Forget ROI and Risk. Consider Competitive Advantage
In my last post, Time and Cost to Defend the Town, I mentioned pondering different ways to discuss digital security with a new executive. This business leader reportedly said "every day, our businesses are competing in a global marketplace. How can we help them?" I thought about that statement and one idea came to mind:
Digital security helps businesses build competitive advantage.
I've decided that competitiveness is the new theme which I will use to justify my team's activities when discussing our mission with management.
It seems simple and accurate to me. Capable digital security teams help businesses build competitive advantage by keeping data out of the hands of adversaries.
Contrast competitiveness with two other popular paradigms for discussing digital security: ROI and risk. Imagine the following conversations. Which do you prefer?
1. "ROI-centric discussion"
Security person: Hello boss. We need to implement our security program because it has an ROI of $1 million dollars.
Boss: You mean if we adopt your program we're going to earn $1 million dollars?
Security person: No, we'll save $1 million.
Boss: Get out of my office. Come back after you've taken a finance class.
2. "Risk-centric discussion"
Security person: Hello boss. We need to implement our security program because I've calculated our risk to be 1.35.
Boss: What does that mean?
Security person: Hmm, ok I'll leave now.
3. "Competitiveness discussion"
Security person: Hello boss. We need to implement our security program because it will provide a competitive advantage to our businesses.
Boss: That's a new one. Tell me more.
Security person: We have adversaries who try to steal, and sometimes do steal, our data.
Boss: So what. Isn't it just World of Warcraft credentials?
Security person: Our adversaries steal intellectual property like design plans, pricing data, negotiation strategies, and other information which means they might understand our business as well as we do.
Boss: Is that true? You mean we could lose deals because our products are copied, our bids undercut, our positions already known? I wonder if that's why we lost a deal to MegaCorp last month...
Security person: Now that you mention it, here is a report on suspicious computer activity involving MegaCorp last week. Our team managed to interdict their theft attempt, but in the future we'd like to be able to detect and respond faster, as well as make it more difficult for the adversary to have a chance to steal our information.
Boss: Now you're talking. Sit down, let's discuss this.
Notice what happened here. Magazines written for CIOs, CTOs, CISOs, and so on constantly advocate "speaking the language of the business." Unfortunately this "language" has been assumed to be finance. As a result security people tried to shoehorn their projects into ROI or ROSI, to laughable results.
As we've seen during the last few years, "risk" has turned out to be a dead end too. The numbers mean nothing. Even if you could somehow measure risk, it's easy enough for managers to accept a higher level of risk than the security manager.
Competitiveness, on the other hand, is everything to business people. They are constantly looking for an edge. In a tight economy, gaining an advantage over the competition could mean the difference between thriving and going out of business.
Notice that discussing competitiveness also avoids the death spiral associated with ROI discussions: cost. When conversation is ROI-centric, digital security is perceived as being a loss prevention exercise and a cost center. IT in general is often seen in this light. Don't dump money in a cost center -- cut spending instead!
When you turn the focus on the adversary -- you are threat-centric -- and discuss how he is trying to beat you and how you can beat him, you are likely to strike a primal chord in the mind of the business person. The executive is likely to wonder "what else can we do to give us a competitive advantage?" Suddenly the digital security shop is seen as a business partner in a common fight with the competition, not a cost center dragging down the "productive" elements of the business.
This isn't a new idea, but it's largely absent in the mindshare of digital security professionals. (If anyone has an ACM account I'd like to read Using information security to achieve competitive advantage by Charles Cresson Wood, 1991.) In addition to mentioning ROI and risk, it's important to remember that compliance is the other driver that is likely to justify funding. However, I believe we are more likely to see security shops spending resources explaining why their current activities meet regulatory requirements. I doubt new programs are going to be created to meet compliance needs, since compliance is basically a ten-year-old justification at this point.
Comments
"Security as a business enabler" is a phrase that's gone around the block for at least 5 years.
And even ITILv3 has taken your last piece into its new framework.
