Why IT security doesn't sell

After a security breach or virus outbreak, companies are always concerned with IT security. But after a few months of normality, the concern fades.

After a highly publicized security breach at a major company or in the aftermath of a global computer virus outbreak, IT security gets its 15 minutes in the spotlight. These stories almost always end with speculation about the next doom-and-gloom scenario and admonishments to lock down networks and load up on security products. Wait thirty days and speak to a vendor that peddles these wares, and he or she will likely tell you how shocked they are that buyers still aren't flocking to their products.

Sorry, but IT security just ain't sexy

These same vendors are more than happy to regale anyone who will listen with a multihour PowerPoint marathon that presents the life of a low-level network admin as an IT James Bond of sorts. According to these vendors, organized criminal gangs in Eastern Europe are conspiring with pimple-faced disgruntled teens, all of whom are hell-bent on global domination; the first step of which just happens to be hacking into your company's network.

The truth is far less sexy. Sure, criminals will always be criminals, and if your company has valuable assets that can be readily sold for a profit like credit card numbers, someone may indeed try and steal them. One need not hunt for international conspiracies, and locking down the "front door" to your network is about as exciting as the alarm system and locks on the front door to your headquarters. At the end of the day, IT security is about as exciting as corporate liability insurance: you don't think about it until you need it; it's more or less a commodity, and the sales pitch of most security companies is about as enjoyable as that of the average life insurance salesman.

Security is an insurance policy, nothing more, nothing less

Most security pitches, either from vendors or IT departments trying to get a budget for internal security projects, revolve around fear. Just as global terrorism was a boon for physical security, the latest high-profile hack will likely be shoved in the CFO's face as justification for a budgetary request. At this point, most executives are tired of the fear-based sales pitch, and decades of IT operations without incident usually do not compel them to write big checks for IT spending. Most individuals immediately tune out an insurance sales pitch that harps on fear of injury, death, or lawsuit.

Instead of pitching fear, determine which technical assets are most valuable to your company and would result in the highest financial impact should they be compromised. With this analysis in hand, you can present options according to price to mitigate each of these risks. If you have solutions that are matched to the risk and at the right price, your pitch will seem far more rational.

The CIA has a small army of well-trained security guards equipped with automatic weapons because they have highly valuable assets to protect, whereas my company does just fine with a lock on the door and an alarm system, because my assets are correspondingly less valuable. Just like an insurance policy with coverage that is grossly under or oversized, if your proposed security solution does not reflect the value of what you are trying to protect, the conversation will likely end very quickly.

In addition to proposing an appropriately sized solution, present an annual review process to ensure the level of protection continues to be appropriate. No one wants to hear about security every month, but they also want to make sure the level of protection expands, contracts, and changes as their business and the market change. If decision makers know that an IT security review is an annual event and that options will be presented that recognize what level of protection is needed, it will create far more buy-in than a quarterly doom-and-gloom session, where the IT equivalent of Q's latest (and most expensive) gadgets are presented as critical.