The security industry is one of the most interesting and exciting fields of technology. The pace in which things move and the sophistication of the work being done is unparalleled. However, there is one drawback that mainly affects the business and marketing side of a security vendor and that is, nobody “really wants” to buy security, they just know it’s necessary.
Our industry does not suffer from a lack of hype or point solutions. If a piece of networking equipment, software application, hardware, etc. exists, we have a security solution for it and can probably provide a list longer than your arm as to why you need it and more importantly, why you should buy it. It may seem cynical, but I believe we’ve stopped paying attention to what really matters in the industry and have lost a bit of focus.
I recently touched on some additional industries that suffer from being considered “necessary evils” by corporations but perhaps the one that most mirrors security is the insurance industry. They both represent avenues to protecting the most critical of assets, they are widely recognized as a business necessity, not a luxury, and there tends to be quite a bit of noise and uncertainty around how to appropriately allocate budget.
There is a popular expression known as insurance poor. Essentially this refers to the situation in which you’ve spent so much on insurance, preparing for a worst case scenario, that you don’t have the funds to adequately address other expenses. This can hold true for the security industry as well. You could easily spend a majority of an IT budget on security solutions at the expense of other technology initiatives that are providing greater value to the organization. In preparation, I came across a well-written explanation to this phenomenon by a company called Peterson International Underwriters. Here is their excellent synopsis:
Consumers are not anxious to buy insurance. The product has no chrome strips, no moving parts, one cannot eat it, sit on it, or ride on it, and one surely would not hang it on the wall to show friends. It lies in a dusty drawer, unseen and out of mind except when the premium due notice arrives, or in the event of applying for a claim.
If there has been no claim benefits paid out under a policy, the consumer is likely to have little appreciation of the product. Peace of mind is a dividend from an unused policy. It is difficult to appreciate a policy when there is no dollar basis by which to measure it’s value.
“I’m Insurance Poor” is a standard cliché offered by many consumers to express their dislike of spending so much money on lackluster products. In many cases the consumer is saying, “I’m poorly insured.”
You could easily replace the term insurance for security in the above passage and it would apply equally as well.
The theme here is that whether it is insurance or security, you have a limited amount of budget to spend so you need to carefully consider what is most important to protect. In terms of insurance, healthcare for you and your family, your home and your primary modes of transportation would be high on the list of things to protect. In business, items such as intellectual property, customer data, and financial information would be critical to protect.
Just because you can buy insurance or security for nearly every aspect of your existence, it doesn’t mean that you should. This point was recently driven home for me at a retail store when I purchased a $40 video game as a gift. At the register they asked if I wanted to add the extended two year warranty (or insurance) at a cost of $22. While I’ll be the first to admit I know nothing of video games, I like to think that as a CEO I do know a little about business and investing. The concept of spending more than 50 percent of the product value on a two year insurance policy seems absurd to me.
Yet at the same time, I meet with customers and prospects every day that spend large amounts of valuable IT budget on securing areas that represent minimal risk to the organization. At the end of the day, it all comes down to making decisions based on priorities. You can’t insure or protect everything in your life or business; you have to be willing to accept some level of risk. The important thing to do is take a predictive approach to these risks and determine what is most important and spend the majority of your money and efforts protecting these things.
When it comes to losing IP and other data that can’t be replaced, that’s the real “Game Over” for your business.