:)
Basically it is not giving a competitive advantage, it's protecting against others gaining a competitive advantage over you, or you gaining a competitive disadvantage.
I can see the fictitious conversation with the executive going your way the first couple of times. On the third you'll eventually be asked "and what have you been doing with all that money I have been giving you then?" so it's a rather short lived argument.
Sadly (for the state of the industry), I think compliance will always be the way to ask money for security.
The only way to be seen as an equal partner is to find a business model where your work can be paid for directly by your customers, such as a service offering. That's when you start making money for the company...
./Z
I've just downloaded and read Charles Cresson Wood's article and he is talking about using security as a differentiator to gain competitive advantage when marketing the organisation's products and services.
dre: Customers are obviously important. My focus wasn't on protecting customer information.
CR: I dislike the "business enabler" theme. It's too vague. Oxygen is a business enabler too.
zgyves: I like what you said, but I slightly disagree. I think it is a competitive advantage if you protect your information better than another company. I guess in your thinking a "pure" competitive advantage means your organization goes offensive against peers. That's illegal for US organizations.
Regarding "what have you been doing" with the money, that's the easier part -- at least for my organization.
If you have a "service model" with paying customers, then you're a MSSP and this debate doesn't apply.
Chris: Thanks for checking the CCW article. Government agencies would have to think at the level of national security, i.e., is the US losing its competitive advantages when adversaries disclose/degrade/deny our information?
1) I agree completely with your position regarding ROI. Cost-benefit maybe, but not ROI. And even with cost-benefit we're still stuck with figuring out how to measure the benefit...
2) I also agree completely with your statements about a risk-based approach when the approach is as lame as some number on an ordinal scale. Ordinal scales for risk are largely meaningless, although I suppose an argument could be made that it can be an effective way to measure progress from measurement to measurement. Still...
3) Compliance has become important for regulated entities, but it doesn't apply to every business and even some regulated businesses pay marginal attention to it.
4) Protecting against the loss of competitive position due to theft of information is incredibly important for some businesses, but not for all. Boeing, yep. Intel, yep. Retail stores, insurance companies, and other places where high value intellectual property is far less prevalent -- not so much. In those cases, the business people are every bit as likely to laugh us out of the room on the "competitive advantage" argument as they are on an ROI argument. Their comments are going to sound something like:
* "Are you kidding? Someone from xyz company is going to risk going to jail over this kind of data? Let alone take the reputation exposure associated with it? Get out of my office until you've taken a reality pill or a prozac."
Clearly, there can be exceptions like M&A information and such, but it's not likely to be prevalent enough a concern to base your security program arguments on.
BTW -- how many of the companies you work for are engaged in this kind of corporate espionage? After all, they are the competition to someone else...
5) As for executive willingness to accept more risk than the security manager: you may be right, but it depends on the business person. Keep in mind though, that it's their prerogative (in fact it's their job) to decide on how much risk the organization is willing to take on and it's our job to help them make informed decisions. The fact that our profession is lousy at helping them make well-informed decisions about risk isn't their fault.
Thanks
Given everything that we've seen over the past 10 or more years, it's clear that the bottom-up approach simply does not work. Many organizations do not have IR plans in place simply due to the fact that the Boss's priorities are (1) email/IM, (2) servicing customers and (3) getting paid. Nowhere in current business courses does there seem to be anything about "what do you do when an outside, third party comes to you and tells you that your customer's data has been exposed", or "why would you want to protect your customer's data"?
Four benefits are described below: improved image of the organization as a conscientious corporate citizen, enhanced customer confidence, new products and services, and new security features for existing products and services.
Will the marketing benefits with customers and partners outweigh the renewed efforts of attackers to prove the company wrong and make it a public debacle?
It certainly is an interesting approach and with a solid and mature security focus could be pulled off.
