SecureROI

Wednesday, April 11, 2012

NO TRESPASSERS! How to cut out costly and time consuming ‘no value’ calls in your contact centre

By guest blogger Paul Cunningham – ‘Director of International Business Development, Securelogix’

In recent times there have been an increasing number of high profile incidents concerning the security of telecoms systems.

The most obvious is dial-through-fraud with a majority of UK businesses either reporting or suspecting unauthorised and potentially costly use of their telecoms resources from inside and outside their business.

Add to that the increase in nuisance callers, denial-of-service attacks and attempts at social engineering in the contact centre market, and the telecoms security landscape has become a bit of an eyesore.

Even if you feel safe from such high profile threats because you see them as infrequent and unlikely to target your particular business, the chances are that you are being severely impacted by low-level ‘trespass’ on your telephone system.

So, what do we mean by ‘trespass’?

 

If like me you expect to be classified as a ‘knowledge worker’ you will regularly find yourself working either in an office cubicle, a meeting room or — in these days of enlightened work-life balance — at a kitchen table or home office.

Imagine the impact on your productivity (and sanity) of roughly 40 unexpected visitors a day knocking on your door, popping their head over the office divider or just appearing randomly in your garden.

You have no idea who they are, what they want or if they represent any kind of value (or threat) to your business. Yet they have to be dealt with at a cost to you in terms of time, money and distraction from the day job.

Our research shows that low-level ‘trespass’ in your telecoms systems — especially in contact centres — is costing you dearly. How?
Every contact centre has to process large numbers of calls that are not business related.

Non business related calls may be ‘no value calls’ and/or ‘negative value calls’.

No value calls are calls that do not represent any opportunity for the organisation to generate revenue or improve customer satisfaction.

Negative value calls are no value calls that actually take resources away from valuable calls and result in a negative impact to the organisation.

Non business related calls include the following:

 

Telephony Denial of Service (TDoS) calls – attacks involving a high volume of calls directed to a contact centre or IVR for the purpose of traffic generation/call pumping or outright Denial of Service. TDoS attacks can be generated through an automated process or an organised Social Networking attack.

Social Engineering calls — calls to manipulate people in order to cause them to give up personal or proprietary information that the attacker can use for financial gain. These are typically ‘professional’, highly automated and seriously criminal in their origin and intent. They are not random individual acts.

Auto-dialler calls/Harassing calls — automated calls generated in support of telemarketing, spam or similar activities. VoIP’s rapid rise to prominence in the Public Voice Network has made it very easy and cheap to automatically generate any type of call for everything from PPI claim-back sales to outright malicious activity (although many find it hard to tell the difference!)

Handling these types of calls costs you a substantial amount of money and occupies important resources that could otherwise be handling valuable calls. Yet a properly implemented telecoms security policy, with supporting services and tools, can identify, stop and/or reroute these types of calls, potentially resulting in dramatic cost savings.

How much could you be saving?

 

Our research indicates that 3.5 per cent of inbound calls have no source number — usually through blocking — and that 4.9 per cent of the remaining calls are verifiably spoofed, meaning that they display Caller Line Identification (CLI) characteristics that are falsified to hide their origins.

Assuming that the average call handling cost in a contact centre is around £3 per call, a centre handling 2,000,000 calls per annum and using the right mix of policy, tools and services to weed out 95 per cent of the trespassers could expect to save around £1,000,000 over 5 years — an average Return on Investment of around 650 per cent.

Friday, March 16, 2012

Guest Post: Firewall Change Management: Achieving a Return on Automation

By Sam Erdheim, Algosec

Looking at IT security through an ROI lens is a hard sell to make. That’s because you don’t really get credit for not having data lost/stolen or for not having a business disruption. Security is like an insurance policy. You could take the approach of not investing much there, but if something goes wrong, which is bound to happen, the business will most likely cease to exist. But if everything is OK, it’s hard to argue a positive ROI.

You can, however, put an ROI around how you MANAGE security policy, especially when it comes to managing the deluge of firewall changes. Many organizations struggle with change processes – which is why many go into network freezes during high traffic or high revenue times of the year. It’s because to be successful in today’s business environment, you must be agile. Change is a constant, but too many organizations rely upon manual processes which typically take too long and even still leave some checks and balances to be desired. And the pain only increases with the growing adoption rate of secure web gateways and next-generation firewalls. While greater policy granularity enables organizations to enforce greater control, it also increases the opportunity for change requests to come at a more voluminous and faster pace.

So thinking about how to show ROI from a firewall change management perspective, here are three attributes to look for, all based on automation:

  1. By automating previously manual processes, you can take the weight off of IT’s shoulders, saving time and resources. And you can significantly improve business agility, which is a competitive advantage in today’s 24x7x365 business environment. Firewall policy management solutions can provide ROI by automatically analyzing the firewall rulesets, the network topology, and your corporate security policy. To put this in numbers, we’ve seen our customers save more than 50% of the time required to process a firewall change – from automatically pinpointing the exact devices that need to be changed, to proactively assessing the risk and designing the change in the most optimal way.
  2. Our research has shown that as much as 30% of requested firewall changes are not necessary, and many others are implemented incorrectly. So if you can automatically identify and close “already works” requests, and also ensure changes are performed exactly as requested, there is a clear return.
  3. In today’s highly regulated environment, IT audits are all too common and all too time consuming – whether to address regulatory or internal security requirements. IT typically finds themselves spending significant time ensuring each change is properly documented to address any questions an auditor may have. So if you can maintain a detailed history of every step of every change request, it saves precious time spent trying to go back and “figure it out.”
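The “already works” check from item 2, as an added example (not AlgoSec’s logic and not code from the original post): it decides whether a requested flow is already permitted by an ordered ruleset before anyone edits a firewall. It assumes IPv4, first-match evaluation and an implicit final deny; the rule fields, verdict names, ticket IDs and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "tcp", "udp" or "any"
    ports: tuple  # inclusive (low, high) destination port range


@dataclass(frozen=True)
class ChangeRequest:
    ticket: str   # constructed ticket ID
    src: str
    dst: str
    proto: str
    port: int


# Assumption: anything no rule matches is dropped (IPv4 only in this example).
IMPLICIT_DENY = Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", (0, 65535))


def relation(rule, req):
    """Return 'covers', 'partial' or 'none' for a rule versus the requested flow."""
    if rule.proto not in ("any", req.proto):
        return "none"
    low, high = rule.ports
    if not low <= req.port <= high:
        return "none"
    r_src, r_dst = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
    q_src, q_dst = ipaddress.ip_network(req.src), ipaddress.ip_network(req.dst)
    if not (r_src.overlaps(q_src) and r_dst.overlaps(q_dst)):
        return "none"
    if q_src.subnet_of(r_src) and q_dst.subnet_of(r_dst):
        return "covers"
    return "partial"  # the rule decides only some of the requested addresses


def triage(ruleset, req):
    """Classify a request as already_works, needs_change or needs_review."""
    partial_actions = set()
    for rule in list(ruleset) + [IMPLICIT_DENY]:
        rel = relation(rule, req)
        if rel == "partial":
            partial_actions.add(rule.action)
        elif rel == "covers":
            # Decisive only if every earlier partially matching rule agrees
            # with the first rule that covers the whole request.
            if partial_actions <= {rule.action}:
                return "already_works" if rule.action == "allow" else "needs_change"
            return "needs_review"  # mixed outcome: a person has to look
    return "needs_review"


def triage_queue(ruleset, requests):
    return {req.ticket: triage(ruleset, req) for req in requests}


# Constructed ruleset, evaluated top to bottom.
RULESET = [
    Rule("deny", "10.10.50.0/24", "0.0.0.0/0", "any", (0, 65535)),  # quarantine VLAN
    Rule("allow", "10.10.0.0/16", "192.0.2.0/24", "tcp", (443, 443)),
    Rule("allow", "10.20.0.0/24", "198.51.100.10/32", "tcp", (1433, 1433)),
]

# Constructed change requests.
REQUESTS = [
    ChangeRequest("CR-1001", "10.10.7.0/24", "192.0.2.25/32", "tcp", 443),
    ChangeRequest("CR-1002", "10.20.0.15/32", "198.51.100.10/32", "tcp", 3306),
    ChangeRequest("CR-1003", "10.10.0.0/16", "192.0.2.25/32", "tcp", 443),
    ChangeRequest("CR-1004", "10.10.50.7/32", "192.0.2.25/32", "tcp", 443),
]

if __name__ == "__main__":
    for ticket, verdict in triage_queue(RULESET, REQUESTS).items():
        print(ticket, verdict)
```

CR-1004 shows why rule order matters: the broad allow rule appears to permit it, but the earlier quarantine deny matches first, so the request is not an “already works” case.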

Automating the firewall change workflow is about more than just reducing risk and improving your security posture – it’s about creating savings that can be put back into the business and enabling the business to be able to adeptly respond to changing requirements. Looking back at this, maybe we should call it ROA… Return on Automation. Algosec has created this ROI calculator to help you identify the opportunity for your organization. Good luck and enjoy!

 

Friday, March 9, 2012

Rationalise Networks – Rationalise Security

By Chris Pickles, Head of Industry Initiatives, Global Banking & Financial Markets, BT

When a major global bank tells you that it is managing over 2,000 firewalls, you realise that the bank doesn’t just have a security problem – it has a network problem.  Over the decades it has built up a legacy of private network and VPN connections not only to deliver its services to its offices and branches and customers but also to receive services from market infrastructures and service providers.  Being a bank, security is hyper-critical.  For a bank, all of that is “business as usual.”

The economic crisis has resulted in banks not having enough cash to carry on doing business as usual: today they need all of their cash and more to meet the new and tougher regulatory requirements for capital adequacy.  That means that their business model is changing, and that in turn means that their IT solutions have to change to support that different business model.

One way of reducing the cost of security and the added-cost of failed security is to reduce the number of access points through which security breaches can occur.  Rationalising network usage can ram down those costs, and that’s one area where a private managed cloud approach can help. 

For example, one financial institution had a separate network connection to each of 300 firms – each connection dualled-up for redundancy, of course.  We found that over 60 percent of those firms already shared the same BT private managed cloud service.  By linking the financial institution to that same cloud we could convert 180 separate connections to a single redundant and secure connection.  That also started to reduce the number of firewalls that needed to be managed.

A  50-percent reduction in TCO of communications with a reduced cost of security – helping to put cash back into the business of making money.

 

Thursday, January 5, 2012

Today’s Sophisticated IT Threats Require Organized Defences

by Tara Savage, Senior Marketing Manager, BT Global Services

In our recent article in RUSI’s Defence Systems magazine, we outlined the escalating war between cyber criminals and IT security specialists. As we noted, in addition to escalating attacks, costs are also skyrocketing. In fact, the combined costs of intellectual property theft and protection measures are in the billions in the UK alone.

This escalation is due to the proliferation of criminal “firms” with the main aim of stealing intellectual property – everything from organizational secrets to personal identification. We maintain that this new era of warfare means that traditional IT security measures no longer do the job. We believe that today’s threats require much more sophisticated and strategic IT security defences.

The strategic approach we focus on is centralized, business-driven security that can adapt quickly as threats evolve and change. To get there, we worked with CIOs and information security specialists to design an intelligence-led solution that can pull from a wide range of sources to protect a system.

These centralized processes monitor and correlate feeds from many different systems to identify anomalous behaviour that could indicate an attack. The results give cyber-defenders a real-time view of their systems and the capability to make adjustments to defences in real time, cutting the process from weeks to mere seconds.

To learn more about how we counter today’s sophisticated, organized threats with our Cyber Defence Managed Service, read our article here.

Wednesday, November 23, 2011

Security in Securities

Chris Pickles, Head of Industry Initiatives, BT Banking and Financial Markets

If you’re in the Securities sector, you’ll know that ‘security’ has a particularly strong importance there.  Whether it’s ‘security’ meaning ‘equities and bonds’ – the most secure financial instruments besides cash – or whether it’s ‘security’ meaning reliable, tamper-proof, or non-repudiable, no market sector has a stronger need for security than Securities.

It’s somewhat strange, and perhaps an anachronism, that the sector’s attention to security is most strongly focused around the lower-volume post-trade space.  A trader can trade and commit his firm to millions or billions of dollars, but super-strength security is only applied after the trade – not before it and not during it.  Investment firms generally rely on the physical security of private networks when it comes to receiving market-moving data and trading: latency is generally treated as a more business-critical factor in the trading room.

At the same time, investment firms need to save money, particularly on infrastructure.  Being able to re-use infrastructure more and more in order to generate economies of scale can make a major difference to a firm’s cost structure – it can help to reduce TCO of communications by as much as 50%.  But that needs to be achieved with security.

Change happens slowly in financial services, typically driven by the search for increased profits, by regulatory pressure and by demands for cost reduction – in that order.  Today there are scores of new regulations in the pipeline from market regulators around the world, as well as massive downward cost pressures.

Financial services is a ‘volume business’, where commercial success depends heavily on economies of scale.  That has to apply to the use of security services and communications services as well.  It’s time for investment firms to carry out deep-dive reviews of how they achieve security and how their communications architecture supports that goal more cost-effectively, before things get even worse.

 

Friday, November 18, 2011

There is no ROI for Security

By Toby Weir-Jones, Vice President of Product Development, BT Counterpane

We’ve heard that many times, probably just as many as we’ve seen attempts to prove the statement wrong.  Like car insurance, there is no incremental ROI in the literal sense.  You don’t see your wallet get fatter as a result of buying a policy.  Remember what insurance is for, however:  it provides a fixed payout on a variable risk.  Your premiums pay for coverage up to a certain amount (the fixed payout) which you can access in a wide variety of circumstances (you hit someone; someone hits you; your car is stolen).  There is non-monetary value to be found in the knowledge that your policy is in place and up to date.  You don’t need to squirrel away funds for a rainy day, so you can use that capital for other purposes.

In the information security space, we invest in technologies which hopefully improve our organizations’ ability to respond to unknown threats.  We evaluate their effectiveness by combining increased visibility to the types of things they control with some kind of commercial assessment of how important those things are to our businesses.  IPS tells us what kinds of known exploits or other malicious activities are on our networks; our knowledge of whether our networks are vulnerable to that activity tells us whether it is helpful information or not.

CISOs need to focus on seeing combined benefits across their projects, ideally by having them all feed into a common reporting scheme.  For example:

A large enterprise has deployed various technologies across the estate (PKI, secure messaging, IPS, next-gen firewall, monitoring, scanning).  Each of those activities generates its own reports, highlights benefits/errors/exceptions, and generally chatters away on its own. 

Next year, the Board indicates that budgets need to be trimmed 15%.  How does the CISO respond?

You can’t authenticate 15% fewer transactions

You can’t sanitize 15% fewer messages

You can’t deploy 15% fewer IPS signatures

…etc. 

Historically what we’ve seen is stretching out the lifecycle of deployed technologies, so instead of replacing something on a 3-year cycle, push it to 4 or even 5.  And, inevitably, the plans to increase headcount feel pressure.

But the other area, which is perhaps hardest to measure, is suspending new projects.  So perhaps the original plan had called for replacing the message hygiene, IPS, and FW platforms with new UTM capabilities.  If the budget pressure can be met by suspending that, it’s likely the project would be deferred, even if OpEx increases as a result.

And that’s the crux.  Quantifying benefits derived from security investments is difficult, much like quantifying benefits from auto insurance, if you haven’t had to file a claim.  But continued spend on maintenance as a ratio of technical capabilities realized is unavoidable, and a useful starting point.  You need to be honest about those capabilities, since obviously you could be entirely self-serving in reporting the model, and every firm will have a ratio which is right for them. 

But that gives us the common reporting scheme I mentioned at the start.  For any given product category, its features will fall into one of a small number of buckets:

1) Obsolete

2) Industry-comparable

3) Unique/vendor-specific

Anything on this list needs to be individually demonstrable.  So if a mail hygiene system has the ability to remove viruses and malware, you have to be able to measure both the number of such items removed, and what percentage of the total that number represents.  If it can’t be measured, it can’t be treated as a discrete feature on the product. 

Each of those will, in turn, have a utility value for the individual enterprise.  I would suggest using a scale of 1-4 would be appropriate, where 1 is the least useful and 4 is the most.

The sum of each feature’s category and utility values gives you a broad view which you can plug into the ratio with corresponding spend.  And it separates you from worrying about how to quantify benefits only when catastrophic events occur.

CISOs are among the best-positioned to drive schemes such as this into the corporate rhetoric.  They can avoid the impassioned defense of individual vendors by focusing on product categories first, and they can frame the results in commercial terms to other members of the senior leadership team.  This isn’t a scheme to provide an exhaustive analysis, it’s a rough-cut sorting mechanism to provide one incremental level of improvement over how to present value equations to peers.

Wednesday, June 15, 2011

Are you wasting money on security?

By the BT Security Think Tank

 

Are you wasting money on security?

It’s a question you need to ask yourself now and then.

Here’s an example of why…

Once, we did exactly the same as all sorts of other organisations. We employed security guards to protect our key premises – at night, at weekends and, in some cases, during the day.

To begin with, they performed valuable roles. When intruders were found, they apprehended them. Then they called in the police.

But things changed. Thieves started arming themselves. Concerned about the guards’ health and safety, we told them to let the professionals deal with any break-ins. All they needed to do was raise the alarm or otherwise call in the police.

And so things continued … for a while.

Eventually, we took a fresh look at the situation. By then, the guards had become little more than expensive monitoring systems. True – their presence reassured staff working on premises out of hours. But when it came to detecting intruders and calling in the police, it looked like a combination of door and window alarms, CCTV cameras and other technologies would do just as good a job and save us a great deal of money.

The question was: would it work? Would our premises be put at risk?

There was only one way to find out – to give it a try. So that’s what we did. And guess what? We found that we were right. The result? We employ fewer security guards, but our premises are no less secure. If anything they are better protected than they used to be. Guards can’t be everywhere, after all. Thanks to an imaginative new use of technology, the eyes we employ are now keeping much better tabs on things that matter a great deal to us – our premises and the assets they contain.

What this story highlights is that you need a clear view of the return you’re getting from everything you spend on security.

The problem is that organisations tend to do this on a ‘fire and forget’ basis. They identify the risks they face and put measures in place to mitigate them. They may well go one step further and check they are getting the returns they hoped for. But often that’s it. If nothing untoward happens, they assume their investments are continuing to deliver a good return so they leave them as they are. If it ain’t broke, why fix it?

The thing is that what we’re trying to achieve with security is a balance between the cost of defences on one side and the costs of breaches on the other. Different organisations have different appetites for risk, so they’ll set the balance in different places along the scale. But as any engineer will tell you, once you’ve decided where you want the point of balance to be, you need a feedback system to maintain it.

All too often, this is missing.

At best, organisations end up paying for a greater level of defence than they need. Cash that could have been spent elsewhere goes to waste.

At worst, they end up with a false sense of security – one based on the fact that they haven’t experienced a problem – well, not yet.

Either way, the failure to get the balance right could cost them a great deal.

So, ask yourself again. Are you wasting money on security? Are you sure those defences are right?

Members of BT Security Think Tank include Ray Stanton (Executive Global Head of Business Continuity, Security and Governance), Bruce Schneier (Chief Security Technology Officer), Peter Scott (Director EUT, BT Security), Martin Brown (General Manager, Security Technology & Strategy), Steve Benton (BT Security – Head of Business Operations), Jim Tiller (VP – Operations and General Manager, BT US & Canada) and Theo Dimitrakos (Head of Security Architectures Research, BT Innovate & Design).

 

 

Thursday, December 30, 2010

It’s the Most Wonderful Time of the Year

By Toby Weir-Jones, Vice President of Product Development, BT Counterpane

As the year winds down, IT managers look at their project plans for the past several months and evaluate which ones are finished.  If you’re lucky, you’ve not only completed projects on time, but under-budget, and now you may have the delicious prospect of additional capital you can allocate to purchases that were culled during last year’s fiscal review.

The question is — what should you buy?  Think of this piece as a simple buyer’s guide for the IT holiday season, and feel free to use it whether your fiscal year ends in just a few days, or not until the end of March 2011 or beyond.

Web Application Scanning (WAS):  This is a technology you should explore if you haven’t tried it already.  It’s not perfect, but it provides you with a lot more information than traditional vulnerability scanning; and it’s pretty straightforward to build internal processes your team can use to make use of the results.  If you’re going to go down this path, don’t overlook the need to build in formal feedback loops to the application developers as well.  Ideally, you want management on both sides to agree to remediation targets – because WAS can help everybody do a better job at a reasonable cost. 

Host IDS/IPS:  Many vendors have sold product into companies that ends up collecting dust on the shelf.  But with the renewed integration of endpoint protection technologies into the traditional kernel-oriented HIDS agents, these products are now genuinely powerful and useful.  They not only add policy enforcement capabilities to operating systems which otherwise lack them, but they provide a logging and alerting vocabulary to describe what’s going on, a factor that will make your auditors and IT helpdesk people happy.  They won’t spend nearly as much time chasing down vague alerts and otherwise trying to figure out what really happened; and the policy-oriented management tools offer a simple way to define and deploy policies across the enterprise. 

Behavioral Analysis:  This is more of a technique than a tool, but it’s something you should look for in any general security product category you’re investigating these days.  The idea is pretty simple — build a statistical model of “normal” behavior, and then alert the user whenever actual behavior deviates from what’s expected.  The better tools will also model your “deviant” behaviors and compare them to macro-level views of activity from elsewhere in the world, either in real-time (via a managed service model) or via a local library of problematic behavior patterns.  You can apply this to anything that generates a consistent volume of activity messages characterizing device behavior or performance, and it’s a cheap and useful way to see how you’re doing compared to everyone else.
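The baseline-and-deviation idea in the Behavioral Analysis item, as an added example (not from the original post or any vendor product): it learns a per-device, per-hour-of-day baseline of message volume using median and MAD, then flags spikes, drops and sources with no usable baseline. The device names, counts, thresholds and the choice of the modified z-score are assumptions made for this illustration.

```python
from collections import defaultdict
from statistics import median

MIN_SAMPLES = 5   # assumed: fewer points than this is not a usable baseline
THRESHOLD = 3.5   # commonly used cut-off for the modified z-score
MAD_FLOOR = 1.0   # avoids division by zero for perfectly steady sources


def build_baseline(history):
    """history: (device, hour_of_day, message_count) tuples from past days.

    Returns {(device, hour): (median, MAD)}. Median and MAD are used instead
    of mean and standard deviation so that one past incident in the training
    window does not widen what counts as normal.
    """
    buckets = defaultdict(list)
    for device, hour, count in history:
        buckets[(device, hour)].append(count)
    baseline = {}
    for key, counts in buckets.items():
        if len(counts) < MIN_SAMPLES:
            continue
        med = median(counts)
        mad = median(abs(c - med) for c in counts)
        baseline[key] = (med, mad)
    return baseline


def modified_z(baseline, device, hour, count):
    """Robust deviation score, or None when there is no baseline to compare to."""
    if (device, hour) not in baseline:
        return None
    med, mad = baseline[(device, hour)]
    return 0.6745 * (count - med) / max(mad, MAD_FLOOR)


def detect(baseline, observations):
    """Return (device, hour, count, reason) for each observation worth an alert."""
    alerts = []
    for device, hour, count in observations:
        z = modified_z(baseline, device, hour, count)
        if z is None:
            alerts.append((device, hour, count, "no_baseline"))
        elif z > THRESHOLD:
            alerts.append((device, hour, count, "spike"))
        elif z < -THRESHOLD:
            alerts.append((device, hour, count, "drop"))
    return alerts


def _days(device, hour, counts):
    return [(device, hour, c) for c in counts]


# Constructed history: one count per day for the given device and hour.
HISTORY = (
    _days("fw-edge-01", 3, [100, 104, 98, 102, 101, 99, 103])
    + _days("fw-edge-01", 14, [900, 950, 880, 920, 910, 940, 890])
    + _days("mail-gw-01", 14, [500, 500, 500, 500, 500])
    + _days("vpn-01", 9, [40, 42])  # too few samples to model
)

# Constructed observations for the current day.
TODAY = [
    ("fw-edge-01", 3, 900),    # normal at 14:00, far outside normal at 03:00
    ("fw-edge-01", 14, 930),   # within the usual afternoon range
    ("fw-edge-01", 14, 0),     # device went silent: a drop is also a deviation
    ("mail-gw-01", 14, 503),   # steady source, small wobble absorbed by MAD_FLOOR
    ("mail-gw-01", 14, 520),
    ("vpn-01", 9, 10),
]

if __name__ == "__main__":
    for alert in detect(build_baseline(HISTORY), TODAY):
        print(alert)
```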

Botnet and Malware Detection:  The last item on the list has become important enough that not only IT but Finance and Legal have a vested interest in ensuring it’s done correctly.  Any shrink-wrapped product that doesn’t have live updates to its blacklists is going to become a limitation fairly quickly, so look for vendors who maintain live data on the latest research, command and control hosts, and detection techniques.  Make sure you get good, unambiguous reporting that highlights whether or not you have an infected node in your network, and how to confirm positively that you’ve cleaned it up.  Finally, ensure you have suitable policies defined about when to notify those same Finance and Legal folks about botnet exposure on your company’s network.

BT extends best wishes to all our readers at SecureThinking – we hope you have a 2011 full of mitigated threats and proactive notifications!  If you’d like to discuss particular vendors for any of the above solutions, please feel free to provide links in your comments!

Wednesday, October 27, 2010

NCSM Tips and Myths: It’s Time to Clear the Air – Part 2

By Senthil Venkatachalam, Product Manager, BT Global Services

As I mentioned in my previous post, in the spirit of National Cyber Security Month and to address the theme of shared responsibility, it seems that now is the time to clear the air and take a look at the myths surrounding security solutions.  In the last post, we dispelled the myths around deployment of devices.  Today, we will address the myths around ROI and compliance.

Myth: Here is the product’s Return on Investment…

Security ROI is difficult to compute, simply because it is hard to predict the probability of a true security event and the costs associated with the loss and mitigation of it.  So take vendor driven security ROI analyses with a grain of salt and use them as a starting point for your own analysis of whether a solution is needed and worth the money spent.

Bruce Schneier, chief security technology officer, BT, wrote a great article on the subject that appeared in CSO Magazine:

Security ROI: Fact or Fiction?

Myth: Having an MSSP is enough – It will free my team and I’ll be secure

Some of the points discussed in this series of posts suggest that if your organization does not have the security expertise, experience or technology needed for comprehensive security, you should work with a security provider (an MSSP) to help you get there. That is still true. This one’s the corollary — simply having an MSSP does not take away your responsibility to stay engaged.

While an MSSP can bring value to the table on their own, they are not you. As a manager of your organization’s security program, *you* are the one who is ultimately responsible for the success of the program:  You set your organization’s policies and priorities, and you know your organization’s IT infrastructure the best.  While a security solutions provider can provide best practice advice and consult with you, it is ultimately your organization that makes these key decisions.

So the key point here is that even if you employ an MSSP or other security provider, you or your security staff will need to stay fully engaged with the security provider to gain the program’s full benefit.  In our experience, organizations that stay engaged with their security solutions provider can extract the full value from the services provided.

A Related Myth: We have contracted with an MSSP to help us become and remain compliant.  What more can you ask of me?

This is a popular myth and probably the easiest to debunk. Compliance is not security; it is a low bar to cross, indeed.  Staying compliant is good, but it does not mean that you are fully secure at all.  Customers who buy a managed security service only to check a compliance box are doing themselves a disservice (no pun intended) and will not get the value for their security investments.  Engage, engage, engage!

Myth: Log retention is equal to monitoring

Log retention is an important component of security. In many cases, you don’t have a choice. Organizations in regulated industries, for example, banking and healthcare, have log retention requirements they need to meet.  

Log retention is also particularly useful in forensic analysis of a security event and its mitigation. However, let’s be very clear: Log retention is NOT monitoring.  Log retention complements a security monitoring program, but it does not replace it.  You still need to monitor your IT assets in real-time to be fully aware of all security activity on your networks.

Thursday, January 21, 2010

Is Free really Free in the online world?

By Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services, CISSP, CISM, CISA, PCI QSA

One of the challenges for Internet companies is to make a profit by providing content and services to a community that largely expects those services or content to be free. There was a time when organizations charged for providing email. Remember MSN and AOL? Fast forward a few years to an unlimited number of free email services. Not only is the expectation that the service be free, but users moved to other e-mail providers when storage limits or functionality were restrictive. Free and unlimited is just what our community expects.

Last year, Rupert Murdoch announced News Corp. will start charging for online access to its news services.  It will be interesting to watch how this fares for consumers who are used to receiving free services.  News Corp. is also suggesting it will charge search engines for the ability to crawl through its sites.  Services that are not free need to distinguish themselves as being remarkable to ensure a community that is used to no charge will be willing to pick up a tab.

Similarly, there has also been a shift by almost all of the free online services to start charging for premium services to reduce dependence on online ad revenue. For example:

  • LinkedIn has introduced a paid tool that can be used by recruitment companies
  • Skype has now started charging for voice mail
  • Pandora has introduced a paid online radio service with no advertisements

There is no doubt that during the next two years we will see many more companies actively moving towards a paid model with earnings supported by advertising revenue. However, even as companies look for ways to earn direct revenue for some aspect of service, the question becomes, “What should we expect for the free services that are used to reel consumers in?”

The loss of our SecureThinking blog this past month, which was being hosted for free, brought forward these questions of what our right to availability really is.  What does our loyalty and presence entitle us to?  What are fair expectations for free services?  It appears that free entitles us to a service without support.

Organizations that provide services like blogging, social networking and online applications are all mostly free.  Consumers expect these services to be reliable, secure and constantly available. But is this expectation too high?  Are we losing high value services because we do not want to pay for Internet services and content?

Certainly our desire for free services and content is negatively impacting notable TV, entertainment and newspaper companies.  When we have no more credentialed journalists because we did not want to pay for their time, I wonder if the value of the content we will be accessing will decline.  Is our lack of desire to pay actually killing the golden egg?  After all, there is an intrinsic cost in supplying a product.

If you are providing a product and building a business model around charging for additional services, I believe the service you are supplying must be indicative of the quality of the product you paid for.  The product must provide its users with confidentiality, integrity and availability. How will we know that the paid product has these qualities?  Organizations that provide a multi-level service model, service levels for paid services and no service level for free are at risk of alienating the community they initially attracted by providing the service in the first place.

In our situation, our response has been to move the SecureThinking blog to a new platform that we host and pay a small fee to use.  There was a misalignment between our expectations and the supplier’s product, but that is often the case when a product is free. 

I’d be interested to hear your feedback on whether you think free services should be held to the expectation of secure and reliable.  What do you think? 

http://www.btsecurethinking.com/2009/11/integrating-web-2-0-tools-securely-into-the-business-environment/