As noted in the title, the assertion of this post is that the most valuable security technologies - many of them, anyway - aren't used to make their users more secure. In fact, a Fortune-50 Chief Information Security Officer (CISO) told me flat out: "my job is not to make my company more secure." He proceeded to explain that in fact, his job was to make his company more productive, within a given security posture. And, I claim, that's the same job many companies are "hiring" security technologies to do.
Consider the tradeoff depicted in Figure 1. You can be perfectly secure if you shut down all your applications, disconnect your network, and send everyone but the guard home. However, that's not terribly productive - hence the rectangle at the lower-right. Trace the diagonal from there to the top-left, and you get to the "anything goes" zone, which is theoretically the most productive, but of course also not a place you want to be.
Fig 1: Security vs Productivity
Advances in security technology allow you to move onto a higher tradeoff diagonal, ie, up and/or to the right from where you find yourself before implementing the new technology.
Now, the typical security-product positioning assumes that customers want to be more secure. The security vendor's presentation always begins with a slide like Figure 2, which shows how whatever-the-vendor-is-protecting-against is Really Scary, and is, in fact, getting Way More Scary every year.
Fig 2: The bogeyman slide: attacks of type "X" over time
The purpose of this slide is to create fear by convincing you that you are less secure than you think you are. Considering our tradeoff again, in Figure 3, the message is: you think you're at circle #1, but you're really at circle #2, which much less secure (further to the left) than you can afford to be operating. And of course, if you pay me some money, I'll fix it for you, and take you to the promised land of circle #3.
Fig 3: The typical fear sell
What my CISO friend said is, that's not how it works. This sell fails on two levels. First, folks aren't completely naive about their current level of security - at least on a relative basis. A CISO may not know the exact prevalence of threat type X, but she has a pretty good idea where X ranks relative to threat types Y and Z.
Second, and most importantly, the organization has chosen to operate at a particular security posture, which is a position along the horizontal axis. A bank or government agency might be very far to the right; a chicken-processing plant might be further to the left. Once the security posture is set, it generally doesn't change much. The CISO's responsibility, then, is to keep the company within its security posture, which is generally accomplished by setting policies that restrict what employees are permitted to do.
For example, a typical policy might be "you can't have Protected Health Information (PHI) on your PC hard drive." That policy enforces the organization's security posture, at the cost of productivity. Now suppose an encryption technology comes along that makes the CISO comfortable with encrypted PHI residing on an individual's PC. The revised policy would say "you may only have PHI on your hard drive if it's properly encrypted." Adopting the technology didn't make the organization any more secure, because without the technology they achieved their security posture another way. The technology did make them more productive, since it allowed them to maintain the security posture in a less restrictive way. In Figure 4, the adoption of security technologies A and B move the company onto better diagonals, and they use these technologies to move up, not right, on the diagram.
Fig 4: Using the higher diagonal to be more productive
Although security technologies are not often sold this way, they are often used this way. Here's some more examples:
- Antivirus - lets you use applications and click on links that you otherwise wouldn't feel comfortable using and clicking.
- Antispam - makes email communication practical. (If 95% of everything in your inbox were spam, you would stop using email and rely instead on other communication technologies, which would be less convenient and less productive.)
- Firewall - allows your employees to make use of Internet applications that communicate with servers outside your premises.
Even some technologies that seem to be only about security and fear can be positioned to enhance productivity. Consider a slightly dated example, just to illustrate the point. Network Access Control (NAC) is a technology that scans your PC before it connects to your corporate network, to make sure you aren't bringing in any malware. Years ago, Cisco ran a Super Bowl ad in which a father brought his laptop home from work, his daughter downloaded a game to play, he brought it back into work the next day and compromised the network. What a perfect "bogeyman" slide: absolutely everything is a threat, even your cute little daughter!
NAC technology had some adoption, but it never became terribly successful, and one of the reasons is that this fear sell often doesn't work.
Here's a possible reframing of NAC for productivity. "Right now you have employees with corporate-issue PCs who are allowed to access network resources, and contractors/consultants with their own PCs who can't access network resources. With this technology you can allow some of your contractors/consultants to access some of your network resources, to get more work done, while maintaining your security posture." Up, not right.
To reframe a fear sell into a productivity sell, look for one of three types of opportunities:
- Enabling the same people (employees, customers, etc.) to do more things than they could do before,
- Enabling more people to do things that only a few people could do before,
- Enabling the same people to do the same things faster or more cheaply.
Now, how does all this relate to Design for Exit for a security startup? Mainly in terms of matching your framing to the framing of a potential acquirer. When you're talking to a large security company as a potential acquirer, learn how they view the world, so you know whether to use a fear-based or a productivity-based frame. Also, by thinking in terms of a productivity frame you may be able to expand the universe of possible acquirers beyond traditional security companies.
I'm not naive enough to believe that security companies will give up on the bogeyman slide - and in fact, there are certain situations where that approach is exactly the right one. But in many cases, security technologies succeed despite their fear framing, not because of it. If you try productivity framing, you may be surprised at how well it plays.
Nice post, Spencer! And I agree with your premise. I don't feel I have the right experience to comment on the exit strategy angle, so I will leave that to others. But from a sales perspective, I think the key is to know when to use the productivity approach and when to pull on the security handle.
ReplyDeleteOne factor that has to be considered today, is what some call "shadow IT". Creating restrictive policies will often lead to employees that find their own IT solution, usually circumventing the policies. The most obvious examples are the easy access to cloud storage solutions like Dropbox to get around data sharing restrictions. LastPass to manage PWs or even pastebin for software developers.
I've always thought of the role of CISO as being primarily one of risk management. As you point out, to be productive you have to accept some risk, but of course too much risk means you increase the chances of getting burned.
Helping customers find that balance can be a successful approach.
@Tim - great point! I remember, early in the days of cloud computing, a bank IT executive telling me that he had been scratching his head over the huge increase in expense reports filed by software developers buying books. Well, it turns out they weren't buying books -- these folks were using their credit cards to rent time on the (then-new) Amazon Web Services, since it was so hard to get development & test servers provisioned within the bank. As soon as he figured it out, he shut down that shadow-IT vector (with extreme prejudice). But he also learned that while you may set an explicit security posture, employees have an implicit "productivity posture," a threshold of inconvenience below which their energy will turn to subverting your careful policies.
ReplyDelete