Friday, March 6, 2009

Why Do Businesses Buy Security?

Companies from small to enterprise-scale don't just want to run security programs or projects. Something drives them to do so. Over the past several years of helping extremely large enterprises and small businesses work through security programs and projects I've noticed that there really are 4 main drivers for this activity.
  1. Compliance - to comply with internal or external regulations
  2. Compelling Event - a response to an incident (typically a breach)
  3. Competitive Advantage - as a marketable advantage to their customers
  4. Due Diligence - to demonstrate some effort
I personally find that they break out as so [rough unscientific numbers]:
  1. Compliance --> 50%
  2. Compelling Event --> 30%
  3. Competitive Advantage --> 5%
  4. Due Diligence --> 15%
I've rambled and ranted for and against compliance in past conversations, and I think this illustrates my point even further. Now, I know these aren't scientifically accurate numbers, but based on experience most of the customers I've dealt with over the most recent 12 months have been driven to purchasing products & services because PCI says so. They're not actually interested in better security; they just want to do the minimum amount of work that allows them to check the box and move on.

[Compelling Event]
I have gotten many frantic, panicked calls over the last several months from people who read my blog, figure out where I work, and want to evaluate (as an example) web application security tools because they've had some incident they can't tell me about... but it's clear they're about to be audited or fined by some regulatory body and they must demonstrate they're trying to right their ship... like yesterday. This rarely goes well because the intention here is to fix (as Arian Evans pointed out recently on the WASC mailing list) a single instance of what troubles them.

[Competitive Advantage]
I've had the pleasure of working with 1 (yes, 1... in 12 months...) company, which I cannot name, that has started a comprehensive security programme in order to use it as a marketable competitive advantage. Whether this will be a straw man dressed in fine clothes... that is yet to be seen.

[Due Diligence]
Doing due diligence work is tough. There is a fine line between being able to say "we've done something" and "we're confident we have mitigated our risks appropriately" - not surprisingly most companies go for the former. Due diligence is all about demonstrating that you've done "what is necessary and proper" - which sucks because it's always left to interpretation. Who gets to say that you've done enough?

In the end you've probably realized by now that there is no option #5 - "To Be More Secure". Maybe it's today's economic climate, maybe it's that we're still selling life insurance to a reckless youth, or maybe we simply can't measure our own success... I'm going to go with all of the above for a thousand please, Alex.

1 comment:

Anonymous said...

I dunno. I have met some companies that actually do have a plan - not many, mind you, but a few. Part of me wants to be all like "Los, you're so cynical!" but damn, I tend to be too. I just think we HAVE to include that #5 category: the "dark horse" category that does exist in a few places. People who have processes, and are looking to improve them. People who are genuinely trying to adhere to the ever-nebulous "best practices". People who plan their security budgets (slim as they may be right now) intelligently, and buy tools that will actually improve security and reduce risk. I might put this one just above "competitive advantage" in terms of percentage.

Now that I've spread my exuberant optimism, feel free to tell me to STFU. :)