To economists, the term “Broken Windows” refers to the question that if a shopkeeper pays a glazier to repair a broken window at his store, does this deliver an economic benefit to society? Many people would say yes, because it generates demand for glass and work for the glazier.
Have you ever been witness to the fury of that solid citizen, James Goodfellow, when his incorrigible son has happened to break a pane of glass? If you have been present at this spectacle, certainly you must also have observed that the onlookers, even if there are as many as thirty of them, seem with one accord to offer the unfortunate owner the selfsame consolation: “It’s an ill wind that blows nobody some good. Such accidents keep industry going. Everybody has to make a living. What would become of the glaziers if no one ever broke a window?”
Excerpt from the 1850 essay “That Which is Seen and That Which is Unseen” by Frederic Bastiat
The majority of economists, however, would say that it is a fallacy to believe that the broken window generates economic good, as it forces the shopkeeper to expend resources to fix something that wasn’t broken and functioned perfectly well before small boys began playing baseball in front of the shop. Paying for repairs reduces his/her business’ ability to spend money on more rewarding alternatives—financing inventory, expanding the shop, etc.
But if, by way of deduction, you conclude, as happens only too often, that it is good to break windows, that it helps to circulate money, that it results in encouraging industry in general, I am obliged to cry out: That will never do! Your theory stops at what is seen. It does not take account of what is not seen.
It is not seen that, since our citizen has spent six francs for one thing, he will not be able to spend them for another. It is not seen that if he had not had a windowpane to replace, he would have replaced, for example, his worn-out shoes or added another book to his library. In brief, he would have put his six francs to some use or other for which he will not now have them.
Society loses the value of objects unnecessarily destroyed, and at this aphorism, which will make the hair of the protectionists stand on end: “To break, to destroy, to dissipate is not to encourage national employment,” or more briefly: “Destruction is not profitable.”
Every so often someone gets up and claims that good IT security pays for itself. Nonsense. Every CEO, CIO, and CFO I have ever met resents every dollar they have to spend to protect themselves from the oversights of system architects, software developers, and product designers. They know that IT security is a wound that never heals, and that while they need to be lucky all the time, a hacker needs only to be lucky once to do serious damage to business processes, balance sheet assets, and/or marketplace reputation.
Realistically, IT security is going to remain a significant budget item as far as the eye can see. But I believe two types of security solution vendors have emerged. While they still make up the majority, Type A vendors sell paranoia. They harp endlessly on the mortal threats of thumb drives, social media sites, and satanic plots spawned by hackers of disparaged nations and ethnicities. Shattered windows are their business and they love the sound of breaking glass. Established Type A security vendors simply have too much to lose by helping their customers eliminate or reduce the potential for broken-window events and thereby enabling companies to reduce their IT security budgets.
Type B vendors recognize the market opportunity to help customers reduce the cost and complexity of IT security. Make no mistake: profit motivates Type B vendors every bit as much as their Type A counterparts. It’s just that they mix some enlightenment with their self-interest. Type B vendors are the ones advocating ways to efficiently minimize target surfaces, radically change their customers’ security programs, and perform mundane but necessary system management processes as thoroughly and with as little friction as possible.
While generalizations are slippery, such vendors will always be in the minority and tend to be the innovative upstarts of the industry. They are not part of the PCI collective; they find it difficult to swim against the rising tide of broken-glass marketing; but they offer viable alternatives to the current <glass breaks – repair glass – add more glass – glass breaks – repeat> cycle the IT security industry has created.
As I write, the RSA Conference is getting ready to open in San Francisco. Hundreds of vendors will convene to spend millions of dollars to convince public and private sector managers to continue to spend billions of dollars on various IT security widgets, left-handed monkey wrenches, and foo-foo dust. They will do their best to drown out the voices that say it doesn’t have to be this way, that there are viable alternatives to the never-ending IT security hamster wheel of pain. What a waste.