Perhaps the most challenging and exciting aspect of information security is the need to account for business context when making decisions. One way to do this is to determine the unique strengths of the company—its competitive advantages—so you can frame risk conversations accordingly.
Economic Moats to Safeguard the Business
Gunnar Peterson discussed aspects of this concept using the notion of economic moats. According to Morningstar, an economic moat “refers to how likely a company is to keep competitors at bay for an extended period.” This term is similar to what others might call a sustainable competitive advantage. Just like a moat helps safeguard the castle from attackers, an economic moat contributes towards protecting the business from competitors.
Companies have different economic moats and those without a sustainable competitive advantage tend to stagnate. Gunnar outlined several types of moats highlighted by Morningstar, including: Low operational costs, intangible assets (strong brand, patents, etc.), high switching costs (customers tend to stay), etc.
Relate Security Risks to Economic Moats
What are your organization’s economic moats? If you don’t know what capabilities help the company protect or expand its market share, find out. This knowledge will help you make informed security decisions and will allow you to be a more persuasive participant in risk discussions. As Gunnar pointed out, “the two most important things in infosec are identifying what kind of moat your business has and then defending that moat.”
Information security professionals often complain that executives ignore their advice. There could be many reasons for this. One explanation might be that you are presenting your concerns or recommendations in the wrong business context. You’re more likely to be heard if you relate the risks to an economic moat relevant to your company.
A common approach to emphasizing the importance of information security is based on the notion that a data breach can tarnish the company’s brand. In many cases, the reality shows that the business doesn’t actually suffer in the long term, and in some cases the attention brought by the breach could actually help the company. However, even if the company might suffer in the short term, an argument based on brand tarnishing could fall on deaf ears if the organization doesn’t consider its brand a competitive advantage.
Security in Support of Sustainable Competitive Advantages
A company whose economic moat is its brand, will spend considerable efforts to protect its brand equity. For organizations like that, the brand-tarnishing argument might be effective and could be a good way to justify security funding. However, companies that have other moats, won’t care that much about safeguarding their brands.
For instance, consider a firm whose economic moat is tied to low costs due to its operational expertise and supplier relationships. A good context for making security decisions in this organization might be its efforts to protect proprietary details related to internal and supplier logistics. Threats to this moat will likely capture executives’ attention.
Another organization whose moat is its proprietary intellectual property will want to hear your thoughts on protecting such trade secrets. Alternatively, if a firm sees its time-to-market as a competitive advantage, it will want to know about the security risks that could slow it down and prevent the next timely release of its product.
An economic moat might protect the company from competitors, but it could be eroded by internal factors such as a security breach. Understand your company’s economic moats. Use them to frame security decisions and to ensure that your infosec advice are relevant to the company’s business objectives and strategies.
It’s unusual for information security professionals to work in a group that directly generates revenue instead of being a cost center. Many find working within a cost center hard, in part because when it is time to cut costs, infosec budgets are among the first to go. Product management provides an opportunity for infosec pros to work in a profit center for a change. (There are others, such as consulting and sales.)
From my perspective, the primary goal of product management is to define product capabilities and drive product adoption. Sometimes this view on product management is called product development.
In the world of information security, a product might be a hardware gadget, such as a network tap, a piece of software such as an anti-malware tool, or a service, such as a managed security offering. Sometimes it is a combination of these categories.
Here are the type of tasks a product manager might be asked to perform to support the objectives outlined above:
"The most valuable of all talents is that of never using two words when one will do," proclaimed Thomas Jefferson a few centuries ago. Succinctness seems more valuable in the 21st century, where we’re bombarded by words in spoken and written forms. However, knowing how to be brief is no less critical as knowing when to be brief.
I generally recommend assuming that the audience lacks the time or the inclination to pay full attention to your communication. Some rules of thumb for being brief:
While the advice above might apply to many situations, there are certainly cases where being verbose is preferred:
The biggest culprit in long-winded communications are, perhaps, presentations that last an hour but feel much longer. I was interested to learn about an approach to presentations that caps the presenter’s time at just a few minutes. If you’ll be in DC this December, you can attend a 1-hour event comprised of such “lightning talks” while watching some top minds in digital forensics and incident response present for just 360 seconds. There will also be an opportunity to tune in remotely.
