Sunday, March 21, 2010

Forget ROI and Risk. Consider Competitive Advantage

In my last post, Time and Cost to Defend the Town, I mentioned pondering different ways to discuss digital security with a new executive. This business leader reportedly said "every day, our businesses are competing in a global marketplace. How can we help them?" I thought about that statement and one idea came to mind:

Digital security helps businesses build competitive advantage.

I've decided that competitiveness is the new theme which I will use to justify my team's activities when discussing our mission with management.

It seems simple and accurate to me. Capable digital security teams help businesses build competitive advantage by keeping data out of the hands of adversaries.

Contrast competitiveness with two other popular paradigms for discussing digital security: ROI and risk. Imagine the following conversations. Which do you prefer?


1. "ROI-centric discussion"

Security person: Hello boss. We need to implement our security program because it has an ROI of $1 million dollars.

Boss: You mean if we adopt your program we're going to earn $1 million dollars?

Security person: No, we'll save $1 million.

Boss: Get out of my office. Come back after you've taken a finance class.


2. "Risk-centric discussion"

Security person: Hello boss. We need to implement our security program because I've calculated our risk to be 1.35.

Boss: What does that mean?

Security person: Hmm, ok I'll leave now.


3. "Competitiveness discussion"

Security person: Hello boss. We need to implement our security program because it will provide a competitive advantage to our businesses.

Boss: That's a new one. Tell me more.

Security person: We have adversaries who try to steal, and sometimes do steal, our data.

Boss: So what. Isn't it just World of Warcraft credentials?

Security person: Our adversaries steal intellectual property like design plans, pricing data, negotiation strategies, and other information which means they might understand our business as well as we do.

Boss: Is that true? You mean we could lose deals because our products are copied, our bids undercut, our positions already known? I wonder if that's why we lost a deal to MegaCorp last month...

Security person: Now that you mention it, here is a report on suspicious computer activity involving MegaCorp last week. Our team managed to interdict their theft attempt, but in the future we'd like to be able to detect and respond faster, as well as make it more difficult for the adversary to have a chance to steal our information.

Boss: Now you're talking. Sit down, let's discuss this.


Notice what happened here. Magazines written for CIOs, CTOs, CISOs, and so on constantly advocate "speaking the language of the business." Unfortunately this "language" has been assumed to be finance. As a result, security people tried to shoehorn their projects into ROI or ROSI, with laughable results.

As we've seen during the last few years, "risk" has turned out to be a dead end too. The numbers mean nothing. Even if you could somehow measure risk, it's easy enough for managers to accept a higher level of risk than the security manager.

Competitiveness, on the other hand, is everything to business people. They are constantly looking for an edge. In a tight economy, gaining an advantage over the competition could mean the difference between thriving and going out of business.

Notice that discussing competitiveness also avoids the death spiral associated with ROI discussions: cost. When conversation is ROI-centric, digital security is perceived as being a loss prevention exercise and a cost center. IT in general is often seen in this light. Don't dump money in a cost center -- cut spending instead!

When you turn the focus on the adversary -- you are threat-centric -- and discuss how he is trying to beat you and how you can beat him, you are likely to strike a primal chord in the mind of the business person. The executive is likely to wonder "what else can we do to give us a competitive advantage?" Suddenly the digital security shop is seen as a business partner in a common fight with the competition, not a cost center dragging down the "productive" elements of the business.

This isn't a new idea, but it's largely absent in the mindshare of digital security professionals. (If anyone has an ACM account I'd like to read Using information security to achieve competitive advantage by Charles Cresson Wood, 1991.) In addition to mentioning ROI and risk, it's important to remember that compliance is the other driver that is likely to justify funding. However, I believe we are more likely to see security shops spending resources explaining why their current activities meet regulatory requirements. I doubt new programs are going to be created to meet compliance needs, since compliance is basically a ten-year-old justification at this point.

22 comments:

Anonymous said...

Yup, that is what we have been doing for several years - bringing in the aspect of more peer discussion would benefit others also.

dre said...

Forget competitive advantage. Remember your customers!

CR said...

True, but known for years.
"Security as a business enabler" is a phrase that's gone around the block for at least 5 years.

And even ITILv3 has taken your last piece into its new framework.

:)

zqyves said...

hello,

Basically it is not giving a competitive advantage, it's protecting against others gaining a competitive advantage over you, or you gaining a competitive disadvantage.

I can see the fictitious conversation with the executive going your way the first couple of times. On the third you'll eventually be asked "and what have you been doing with all that money I have been giving you then?" so it's a rather short-lived argument.

Sadly (for the state of the industry), I think compliance will always be the way to ask money for security.

The only way to be seen as an equal partner is to find a business model where your work can be paid for directly by your customers, such as a service offering. That's when you start making money for the company...

./Z

Chris Blunt (Axenic) said...

I like the idea but I'm not convinced that it will work in all situations. What about organisations that don't compete for market sector? (e.g., Government Agencies)

I've just downloaded and read Charles Cresson Wood's article and he is talking about using security as a differentiator to gain competitive advantage when marketing the organisation's products and services.

