Seth Godin:
Solving the problem isn’t the problem
The problem is finding a vector that pays for itself as you scale.
We see a problem and we think we’ve “solved” it, but if there isn’t a scalable go-to-market business approach behind the solution, it’s not going to work.
Godin’s perspective, as usual, is spot on. Read the entire article; he gives a couple of great examples.
Information security seems particularly prone to this flavour of fallacy.
There is a stubbornly persistent assumption that new technology will be easy to implement; just buy it and plug it in, right? In reality, buying the product is barely the first percent of doing something useful: you’ve got to get it into the environment (across development, test, production and disaster recovery instances), configure it, monitor it and manage its upgrade path. Once in, you then have to actually do something useful with it and successfully integrate it into your other controls. (Perhaps this systematic underestimation is part of why security’s business cases are notoriously unconvincing and its ROI so difficult to quantify.)
Meanwhile, whenever someone suffers a breach, the security community enjoys a round of self-righteous tut-tutting. “How could they miss something so obvious,” we ask, “as an unpatched vulnerability?” What an astonishingly unhelpful waste of energy. In the billions or trillions of lines of code that make up any modern organisation, it’s inevitable that something will be missed. Remember: corporations are required by law to maximise profit; any security beyond what cost-benefit justifies is antithetical to that goal, and an organisation’s risk appetite will never be zero.