Hand-picked related posts:
Information security isn’t the only field dealing with safeguards and related compliance challenges. Restaurants are expected to implement measures for safely handling food. Yet, economic realities and other priorities may cause them to priorities other aspects of the business over food safety. Since customers rarely have the visibility into food-handling practices, municipalities often take it upon themselves to enforce compliance with sanitation requirements.
Might the less mature InfoSec industry learn from the practices of overseeing compliance with food safety rules? There’s lots to explore here, but I’ll limit myself to the recent practice of the New York City Health Department to issue public letter grades to restaurants as part of its sanitation inspections.
Grading Restaurants’ Food Safety
Starting July 2010, the New York City began requiring “certain types of food service establishments to prominently post letter grades that correspond to their sanitary inspection scores.” In addition to seeing the grades, restaurant patrons can obtain inspection details on the department’s website.
When assessing compliance with NYC’s food safety regulations, the inspectors assign points for the observed violations, as outlined in the scoring guide. The restaurant receives a letter grade based on the number of points. Passing the inspection requires grades A, B or C. Restaurants that earned a non-A grade can contest the sited violations; during this period, the restaurant can either post the initial grade or the “Grade Pending” sign.
According to the NYC Health Department, those who receive A “will be inspected annually, but those receiving lower marks will get more frequent visits.” The resulting system pays the most attention to low-scoring businesses, which warrant the closest monitoring.
Food Safety Compliance Incentives for Restaurants
The public display of sanitation inspection grades is meant to provide the restaurants with the incentive to improve their food-handling practices. The assumption is that customers will prefer to eat in an “A” establishment, rather than the one that received the “C” grade.
To motivate restaurants to improve their sanitation posture, NYC only issues a non-A grade after a second inspection, which occurs announced about a month after the initial inspection. According to the initial data published by the NYC Health Department, the incentive to improve sanitation might actually work:
"Just 27% of restaurants received A grades (0 to 13 violation points) on initial inspection… But among those scoring in the B range (14 to 27 violation points) on initial inspection, nearly 44% improved to earn an A grade on second inspection. Of restaurants that scored in the C range (28 or more violation points) on their first inspection, 72% improved enough to earn an A or B on the second."
Letter Grades for Information Security
Like restaurants, consumer-oriented services on the web have a customer base that lacks the the visibility and skills to assess the risks of patronizing the website. As the result, the users have to rely on some third-party signal that the desired service may be “secure.”
Presently, the security signals are weak and rarely adequate, as they merely include the presence of SSL or a security seal indicating that the site was scanned for vulnerabilities. PCI Data Security Standard (DSS) offers some help in this regard, yet it only applies to card payment-processing sites and lacks the awareness among non-technical consumers. Moreover, PCI DSS is binary—the site either passed or failed—which encourages some business to fudge facts to achieve compliance, diluting the value of the PCI DSS effort.
We would benefit from having a clear set of bare minimum security requirements that systems processing information need to abide by. In fact, the Twenty Critical Security Controls project comes pretty close to defining such measures. I’d love to see a program that assigns letter grades to consumer sites on the Internet based on the number of such controls that were lacking. Yet, who would assess and enforce compliance? And who would pay for the cost of such a program? It’s not going to happen on the Internet any time soon.
I know I’m asking more questions than I’m answering, yet I think there’s something to the approach of motivating businesses to improve safety through a public display of grades. What do you think?
Update: For more on this topic, take a look at Mike Rothman’s post Incomplete Thought: The Scarlet (Security) Letter.
If you don’t know about Bitcoin yet, you will soon. Just like Friendster was the precursor to today’s on-line social networks and Napster foreshadowed modern online music distribution models, so too BitCoins might be a sign of upcoming approaches to distributed online financial transactions.
Bitcoin has been getting some attention lately in part due to the increasing value of this peer-to-peer currency. Here are a few articles for coming up to speed on Bitcoin and the recent incidents associated with it.
Getting Started With Bitcoin
Recent Bitcoin Incidents
Potential Bitcoin Implications
The notion of Bitcoin as a distributed and anonymous form of currency is capturing the world’s attention. The readers of this blog will find it particularly interesting to consider the implications of the role that such currency can play in the criminal marketplace and online attack activities.