Richard Bejtlich said...

A few thoughts:

dre: Customers are obviously important. My focus wasn't on protecting customer information.

CR: I dislike the "business enabler" theme. It's too vague. Oxygen is a business enabler too.

zqyves: I like what you said, but I slightly disagree. I think it is a competitive advantage if you protect your information better than another company. I guess in your thinking a "pure" competitive advantage means your organization goes offensive against peers. That's illegal for US organizations.

Regarding "what have you been doing" with the money, that's the easier part -- at least for my organization.

If you have a "service model" with paying customers, then you're an MSSP and this debate doesn't apply.

Chris: Thanks for checking the CCW article. Government agencies would have to think at the level of national security, i.e., is the US losing its competitive advantages when adversaries disclose/degrade/deny our information?

Jack said...

Some thoughts:

1) I agree completely with your position regarding ROI. Cost-benefit maybe, but not ROI. And even with cost-benefit we're still stuck with figuring out how to measure the benefit...

2) I also agree completely with your statements about a risk-based approach when the approach is as lame as some number on an ordinal scale. Ordinal scales for risk are largely meaningless, although I suppose an argument could be made that it can be an effective way to measure progress from measurement to measurement. Still...

3) Compliance has become important for regulated entities, but it doesn't apply to every business and even some regulated businesses pay marginal attention to it.

4) Protecting against the loss of competitive position due to theft of information is incredibly important for some businesses, but not for all. Boeing, yep. Intel, yep. Retail stores, insurance companies, and other places where high value intellectual property is far less prevalent -- not so much. In those cases, the business people are every bit as likely to laugh us out of the room on the "competitive advantage" argument as they are on an ROI argument. Their comments are going to sound something like:

* "Are you kidding? Someone from xyz company is going to risk going to jail over this kind of data? Let alone take the reputation exposure associated with it? Get out of my office until you've taken a reality pill or a prozac."

Clearly, there can be exceptions like M&A information and such, but it's not likely to be prevalent enough a concern to base your security program arguments on.

BTW -- how many of the companies you work for are engaged in this kind of corporate espionage? After all, they are the competition to someone else...

5) As for executive willingness to accept more risk than the security manager. You may be right, but it depends on the business person. Keep in mind though, that it's their prerogative (in fact it's their job) to decide on how much risk the organization is willing to take on and it's our job to help them make informed decisions. The fact that our profession is lousy at helping them make well-informed decisions about risk isn't their fault.

Thanks

Keydet89 said...

The only problem I see with any of this is that in each scenario, the first step is the Security Person going to the Boss. I know that this is something of an idealistic pipe-dream, but in today's day and age, the Boss should be going to the Security Person and getting them to develop a plan.

Given everything that we've seen over the past 10 or more years, it's clear that the bottom-up approach simply does not work. Many organizations do not have IR plans in place simply due to the fact that the Boss's priorities are (1) email/IM, (2) servicing customers and (3) getting paid. Nowhere in current business courses does there seem to be anything about "what do you do when an outside, third party comes to you and tells you that your customer's data has been exposed", or "why would you want to protect your customer's data"?

Richard Bejtlich said...

From the CCW article:

Four benefits are described below: improved image of the organization as a conscientious corporate citizen, enhanced customer confidence, new products and services, and new security features for existing products and services.

Francois said...

What makes me uneasy in promoting the security of a service: The marketing push may lead to more external threats willing to prove it really is not that secure.

Will the marketing benefits with customers and partners outweigh the renewed efforts of attackers to prove the company wrong and make it a public debacle?

It certainly is an interesting approach and with a solid and mature security focus could be pulled off.

Anonymous said...

Wow... It is pretty infrequently that I have heard so many people disagree with Richard... And I must unfortunately join the choirs. As the Security Engineer for a medium sized state I fail to see how "competitive advantage" applies to two of the largest computing environments (State and Federal Government).
It will take a lot of talking to move me from the point of view that "Security is a Cost," no different than insurance or your Corporate Counsel. Yes in tough times "costs" are on the chopping block, but that's when your CISO needs to step up and defend his/her shop. That's why you get the "C" in front of your name...
I have proposed for years that there is no ROI for computer security and that it is a waste of time to try and measure it. It's like asking a soldier to give you the ROI from digging a good foxhole; I guess the best you could say is that it offers him the best possible protection given his current situation. If you were to go offensive then it would afford him a good position from which to engage the enemy.

Mike Chesmore, CISSP

Richard Bejtlich said...

To everyone defending at least national infrastructures: consider what I said about national competitiveness. Our country is engaged in a great contest with other world powers, and competitiveness certainly plays a role.

As far as state and local issues, that's probably more about preserving citizens' privacy.

I guess at some point I should do a post contrasting privacy with security?

dearista said...

Brilliant Richard.

gunnar said...

