider some of the recent breaches such as Target, Home Depot and Sony. This presents an odd contradiction, as IT becomes less relevant to business strategy due to its ubiquity, information security becomes more critical.

But Information Security will only deliver value if it understands context. I consider this as I recall recent conversations I’ve had with other security professionals in which they lament how misunderstood they are and how little the business appreciates what they do. The problem is that many don’t respect the people who generate the revenue allowing them to have jobs. Often they’re so busy focusing on the minutia of finding vulnerabilities and exploiting them, that they can’t pull back to understand that this only delivers value if it helps to reduce overall risk to the organization.