Perhaps Bitcoin might be ahead of its time and maybe its design and implementation is flawed—we will know soon enough. Regardless, it is an idea that will inspire creative thinking in the space of online payments. In the words of Edward Z. Yang, “The future of Bitcoin depends on those who will design its successor. If you are investing substantially in Bitcoin, you should at the very least be thinking about who has the keys to the next kingdom.”
It’s exciting to read about the numerous Internet companies popping up, getting VC funding or preparing for an IPO. Many observers are quick to point out that these dynamics are reminiscent of the dot-com bubble of late nineties. As more companies rush to take advantage of the entrepreneur-friendly market, can we expect the new market entrants to pay attention to information security? I doubt it.
The New Tech Bubble
A recent article in The Economist notes that “irrational exuberance has returned to the internet world,” making Silicon Valley feel like a boomtown:
"Corporate chefs are in demand again, office rents are soaring and the pay being offered to talented folk in fashionable fields like data science is reaching Hollywood levels. And no wonder, given the prices now being put on web companies."
The latest crop of hot start-up seems to incorporate buzzwords such as personalization, mobile, cloud, geolocation, cloud and social media. Many of the new companies fuel growth through private investments; some have sights set on IPOs.
Information Security and Tech Startups
A startup derives its energy from the desire to manifest its founders’ ideas into reality. The culture associated with such activities is about creating the product as quickly as possible. It focuses on features that will drive growth. None of these attributes encourage a proactive approach to information security.
Furthermore, information security is a luxury that few startups may be able to afford. When a company is short on cash, the available money needs to flow towards paying software developers, acquiring customers, looking for more funding and covering the essential expenses to keep systems and applications running.
Even if the company recognizes the need to protect sensitive customer data, it will likely do the bare minimum just to get its product off the ground. It will also look for ways to minimize the need to implement its own security, perhaps by adopting cloud-based services that include some element of security or outsourcing sensitive transactions such as payment processing.
This is not irrational. There might be a chance that a data breach will put the startup out of business or will otherwise derail the company from its pass. Yet, there is a chance that this won’t happen. In contrast, spending money on security has a much higher certainty that a crash-strapped startup won’t have the money for other critical expense.
A Ray of Hope?
Fortunately, information security is more accessible to today’s startups than it was to the participants in the original dot-com bubble. In part, this is because cloud makes security more affordable to small companies. Also, security is easier to incorporate into products now than ten years ago, because many programming frameworks include modules security modules.
Information security not outside of the startups’ reach. However, whether they will have the incentives, money, time and knowledge to take advantage of security products and features is another question.
The notion of market segmentation emphasizes the importance of viewing one’s customers as belonging to different groups. The grouping can be based on the organization’s size, budget, locale or other factors that result in one market segment being meaningfully different from the other. Computer attackers are paying attention to this concept, too.
Market Segmentation by Legitimate Businesses
Market segmentation is regularly used by legitimate businesses. For instance, airlines price tickets differently for leisure and business travelers, due to the differences in these customers’ priorities and willingness to pay. Similarly, Starbucks sells a number of beverages to suit the preferences across the spectrum of its clientele.
By understanding the differences between the segments, the company may be able to develop slightly different products or services for each type of customer, and may be able to price its products in a way that extracts the most surplus from the market.
Market Segmentation by Computer Attackers
Market segmentation also increasingly employed by computer attackers. They do this in several ways—the most common involving grouping potential victims by organization size. I wrote about this trend in an earlier post Evolving Threats: The Long Tail of Potential Data Breach Victims, where I outlined 2 distinct market segments:
Other ways in which computer attackers segment the “market” is by the geographic location of the victims. For instance, malware distribution (e.g., pay-per-install) services pay the affiliates more for infecting a system in North American than the one in Asia. Industry (e.g., the type of data processed) is yet another way that attackers can perform market segmentation.
