March 29, 2011

CISSP Essay #1 - The Business Case for Information Security

I am studying for the Certified Information Systems Security Professional (CISSP) certification.  Since the certification tests the candidate's understanding of concepts, I'm taking some time to pose some essay questions for myself.  First -- explain the business case for information security.


An organization exists because it is able to function in its environment.  For organizations that provide goods or services, the environment has changed significantly in the past 50 years.  Every organization has a structured way to deliver value to their customers.  We call this structure the “business model” of the organization.  

My favorite framework for understanding business models uses nine common elements.  

These include the Customer Segments (CS), the Channels (CH) that allow an organization to reach customers, the Customer Relationship (CR) that enables an organization to serve the customer, the Value Proposition (VP) offered to the customers, and the Revenue Streams (R$) that come from each customer.  

Supporting this outward-facing part of the organization are the Key Resources (KR) that allow an organization to perform Key Activities (KA) to offer the value proposition.  Key Partnerships (KP) either provide key resources or key activities.  Finally, there is an underlying Cost Structure (C$).  

Over the past 50 years, computer-based information systems -- symphonic arrangements of people, processes, and computer platforms that manage information -- have become critical to the overall success of an organization’s business model.  Let’s do a quick back-of-the-napkin comparison of the use of computer-based information systems in 1960 at Walden Books -- an innovator who pushed bookstores into malls in the 1960’s -- with their use at Amazon.com -- an innovator who pushed bookstores onto the Internet in the 2000’s.

Table: Comparison of Computer-Based Information Systems value to Book Sellers

| Business Model Element | Information Systems Value to Walden Books in 1960 | Information Systems Value to Amazon in 2010 |
| --- | --- | --- |
| Customer Segments (CS) | None - humans read books | Increasing - information fusion, where machines are the primary consumers of published data, is infrequent; ebook readers are increasing in popularity and may become critical in the future |
| Channels (CH) | None - distribution of books through physical locations | Critical - e-books outsold hardcover books in 2010; 9 percent of customers say they would not buy a "real" book if digital were not available.  In 2009, Amazon became the largest book seller in North America.  Amazon has no physical locations.  Moreover, computers guide the logistics networks that quickly ship books anywhere in the world. |
| Customer Relationships (CR) | None - sales done in person or self-service at a bookstore | Critical - Amazon uses state-of-the-art algorithms to help people find books among millions and millions of choices.  Amazon's algorithms "know" a customer based on past buying behavior and correlation with other customers' behaviors. |
| Value Propositions (VP) | None - buy books; niche stores -- buy books on key subjects or really rare books | Critical - find and buy ANY book, and get it in any available format - new, used, hardcover, softcover, ebook |
| Revenue Streams (R$) | None - payment through check or cash | Critical - payment through electronic forms, including credit card, PayPal, gift card, and automated clearinghouse (ACH) debit cards |
| Key Resources (KR) | None - physical books are the inventory; physical storefront | Critical - the storefront runs on a computer screen, and content is hosted on vast server farms.  Inventory is either managed by computer or is digital. |
| Key Activities (KA) | None - the value was increased through the knowledge of customers and books held by the owner and staff. | Critical - finding the right material for the customer based on their interests is done with computer assistance. |
| Key Partnerships (KP) | None - publishers delivered physical books to wholesalers, then to retailers. | Increasing - especially as ebooks gain in popularity, paper is going out of publishing; the value of a publishing partner is linked to the number of electronic books that they are willing to publish in various e-reader formats. |
| Cost Structure (C$) | None - bookstores cannot afford computers; maybe some major publishers use a computer. | Critical - in 2006, Amazon spent 33% of total expenditures on technology and R&D |


From this, we can see that the computer-based information system has become a vital business tool.  To one degree or another, most businesses cannot survive a multi-week loss of their information systems.  This should establish at a visceral level the value of the information system; without it, businesses cannot survive today.  Even the late-adopting Amish are using websites to market their niche products.

Well then, given that the impact of loss is significant, what is the likelihood of a multi-week failure?  After all, even the simplest risk calculations multiply the Impact of a loss by the Likelihood of occurrence when calculating the Exposure of the business to the risk.  While we could find actuarial tables that calculate the risks of fire, flood, theft, vandalism, power outages, mechanical failure, human errors, etc., a simpler measure may be to anecdotally ask how many times you have lost data that required you to redo a significant piece of work.  The health of the data backup industry should indicate that computers are not inherently stable.  The more complex and interdependent the information systems are, the more likely they are to be vulnerable to abuse or attack.  

Information security promises to reduce the organization’s exposure to the twin risks of abuse and attack that are inherent in dependence upon information systems.  In 1960, businesses minimized their risk of theft and abuse through the use of double-entry bookkeeping, banks, and the Federal Bureau of Investigation (FBI).  Some businesses refused to trust banks and kept their own money safe in physically secure on-site vaults.  

When the cash is on the computer, information security provides a measure of the protection that vaults, books, and G-men used to offer.  Some businesses may still choose to stuff their money under the mattress and trust in obscurity for protection.  Increasingly, businesses are recognizing the value of common-sense information security.  The fact that there is such a thing as common-sense information security is an indicator of a rising level of awareness about the importance of protecting our valuable digital property.

Clearly, there is a compelling business case for information security.  However, a business case should not be considered the same thing as an open checkbook.  Information Security is becoming a critical business function in the same way that accounting has become a critical business function.  We would do well to compare the role of accounting and the role of information security in the organization.  I think we will find more similarities than differences.
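As an added illustration of the Exposure = Impact x Likelihood calculation used above, and of the point that a business case is not an open checkbook, here is example code written for this page (not from the original post); every dollar figure, likelihood and control name in it is constructed.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    """A loss scenario: what it costs when it happens and how often it happens."""
    name: str
    impact: float       # loss per occurrence, in dollars (constructed figure)
    likelihood: float   # expected occurrences per year

    def exposure(self) -> float:
        # The essay's formula: Exposure = Impact x Likelihood (here, per year)
        return self.impact * self.likelihood


def control_net_benefit(scenario: Scenario, annual_cost: float,
                        likelihood_reduction: float) -> float:
    """Exposure avoided by a control, minus what the control costs per year.

    likelihood_reduction is the fraction of the scenario's likelihood the
    control removes (0.8 means the loss becomes 80% less likely).
    """
    if not 0.0 <= likelihood_reduction <= 1.0:
        raise ValueError("likelihood_reduction must be between 0 and 1")
    avoided = scenario.exposure() * likelihood_reduction
    return avoided - annual_cost


def is_justified(scenario: Scenario, annual_cost: float,
                 likelihood_reduction: float) -> bool:
    """A control belongs in the business case only if it avoids more loss than it costs."""
    return control_net_benefit(scenario, annual_cost, likelihood_reduction) > 0


# Constructed example: a multi-week loss of the information system,
# assumed to cost $2M per occurrence and to happen once in 20 years.
OUTAGE = Scenario("multi-week loss of information systems",
                  impact=2_000_000.0, likelihood=0.05)

if __name__ == "__main__":
    print(f"{OUTAGE.name}: exposure ${OUTAGE.exposure():,.0f}/yr")
    # Two candidate controls, both assumed to cut likelihood by 80% (constructed)
    for label, cost in (("off-site backups", 30_000.0),
                        ("fully redundant site", 150_000.0)):
        net = control_net_benefit(OUTAGE, cost, 0.8)
        verdict = "justified" if is_justified(OUTAGE, cost, 0.8) else "not justified"
        print(f"  {label}: net benefit ${net:,.0f}/yr -> {verdict}")
```

With the constructed numbers the cheaper control pays for itself and the expensive one does not, which is the kind of comparison that separates a business case from an open checkbook.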