Competitive advantage is a much better way to look at it. I would also include Customers. Customers and customer relationships have tangible, measurable value to the enterprise.

If a farmer grows the same high yield crop every year, looking only at short term profits, they do well for a while but then burn the fields out over time.

A longer-term focused farm rotates the crops and invests in tools and techniques to build the soil and other assets over time. Maximizing value over the long haul.

You can look at security this way: your security budget is in part predicated on building security on your customer's behalf by investing in the security organization, processes and tools that build current and future value for them.

Looked at from this perspective, you can measure the value of customers and target security resources accordingly.

So maybe the outcome looks like this

Security person: Hello boss I have identified our top 10 customers, and assessed where there are gaps in our security around the assets that we store and process on their behalf. If we want to continue to do business with them, here is a practical plan to secure their assets.

Chris Clymer said...

Wouldn't a blended argument work a little more effectively? I would expect most CXOs to be looking for some data on how likely this industrial espionage situation is for their company...in other words, to some degree, you're still talking about risk.

Obviously cost will always be something discussed as well. Not making it your leading argument sounds sensible to me, but any CXO is eventually going to come back to ROI.

I understand the approach though...with your focus on improving competency at incident _detection_, the more successful your team is, the more incidents your company has reported. It's very difficult to get some folks' heads wrapped around the idea that these things were already happening; all you did was look harder. And if you're given more resources to look even harder, you're only going to find more incidents. Many CXOs are going to recoil and wonder if life might be easier if they just didn't know. And once again you're back to risk...how do you explain to the CXO the potential loss?

Putting risk in arbitrary numbers without context isn't good for anyone. Security risk has no choice but to be qualitative most of the time; there aren't reliable metrics for most of the factors we're accounting for, and anyone who feels otherwise is either a lot smarter than I am, or a little detached from reality. But we all make decisions based on risk, both in business and in security...it's just a matter of how formal we are about it.

extantproject said...

People don't do business with companies that don't give them what they pay for or that treat them poorly. The biggest "competitive advantage" is giving a shit about the people that buy what your company produces. Isn't the extent to which security problems cause customers to not get what they pay for (directly or indirectly) or causes them to be mistreated (directly or indirectly) the extent to which they're problems at all?

A company dies unless they receive money from people in return for the things they create or do, therefore everything a company does must center around those people (customers). Maybe the best way to justify having (or increasing) security operations at a company to the people that 'run' the company is by asking how security operations helps get the customers what they pay for and treats them well?

Frame it around people; wallets and checkbooks don't make decisions.

Anonymous said...

Fear is always the motivator in business. But, nice packaging.

Colin Watson said...

The three example dialogues are an excellent way of discussing alternative approaches.

In a recent report from the UK Information Commissioner's Office, four alternative aspects of personal data value were presented:

- its value as an asset used within the organisation’s operations;
- its value to the individual to whom it relates;
- its value to other parties who might want to use the information, whether for legitimate or improper purposes;
- its societal value as interpreted by regulators and other groups.

These values, and the related benefits can be useful in building business cases for CXOs. The report is:

The Privacy Dividend, March 2010, ICO

(I am a joint author of the report)

Anonymous said...

I totally buy this position on security as competitive advantage when you're combatting espionage from your competitors.

Unfortunately, in any other case I really think it gets too close to the nasty "business enablement" argument.

I really think business in general is more like what zqyves said: avoiding competitive disadvantage.

Will security make money? Not unless that is your industry.

Will security give you an advantageous position over your competitors? Perhaps from the org's perspective (à la I just have to outrun you, not the bear), but I would suspect most customers will respond more strongly to security breaches than they would in a positive manner to good security. In other words, will your security make me choose you, or will your breaches make me move away from you? Which really just gets back to risk.

This almost feels like hijacking a term executives use just so we can be talking in their terms. But we haven't really brought anything new.

Actually, wouldn't this discussion at some point cause an exec to ask, "Well, why don't we go on the offensive and attack and perform espionage on our competitors? Now *that* could be a competitive advantage!"

-LonerVamp

dagerm89 said...

Consider this a thank you for keeping this blog up!

Here's the Wood article you were looking at from 1991 :)

http://www.yousendit.com/download/bFFPT204NnkwVW52Wmc9PQ

Marcelo said...

What about the infosec maturity level approach?
Maturity Level can demonstrate process efficiency, level of automation, visibility and reachability in the company environment, control efficiency.
In the boss to sec guy talk we will be able to show the target level we want to achieve, which risks it can mitigate and for residual risks: how prepared the company is to respond to them.
Thoughts Richard?

LowLatency said...

Sweet, delicious irony. I just read this post after sending an email to a client's "Security Officer" (SO, not CSO) justifying my sense of urgency in implementing a password policy. Currently the client's password policies are weak enough to represent almost no obstacle to even unsophisticated attackers, let alone APT. I went with competitive advantage as my justification. I also used the argument that National Security is a competitive advantage, as the client works with technologies that are targeted by both commercial and governmental entities.