The broken windows economics of IT security


To economists, the term “Broken Windows” refers to the question: if a shopkeeper pays a glazier to repair a broken window at his store, does this deliver an economic benefit to society?

Many people would say yes, because it generates demand for glass and work for the glazier. The majority of economists, however, would say that it is a fallacy to believe that the broken window generates economic good, as it forces the shopkeeper to expend resources to fix something that wasn’t broken and functioned perfectly well before small boys began playing baseball in front of the shop.

Paying for repairs reduces his/her business’ ability to spend money on more rewarding alternatives—financing inventory, expanding the shop, etc.

Have you ever been witness to the fury of that solid citizen, James Goodfellow, when his incorrigible son has happened to break a pane of glass? If you have been present at this spectacle, certainly you must also have observed that the onlookers, even if there are as many as thirty of them, seem with one accord to offer the unfortunate owner the selfsame consolation: “It’s an ill wind that blows nobody some good. Such accidents keep industry going. Everybody has to make a living. What would become of the glaziers if no one ever broke a window?”

Excerpt from the 1850 essay “That Which is Seen and That Which is Unseen” by Frederic Bastiat

IT security has evolved into a classic broken windows business. It exists to repair things that shouldn’t break in the first place.

Furthermore, every dollar that a business spends on Security subtracts a dollar from expenditure on more worthwhile alternatives—product innovation, improved public services, higher salaries, dividends to investors, etc.

“Society loses the value of objects unnecessarily destroyed,” and at this aphorism, which will make the hair of the protectionists stand on end: “To break, to destroy, to dissipate is not to encourage national employment,” or more briefly: “Destruction is not profitable.”

Every so often someone gets up and claims that good IT security pays for itself. Nonsense. Every CEO and CIO I have ever met resents every dollar they have to spend to protect themselves from the oversights of system architects, software developers, and product designers.

They know that IT security is a wound that never heals, and that while they need to be lucky all the time, a hacker needs only to be lucky once to do serious damage to business processes, balance sheet assets, and/or marketplace reputation.

Realistically, IT security is going to remain a significant budget item as far as the eye can see. But I believe two types of security solution vendors have emerged. While they still make up a majority, Type A vendors sell paranoia.

They harp endlessly on the mortal threats of thumb drives, social media sites, and satanic plots spawned by hackers of disparaged nations and ethnicities. Shattered windows are their business and they love the sound of breaking glass.

Type B vendors recognise the market opportunity to help customers reduce the cost and complexity of IT security. Make no mistake. Profit motivates Type B vendors every bit as much as their Type A counterparts. It’s just that they mix some enlightenment with their self-interest.

Type B vendors are the ones advocating ways to efficiently minimize target surfaces, close off vulnerabilities, and perform mundane but necessary system management processes as thoroughly and friction-free as possible.

While generalisations are slippery, such vendors will always be in the minority and tend to be the innovative upstarts of the industry. Established companies simply have too much to lose by helping their customers reduce their IT security budgets.

As I write, the RSA Conference is getting ready to open soon in San Francisco. Hundreds of vendors will convene to spend millions of dollars to convince public and private sector managers to continue to spend billions of dollars on various IT security widgets, left-handed monkey wrenches, and foo foo dust.

They will do their best to drown out voices that say it doesn’t have to be this way, that there are viable alternatives to the never-ending IT security hamster wheel of pain. What a waste.
