The other day I was subject to the assertion that the only asset an IT security organizations should care about is data. Now being in the application security business, I should have been jumping at this validation but couldn't.

The IT security org needs to understand what threats the business faces from its technology systems. In many cases this is not a direct threat to the confidentiality or availability of data. Some attacks may be focused on other aspects of the systems like integrity or even cost.

Let me give an example. Some systems such as the adhoc sensor networks are deployed as an alternate to existing monitoring systems for the flexibility and cost reduction they offer. I wrote  a research paper with my friend Guillermo Marro detailing attacks on sensor networks.  These attacks focus on the power available to each sensor in the network. By manipulating the protocols, we were able to model attacks that would cause these networks to degrade rapidly. This would mean that the sensors would have to be replaced much before their time resulting in a dramatic increase in the total cost of operating these networks. This attack is not focused on the confidentiality of data but does may make the network too expensive to run.