Data from the 2011 Verizon Data Breach Investigations Report
Among the many observations in the the 2011 Verizon Data Breach Investigations Report, is the increased number of breaches that occurred in small businesses:
"Typically, such organizations represent smaller, softer, and less reactive targets than, for instance, financial institutions. Criminals may be making a classic risk vs. reward decision and opting to ‘play it safe’ in light of recent arrests and prosecutions following large-scale intrusions into Financial Services firms. Numerous smaller strikes on hotels, restaurants, and retailers represent a lower-risk alternative, and cybercriminals may be taking greater advantage of that option."
Commenting upon this trend, Rich Mogull pointed out, “Using automated systems against weak targets and riding the associated economies of scale can be very lucrative, and it’s not surprising to see these targets multiply.”
The Internet Threat Hierarchy
[Update to the original post.] Dan Guido discussed the different types of computer attacks in his SOURCE Boston talk The Exploit Intelligence Project. I especially liked his illustration of the threat hierarchy:
Implications for Computer and Data Defenders
Information security professionals need to better understand the way computer attackers view market segmentation. This will help us understand the differences in threats across various industries, organization sizes and other potential victim groupings. In turn, having this view will lead to defenses being more in line with the actual threats and, perhaps, to security products that are better aligned with the corresponding market segments. (For more on this, see my earlier post Security Products and Services: The Long Tail of Customers.)
The maturing antivirus industry exhibits several dynamics reminiscent of the cold medicine sector. This isn’t a criticism of antivirus products, but rather an observation that AV vendors can refine their business practices by learning from the more experienced pharmaceutical companies.
Consider the following similarities between cold medicines and antivirus products:
A paper by Zahra Ladh points out that during the 1980’s and 1990’s, “the pharma industry enjoyed success over an extended period achieving double-digit growth consistently. The success of the industry depended on strong R & D, the use of patents and a powerful sales force.” With the growth rate slowing down, the industry increased its investment into marketing and branding strategies.
Similarly, with the antivirus industry becoming crowded with vendors and with the standard AV products exhibiting commodity-like characteristics, the antivirus vendors are focusing on stronger branding for their products. Marketing for the mass-market is expensive, which is why large AV companies have an edge in this respect over the smaller vendors.
Understanding the similarities between antivirus products and cold medicine (and pharma) industries can help AV vendors learn from the business development and marketing approaches utilized by pharmaceutical companies. At the same time, users of antivirus products should look more closely at the effectiveness of the tools they are purchasing and should demand that the vendors provide more details about the products’ capabilities than talking using general terms like “cloud antivirus” or “most powerful solution.”
When organizations undertake IT projects, including those related to information security, they often underestimate the effort of getting the work done. This might occur because we don’t understand the complexities of completing projects or because we underestimate the time and money needed complete tasks. We also tend to exhibit wishful thinking, fooling ourselves regarding the risks of projects going awry and the cost of mitigating such risks.
Reminder: Total Cost of Ownership
Gartner’s Bill Kirwin popularized—and probably coined—the term Total Cost of Ownership (TCO) to highlight the need to account for 2 types of costs associated with owning and managing IT infrastructure. One of the cost categories is direct costs,which are often comprised of labor and capital costs. The other category is indirect costs, which are harder to perceive; as the result, they are often underestimated.
"It might seem like a sensible ‘direct costs’ decision to reduce costs by spending less on contract negotiations, or hardware purchases or staff development and retention programs. However, if the result of such action is to deliver services with inappropriate service level agreements, or less reliable hardware that fails more often or longer waits for less effective support, the ultimate outcome might be to shift the comparatively meager savings from the direct side into comparatively significant increased costs in the indirect side."
We can learn from the concept of TCO to look for “hidden” costs in not only IT components that organizations lease, but also in the services it purchases and in the work it conducts internally.
Often-Forgotten Security Project Costs
Here are the costs that I frequently see underestimated and unaccounted for in the realm of information security. These costs might take the form of actual money being spent on products or services, and might also be less direct, such as the work effort exerted by employees that are already on payroll:
Be sure to consider both obvious and “hidden” costs when preparing to undertake a security project, be it an internal effort or a purchasing decision. Putting on the TCO hat might help in the process, because the concept acts as the reminder that some costs are hard to perceive until you experience them yourself.
If you found this post useful, you might like my take on using Return on Investment (ROI) for justifying information security expenses.