Archive for June, 2008

IT Risk, Security and Money

June 19, 2008

I read an extraordinarily good post this week by Bruce Schneier on how to sell security.  Or perhaps more accurately: what thought process IT security buyers go through when deciding to purchase (or not).

I’ve had the luxury in my time of having ultimate responsibility for selling content security (anti virus/spam) products, database security products and now network access security products.

I have observed first hand the “cost of insurance vs. probability of negative outcome” calculus.  No one questions money invested in Antivirus solutions because everyone knows that the probability of a negative outcome without AV is a virtual certainty.  Same with SPAM.  They might wish for more effective insurance for the money.  They might question whether they need yet-another-layer to really solve the problem – I remember arguing that gateway scanning was important and getting almost no uptake until the Melissa virus came out and demonstrated that the next generation of viruses were going to be transmitted by email, not by floppy disk.  But at least a basic level of insurance is a given.

When selling database security solutions in the earliest days of that technology I saw the opposite calculus.  IT’s almost idealistic belief in the impenetrability of the applications they had developed to front-end their databases.  In those cases our best sales tactic was to ask if it was OK if we tried to perform a SQL injection or cross-site script in a lab environment just to “test our tools”.  We could routinely demonstrate that applications were easily penetrated.  Suddenly database security solutions jumped up the priority list a few notches in organizations with a lot to lose.

The Societe-Generale “situation” vaulted insider security into the collective security consciousness.  We’re still working out the risk vs. cost-of-insurance calculation.

But for the most part, as a life-long security solution purveyor I have found that every discussion becomes a risk vs. cost discussion.  And when the risk we’re addressing becomes the next most painful one on the list we will get a serious hearing.  That’s why good sales people learn very quickly to look for “compelling events” or to simply ask, “where does solving this problem rank on your current priority list”.  If your prospect cannot demonstrate that it’s under broader (than just themselves) organizational consideration somewhere in the top 5 (or perhaps 10 if it’s a larger organization) prepare yourself for a long sales cycle.

Now security is starting to become somewhat synonymous with compliance.  And that has given us the idea that if we just say our security product solves a SarbOx problem the budget will be instantly available.  But go to RSA and walk the floor and you will very quickly realize that when 1,000 vendors proclaim that they are solving the compliance problem in subtly different ways, a prospective customer could not be blamed for putting the clutch in for a bit while sorting out what they really need; no matter how dire we paint the consequences of inaction.

I have no end-world-hunger solutions here but I will say that I’m gravitating toward at least one small solution.  Let’s call a spade a spade.  Tag this: “Security is not Compliance”.  And trying to solve compliance problems with a security solution is likely to be kind of like trying to reduce the cost of oil by invading Venezuela (now this post will show up on the NSA radar screen) – there has to be a more cost effective way.  I’m leaning toward this Compliance or Auditing as a Service (CaaS or AaaS).  And in developing a go-to-market model around this I’m starting to think that many things in IT could benefit from at least someone thinking about the problem from an “As a Service” perspective.  The business model might not be there in all cases.  And politics within IT might present too great a barrier in others.  But when you start thinking about all IT problems the way Google and Amazon are likely thinking about them, perhaps we might find ways to offer more security capabilities as a utility.

Which just might make the cost of insurance negligible enough to make good security a no-brainer deal.

Advertisements