Headlines of the security holes in Mac OS X Leopard and a Trojan targeting Mac machines once would have been enough to warrant security VARs and vendors racing to the streets with their fixes and wares for sealing a breach in the castle walls. The conversation usually goes this way: “If something bad hasn’t happened to you, it could if you don’t buy these products.”
Ah, the classic FUD pitch. Instilling fear, uncertainty and doubt was once the cornerstone of security selling. No more, say chief security officers, who are more conscious of corporate and business priorities and only willing to part with precious security dollars for things that they absolutely need.
FUD is about the possible, if not plausible. Bad things may happen, so businesses should take reasonable precautions to protect their infrastructure and data. The key words are “reasonable” and “may.” Bad things may happen, but it doesn’t mean they will and it’s hard to predict when they’ll happen—if at all. Security and business executives are becoming savvier about planning and implementing adequate levels of security rather than planning and implementing for an endless array of threat contingencies. Hence, the end to FUD as a purchasing driver.
At a recent CSO Interchange forum, security executives discussed their security budgets and spending plans. With more than two-thirds of their budgets going to human resources and most of the balance devoted to maintenance and licensing, they don’t have a lot of discretionary funding for excess security. If they’re to go with hat in hand to their chief financial officer or CEO for more money, they need a better rationale than FUD.
What does get them money for security products and projects? Three things:
1. Compliance: An auditor is requiring security changes or upgrades before certifying security worthiness. This is particularly true of businesses that must comply with Sarbanes-Oxley, the Health Insurance Portability and Accountability Act and Graham-Leach-Bliley Act .
2. Mandates: Industries, consortiums and large enterprises are becoming more effective in policing security. Large companies are able to mandate security requirements to their partners and suppliers. And, in the case of retailers and merchants, the credit card industry is mandating security standards for credit card processors through the Payment Card Industry Data Security Standard.
3. Incidents: Yes, the horse has left the barn and you have to clean up the mess. Sometimes it takes an actual incident—particularly one with a significant loss of money or assets—to compel an organization to take action to upgrade and strengthen security. This isn’t FUD; this is reality.
What about security metrics? Aren’t CSO and security planners poring over spreadsheets and workbooks to determine the value of data, infrastructure asset valuation, potential loss expectancies to security threats, annual loss expectancies, recovery time costs and, of course, return on security investment to justify security expenditures? CSOs say security metrics are nice academic exercises, but pretty useless in business practice because they’re ultimately—you guessed it—FUD. Calculations are fine, but no one really knows what’s going to happen or how much it’s going to cost until a breach occurs.
Security requires just as much business justification as purchasing servers, storage or business software. Security teams are being pressed to show a definitive need, which means security solution providers need to adjust their game and show how their products and services will reduce cost, improve compliance and ensure no repeats of security breaches. Fear no longer sells; business value does.
Lawrence M. Walsh is editor of Baseline magazine and regular columnist to Channel Insider. Share your channel views with him at firstname.lastname@example.org.