
Why IT security doesn't sell

After a security breach or virus outbreak, companies are always concerned with IT security. But after a few months of normality, the concern fades.

After a highly publicized security breach at a major company or in the aftermath of a global computer virus outbreak, IT security gets its 15 minutes in the spotlight. These stories almost always end with speculation about the next doom-and-gloom scenario and admonishments to lock down networks and load up on security products. Wait thirty days and speak to a vendor that peddles these wares, and the vendor will likely tell you how shocked they are that buyers still aren't flocking to their products.

Sorry, but IT security just ain't sexy

These same vendors are more than happy to regale anyone who will listen with a multihour PowerPoint marathon that presents the life of a low-level network admin as an IT James Bond of sorts. According to these vendors, organized criminal gangs in Eastern Europe are conspiring with pimple-faced disgruntled teens, all of whom are hell-bent on global domination, the first step of which just happens to be hacking into your company's network.

The truth is far less sexy. Sure, criminals will always be criminals, and if your company has valuable assets that can be readily sold for a profit, like credit card numbers, someone may indeed try to steal them. One need not hunt for international conspiracies, and locking down the "front door" to your network is about as exciting as the alarm system and locks on the front door to your headquarters. At the end of the day, IT security is about as exciting as corporate liability insurance: you don't think about it until you need it; it's more or less a commodity; and the sales pitch of most security companies is about as enjoyable as that of the average life insurance salesman.

Security is an insurance policy, nothing more, nothing less

Most security pitches, either from vendors or IT departments trying to get a budget for internal security projects, revolve around fear. Just as global terrorism was a boon for physical security, the latest high-profile hack will likely be shoved in the CFO's face as justification for a budgetary request. At this point, most executives are tired of the fear-based sales pitch, and decades of IT operations without incident usually do not compel them to write big checks for IT spending. Most individuals immediately tune out an insurance sales pitch that harps on fear of injury, death, or lawsuit.

Instead of pitching fear, determine which technical assets are most valuable to your company and which would cause the greatest financial impact if they were compromised. With this analysis in hand, you can present mitigation options for each of these risks, priced against the impact of the loss they prevent. If the solutions you propose are matched to the risk and priced accordingly, your pitch will seem far more rational.

The CIA has a small army of well-trained security guards equipped with automatic weapons because it has highly valuable assets to protect, whereas my company does just fine with a lock on the door and an alarm system, because my assets are correspondingly less valuable. Just like an insurance policy with coverage that is grossly under- or oversized, if your proposed security solution does not reflect the value of what you are trying to protect, the conversation will likely end very quickly.

In addition to proposing an appropriately sized solution, present an annual review process to ensure the level of protection continues to be appropriate. No one wants to hear about security every month, but they also want to make sure the level of protection expands, contracts, and changes as their business and the market change. If decision makers know that an IT security review is an annual event and that options will be presented that recognize what level of protection is needed, it will create far more buy-in than a quarterly doom-and-gloom session, where the IT equivalent of Q's latest (and most expensive) gadgets are presented as critical.

About

Patrick Gray works for a global Fortune 500 consulting and IT services company and is the author of Breakthrough IT: Supercharging Organizational Value through Technology as well as the companion e-book The Breakthrough CIO's Companion. He has spent ...

18 comments
cj.pace

What about the data??! The short-sighted idea that only "technical assets" are important to your business is cavalier, to say the least. Data is king; losing it is what gets you fined and in the press. I do agree, however, that many IT security professionals may have lost sight of what a "solution" is supposed to do and are willing to buy every product going to allay the culture of fear that's been created.

nnagir

Your article is depressingly presumptuous. IT security does not sell because of the assumption it is only sold on the "fear" concept. Any company, regardless of size, contains data on their employees or customers and even research on new products or sales strategy that they need to protect. IT security is not just about hardware solutions and hackers; it's about educating users of the dangers out there and taking a proactive approach so you don't end up faced with lawsuits as a result of identity theft or data loss, or bankrupting your own company because you didn't take precautions to protect your breakthrough research. All in all, oversimplified, presumptuous articles like yours are also a contributing factor to why IT security does not sell.

mikifinaz1

In addition to those reasons mentioned: security is an ongoing, expensive, time-consuming process. The other reason is best described by a story from recent history. The world held its breath when the clocks turned to the new century. In the run-up, thousands of IT people, myself included, worked countless hours to squeeze out all the Y2K bugs. AND we found lots of them, covering all sorts of issues, running the gamut of problems including security. When nothing happened we were not touted as saviors for fixing all these issues, but castigated as con men, because nothing of note happened. How do you prove a non-event?

