On 9/25/06, Paul Schmehl <[EMAIL PROTECTED]> wrote:
> I understand that, but I think your trust model is merely a euphemism for
> loss avoidance. And I don't see how you can avoid being seen as loss
> avoidance - unless you can show the ability to generate revenue.

(My full disclosure for the day: I didn't read the whole whitepaper, or even most of it.)

I'd actually break down the business case for security technology a little bit further. As I see it, there are three different business cases:

- risk-based loss avoidance: if we don't buy it, we might get hacked, or a hack might do more damage. (This seems to be the business rationale for IPS/IDS.)

- certainty-based loss avoidance: our existing solution is wasteful and forces us to spend X dollars per year. If we spend the cash now to put together a better solution, we'll save money in the long run. (This is a common business rationale for identity management solutions.)

- business enablers: if we invest in this new solution, we can do something we couldn't do before that will make us money. A VPN that lets employees work directly from a customer site can make people more productive. DRM can let us sell digital music without worrying about piracy. SSL can let us process credit card purchases made via a browser. Pay-per-sale ads will encourage people to advertise on the web without worrying about click-fraud.

Some of those business-enablers have more than a passing resemblance to risk-based loss avoidance (e.g. you use SSL because you are scared someone might be listening if you use clear-text). The main difference I see is that with a business-enabling technology the revenue generation is tangible.

Regards,
Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/