Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Forever blowing bubbles.

I got all excited by this neato bubble chart by Hoff:

and really wanted to take it out for a test drive in my own organization ... until I realized that I had no idea what “impact” meant.

What is “security impact”?  Does this mean the ability to make things “more secure”?  How do you decide whether your firewall has more “security impact” than your antivirus?  (Will the Ghost of Metrics Future please go back to haunting Ebenezer Jaquith?  Thank you.)

What is “business impact”?  Does this mean how visible your security measures are to your business users?  Does it mean how fundamental it is to whatever application your business is using?  Does it mean how much it would screw the business if it didn’t work right?  Or does it mean how much your business thinks it is helping them accomplish their goals (as opposed to just keeping Bad Things From Happening)?

A firewall might not have any business impact if users don’t know or care that it’s there.  But it sure as hell would impact the business if it went down.  You could argue that it “enables” the business to connect with external parties, but they’ll come right back and argue that they could communicate with them better if that firewall wasn’t in the way.

The bubble chart there shows antivirus as having a high “business impact.” According to whom?  Is it helping the business get the job done, or is it saving the users from themselves at a higher rate than the other security products in the portfolio?

I’d like to hear what you all would define as “impact.” Other than the medical term, that is.

Posted by shrdlu on Tuesday, December 18, 2007