Dr_Zinj

Firewalls, anti-malware, encryption, passwords, multiple-authentication methods, and compartmentalization are all tools to accomplish the process. But the one thing you need is active involvement of people to manage and monitor those tools, and to analyze and investigate attacks and problems that are revealed by those tools. Most employees don't know how to use those tools, or only know how to use one of them; so you're going to need to hire a specialist (I.T. person). And you're going to have to buy, or rent, the tools needed. It all comes down to what Patrick said in the article: determine what's of value in the company, how much value each thing has, the odds of loss, and the cost of reducing those odds. I know of some small businesses where that equation comes down to a simple firewall and anti-virus program with periodic updates. And I work in a business where each unauthorized access comes with a potential $25,000 penalty; and we have an entire I.T. department of several dozen people dedicated to supporting the system and preventing those accesses and losses, and well worth every penny.

tom

The comparison to an insurance policy addresses only one aspect of the security issue. It is akin to saying that dancing is a mechanism for getting from one point on the floor to another. It misses the essence and ignores the involvement of people. An insurance policy is a commodity. In most cases, after you pay the premium, it is effective with no further action on your part. When you buy a security product or service, you are only buying the potential for risk avoidance. To be effective, there must be buy-in and intelligent action from people in the company. That is, someone must lock the front door every night. This human, non-commodity component of security is the essence of most security problems and the source of its greater potential to be a positive activity within the company. Security training becomes a vehicle for establishing and strengthening the organization's value system and helps to define corporate culture. When management understands this, security becomes more than a cost center. Thomas Ianuzzi CPP, CISSP, CFE, CCE http://infosecurityconsult.com/blog/blogs/index.php?blog=2

robo_dev

and has less to do with how to successfully introduce appropriate security measures into an organization. I agree, to some extent, that sales reps are guilty of over-hyping their products, and it seems that slide #2 in every security sales pitch has a bullet about the Heartland security breach, SQL Slammer, and the TJ Maxx security incident. For example, everything from my anti-virus software to my USB cable, it seems, will help my organization be SOX and HIPAA and PCI compliant. When in fact, those regulations have much more to do with process and people than with a silver-bullet security solution. A recommendation, though perhaps rather obvious, would be that those who provide security solutions need to understand their customers' requirements and business needs.

Tony Hopkinson

Fear has everything to do with why to invest in being secure. Fear of losing money if you are not... What's the risk and what's the impact? Encrypt a bank manager's portable: valuable data, lots of thieves, relatively inexpensive. A car insurance firm religiously protects its clients' contact details. Why? They'll go somewhere else next year for the 10% new customer discount... Businesses do the minimum they can afford based on a balance of fears. Now, how you get to that level, well, a security awareness course so the bank manager would know that an unencrypted portable was a significant risk has the potential to reduce the fear factor considerably.

tbmay

...one I've been trying to figure out for years.

Jessie

looking at the alerts. You can have the best security system in the world, but if one of your employees lets in some guy just because he's wearing a toolbelt and has an official maintenance uniform on, you lose...

elrico-fantastica

If you are looking to pick an apple, the one within reach is easier than the one at the top of the tree... The same thing applies with security. Yes, the serious hackers of the world have greater interests than your company, but they aren't the concern. The threat to the small/medium enterprise comes from the script kiddies downloading pre-written exploit code and looking for targets to "pwn with their leet skills"; they will go for the low-hanging fruit. This is why most IPS systems work on the auto-block list principle: you port scan or send a chunk of data the firewall doesn't like and it blocks you for 20 mins. This, to the un-educated, looks like the IP address is no longer in use and they move on to other low-hanging fruit. So yes, claims that super criminals are in league with super nerds with the goal of bringing down your 1mil turnover outfit are ridiculous, but to downplay security requirements because of the fear tactics used by salesmen in the field is equally ridiculous.

Tony Hopkinson

They refuse more claims than they pay out. They also operate with the huge advantage that a lot of insurance is made mandatory through legislation. Cthulhu help the IT industry if security was... Unless there is commercial pressure to do it (competitive advantage or some legislative burden), it will get binned along with any other quality initiatives, apart from what colour the buttons are, because we are a cost centre.

tbmay

...even with the recognition that it's all about people and process, there has to be buy-in from the people working at whatever place you're trying to secure. Otherwise, it won't sell. Assuming there really is a need, they will have to make changes in their habits, and a lot of folks resist that like the plague. The unfortunate reality is many employees don't care and many of their managers just want someone to blame. Those things don't bode well for successful security efforts.

robo_dev

Life would be easier if we could predict the future, but so far we cannot. Security incidents are not typically done by some hacker in some apartment in Ratzvanistan. Most cyber-attacks are automated. Software does not pick its target; software exploits what's weak. Automated tools do not differentiate between a mom-and-pop bakery website and that of the Pentagon; they just look for vulnerabilities, launch exploits, and do one of three things: use the server to launch other attacks, steal any information of value on the server, or crash the server as a mean prank (or all three combined).

Tony Hopkinson

That particular methodology encourages all sorts of classic business-driven, short-sighted blunders. Usually the myopic types grab the easy low-value stuff, and then move on or chop the tree down....

tbmay

Looks like things aren't really any different on your side of the pond than they are here.

Tony Hopkinson

is only paid lip service. A surge of draconianism every time it goes well wrong, until it gets in the way of someone important, then back to laissez-faire until next time. Security should be a process, not a reaction.

robo_dev

are often considered our enemy :) The paranoid individual would assume that the one who advises him not to worry about security is the one trying to break in. My profession is IT security, so I believe I know how attacks happen. My point is that it's dangerous to think you know exactly how and when your head will be handed to you, or to assume that you're safe because you are not a valuable target.

bergenfx

to know the enemy; and if not their motives, at least their MO. I think "Know Thine Enemy" is great advice. I typically don't even know they are mine enemy until I have had my head handed to me, though, so I am not giving advice.