It will take a lot of talking to move me from the point of view that “Security is a Cost ” no different than insurance or your Corporate Counsel. Yes in tough times “costs” are on the chopping block, but that’s when your CISO needs to step up and defend his/her shop. That’s why you get the “C” in front of your name…
I have proposed for years that there is no ROI for computer security and that it is a waste of time to try and measure it. It's like asking a soldier to give you the ROI from digging a good foxhole; I guess the best you could say is that it offers him the best possible protection given his current situation. If you were to go offensive then it would afford him a good position from which to engage the enemy.
Mike Chesmore, CISSP
As far as state and local issues, that's probably more about preserving citizen's privacy.
I guess at some point I should do a post contrasting privacy with security?
If a farmer grows the same high yield crop every year, looking only at short term profits, they do well for a while but then burn the fields out over time.
A longer-term focused farm rotates the crops and invests in tools and techniques to build the soil and other assets over time. Maximizing value over the long haul.
You can look at security this way: your security budget is in part predicated on building security on your customer's behalf by investing in a security organization, processes and tools that build current and future value for them.
Looked at from this perspective, you can measure the value of customers and target security resources accordingly.
So maybe the outcome looks like this
Security person: Hello boss, I have identified our top 10 customers, and assessed where there are gaps in our security around the assets that we store and process on their behalf. If we want to continue to do business with them, here is a practical plan to secure their assets.
Obviously cost will always be something discussed as well. Not making it your leading argument sounds sensible to me, but any CXO is eventually going to come back to ROI.
I understand the approach though...with your focus on improving competency at incident _detection_ the more successful your team is, the more incidents your company has reported. It's very difficult to get some folks' heads wrapped around the idea that these things were already happening, all you did was look harder. And if you're given more resources to look even harder, you're only going to find more incidents. Many CXOs are going to recoil and wonder if life might be easier if they just didn't know. And once again you're back to risk...how do you explain to the CXO the potential loss?
Putting risk in arbitrary numbers without context isn't good for anyone. Security risk has no choice but to be qualitative most of the time; there aren't reliable metrics for most of the factors we're accounting for, and anyone who feels otherwise is either a lot smarter than I am, or a little detached from reality. But we all make decisions based on risk, both in business and in security...it's just a matter of how formal we are about it.
A company dies unless they receive money from people in return for the things they create or do, therefore everything a company does must center around those people (customers). Maybe the best way to justify having (or increasing) security operations at a company to the people that 'run' the company is by asking how security operations helps get the customers what they pay for and treats them well?
Frame it around people; wallets and checkbooks don't make decisions.
In a recent report from the UK Information Commissioner's Office, four alternative aspects of personal data value were presented:
- its value as an asset used within the organisation’s operations;
- its value to the individual to whom it relates;
- its value to other parties who might want to use the information, whether for legitimate or improper purposes;
- its societal value as interpreted by regulators and other groups.
These values, and the related benefits can be useful in building business cases for CXOs. The report is:
The Privacy Dividend, March 2010, ICO
(I am a joint author of the report)
Unfortunately, in any other case I really think it gets too close to the nasty "business enablement" argument.
I really think business in general is more like what zqyves said: avoiding competitive disadvantage.
Will security make money? Not unless that is your industry.
Will security give you an advantageous position over your competitors? Perhaps from the org's perspective (ala I just have to outrun you, not the bear), but I would suspect most customers will respond more strongly to security breaches than they would in a positive manner to good security. In other words, will your security make me choose you, or will your breaches make me move away from you? Which really just gets back to risk.
This almost feels like hijacking a term executives use just so we can be talking in their terms. But we haven't really brought anything new.
Actually, wouldn't this discussion at some point cause an exec to ask, "Well, why don't we go on the offensive and attack and perform espionage on our competitors? Now *that* could be a competitive advantage!"
-LonerVamp
Here's the Wood article you were looking at from 1991 :)
http://www.yousendit.com/download/bFFPT204NnkwVW52Wmc9PQ
Maturity Level can demonstrate process efficiency, level of automation, visibility and reachability in the company environment, control efficiency.
In the boss to sec guy talk we will be able to show the target level we want to achieve, which risks it can mitigate and for residual risks: how prepared the company is to respond to them.
Thoughts Richard?