How do you “SELL” security?

Security is a tough and elusive nut to sell.  Everyone wants to be secure, but few can articulate what they want.  It is almost like buying insurance, but not quite.  It can be technical and behavioral.  It exists, but only in a transitive state.  It can be measured, but mostly in a relative way.  History has shown using fear is not the right strategy to sell security.  Customers may not even accept the need for it, if they have never had a security breach.  So how do you sell security?

The answer sounds simple, but it is not: make it ‘Meaningful’.

In order for security to be meaningful, a problem must be recognized by customers, they must be in the ‘action’ state of mind, the solution must be effective to a desired level, and the economics need to be right. 

If you are struggling, you are in good company.  Right now, the entire industry has problems in all of these areas. 

Making security meaningful to customers:
1. Recognizing a problem exists: Most people don’t recognize the problem, until they feel the pain.  This was true for the longest time in the medical and dental industries.  People only went to the doctor/dentist when they felt pain.  Over time we have embraced preventative medicine.  Security is in the same early stages with people begrudgingly investing when they feel the pain or believe it is imminent.  Basically “security is not relevant, until it fails”.

Recommendation: Timely education and awareness, without propagating false fears, is key.

2. Action state of mind: We are creatures of habit.  We rarely diverge from our mental framework of choices.  In order to make a change, our brains must reach a tipping point to decide a different path.  Here is a great article about key life events which drive changes in consumer spending and how the retail industry targets these moments in our lives to sell products.  In security, the same holds true.  We must be in a proper state of mind to invest in security.  In most cases, it is when we become a victim or are forced to change due to external requirements.

Recommendation: Be in the minds of people at the point when they move into the ‘action’ zone.

3. Effective solution: There is no single ‘fix’ to security; it is a gradient.  Any solution may provide a better level of security to some aspects, but will not solve all potential problems.  In a cost/benefit analysis, it is important to know the benefits.  This is difficult as the threats, environments, and customer expectations are difficult to quantify and will likely change over time.  The key for the user is achieving whatever they believe is the right level of security.

Recommendation: Have a well thought out solution, coupled with accurate/realistic and clear messages of the benefits to users.  Design and sustain with a defense-in-depth model for longevity. 

4. Positive Economics: Security costs.  In one way or another, the customer will pay.  It may be money, time, system performance, annoyance, or any combination thereof.  On the positive side, it also provides some level of benefit, which may include better confidentiality, integrity and availability.  This can lead to a better emotional state and satisfaction.  Measuring the benefits and costs is extremely difficult, as the multitude of factors which contribute are constantly changing in radical and unpredictable ways.  Just because you institute a protection mechanism, it does not mean you would ever be attacked in that manner.  Investing in strong security against one threat may seem a waste when attacks come from a different direction.  Even if a control does a spectacular job at preventing loss, will you know?  It is hard to measure something which does not occur.  Instituting a security control may make you feel strong today and less so tomorrow.  Right now, the industry does not have a standard for measuring Return on Security Investment (ROSI).  This becomes a difficulty for consumers who want to know they are getting a good value for the cost(s).

Recommendation:  Leverage one of many different methods to determine security value.  Use the best model for the specific security capabilities and user environment/expectations.   Make it real for the consumer, in terms they understand and cherish.

Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.