Security is a tough and elusive nut to sell.  Everyone wants to be secure, but few can articulate what they want.  It is almost like buying insurance, but not quite.  It can be technical and behavioral.  It exists, but only in a transitive state.  It can be measured, but mostly in a relative way.  History has shown using fear is not the right strategy to sell security.  Customers may not even accept the need for it, if they have never had a security breach.  So how do you sell security?

The answer sounds simple, but it is not: make it ‘Meaningful’.

In order for security to be meaningful, a problem must be recognized by customers, they must be in the ‘action’ state of mind, the solution must be effective to a desired level, and the economics need to be right. 

If you are struggling, you are in good company.  Right now, the entire industry has problems in all of these areas. 

Making security meaningful to customers:
1. Recognizing a problem exists: Most people don’t recognize the problem, until they feel the pain.  This was true for the longest time in the medical and dental industries.  People only went to the doctor/dentist when they felt pain.  Over time we have embraced preventative medicine.  Security is in the same early stages with people begrudgingly investing when they feel the pain or believe it is imminent.  Basically “security is not relevant, until it fails”.

Recommendation: Timely education and awareness, without propagating false fears, is key.


2. Action state of mind: We are creatures of habit.  We rarely diverge from our mental framework of choices.  In order to make a change, our brains must reach a tipping point to decide a different path.  Here is a great article about key life events which drive changes in consumer spending and how the retail industry targets these moments in our lives to sell products.  In security, the same holds true.  We must be in a proper state of mind to invest in security.  In most cases, it is when we become a victim or are forced to change due to external requirements.

Recommendation: Be in the minds of people at the point when they move into the ‘action’ zone.


3. Effective solution: There is no single ‘fix’ to security; it is a gradient.  Any solution may provide a better level of security for some aspects, but will not solve all potential problems.  In a cost/benefit analysis, it is important to know the benefits.  This is difficult, as the threats, environments, and customer expectations are hard to quantify and will likely change over time.  The key for the user is achieving whatever they believe is the right level of security.

Recommendation: Have a well thought out solution, coupled with accurate/realistic and clear messages of the benefits to users.  Design and sustain with a defense-in-depth model for longevity. 


4. Positive Economics: Security costs.  In one way or another, the customer will pay.  It may be money, time, system performance, annoyance, or any combination thereof.  On the positive side, it also provides some level of benefit, which may include better confidentiality, integrity and availability.  This can lead to a better emotional state and satisfaction.  Measuring the benefits and costs is extremely difficult, as the multitude of factors which contribute are constantly changing in radical and unpredictable ways.  Just because you institute a protection mechanism, it does not mean you would ever be attacked in that manner.  Investing in strong security against one threat may seem a waste when attacks come from a different direction.  Even if a control does a spectacular job at preventing loss, will you know?  It is hard to measure something which does not occur.  Instituting a security control may make you feel strong today and less so tomorrow.  Right now, the industry does not have a standard for measuring Return on Security Investment (ROSI).  This becomes a difficulty for consumers who want to know they are getting good value for the cost(s).

Recommendation: Leverage one of many different methods to determine security value.  Use the best model for the specific security capabilities and user environment/expectations.  Make it real for the consumer, in terms they understand and cherish.

Can you use ONE WORD to describe the biggest challenge facing information security today?


I was asked this very question this morning.  After a few minutes of pondering the vast possibilities with coffee in hand, filtering out inappropriate language choices, and digging deep to find a constructive perspective, I declared my one word which depicts the current challenges in the security industry.


Ambiguity.  In one word it states the grand breadth of the challenges and the great diversity of perspectives of those involved: what security is; what it encompasses (e.g. emotions, beliefs, states, events); what it is trying to deliver (no, not invulnerability); how to achieve it (e.g. technical, behavioral, process) and maintain/sustain it; what drives it (threat agents, losses, opportunities, fears, etc.); how to measure it (risk assessments, ROI/ROSI, compliance, value across tangible/intangible losses, etc.); who is involved (attackers, defenders, victims, and bystanders); and how/why the landscape and equation change so drastically over time (the complexities of factors which create the ever-changing fabric of security).


There exists both a lack of understanding as well as an overabundance of inconsistent concepts of the above items.


Defining the problem is the first hurdle.

Recently, I read an article on Harvard Business Review by Brad Power, entitled “Look to IT for Process Innovation?”:


http://blogs.hbr.org/cs/2012/03/look_to_it_for_process_innovat.html


The blog article poses the question: are companies missing out on the product and process ingenuity of IT people? The author thinks many companies are missing out by not including IT in business strategy and process innovation discussions. He provides examples in the blog of the key tools IT organizations can bring to the table, including process improvement (“lean”) development frameworks, rapid (“agile”) development techniques, and project teaming.

What other IT competencies can help drive process innovation?


And what else are you doing to make sure your IT organization has a seat at the business strategy table so that you can help drive real process innovation?
