I’ve been in this business a long time – longer than most, though not as long as some. That longevity provides perspective, and has allowed me to observe the pendulum swinging back and forth more than once. This particular pendulum is the security as an enabler concept – you know, positioning security not as an overhead function but as a revenue driver (either direct or indirect).
Jeremiah’s post earlier this week, PROTIP: Security as a Differentiator, brought back that periodic (and ultimately fruitless) discussion. His general contention is that security can differentiate an offering, ultimately leading to security being a vehicle that drives revenue. So before we start down this path again, let me squash it like the cockroach it is.
First we examine one of Jeremiah’s contentions:
When security is made visible (i.e. help customers be and feel safe), the customer may be more inclined to do business with those who clearly take the matter seriously over others who don’t.
That’s not entirely false. But the situations (or in marketing speak, segments) where that is true are very limited. Banks have been telling me for years that churn increases after a breach is publicized, and the ones that say they are secure gain customers. I still don’t buy it, mostly because the data always seems to come from some vendor pushing their product to protect bank customer data.
The reality is that behavior does not follow words when it comes to security. Whether you sit on the vendor side or the user side you know this. When you ask someone if they are worried about security, of course they say yes. Every single time. But when you ask them to change their behavior – or more specifically not do something they want to because it’s a security risk – you see the reality. The vast majority of people don’t care about security enough to do (or not do) anything.
Jeremiah is dreaming – if he were describing reality, everyone related to the security business would benefit. Unfortunately it’s more of a PRODREAM than a PROTIP. Or maybe even a PROHALLUCINATION. He’s not high on peyote or anything. Jer is high on the echo chamber. When you hang around all day with people who care about security, you tend to think the echo chamber reflects the mass market. It doesn’t – not by a long shot.
So spending a crapload of money on really being secure is a good thing to do. To be clear, I would like you to do that. But don’t do it to win more business – you won’t, and you’ll be disappointed – or your bosses will be disappointed in you for failing to deliver. Invest in security because it’s the right thing to do. For your customers and for the sustainability of your business. You may not get a lot of revenue upside from being secure, but you can avoid revenue downside.
I believe this to be true for most businesses, but not all. Cloud service providers absolutely can differentiate based on security. That will matter to some customers and possibly ease their migration to the cloud. There are other examples of this as well, but not many.
I really wish Jeremiah was right. It would be great for everyone. But I’d be irresponsible if I didn’t point out the cold, hard reality.
Photo credit: “3 1 10 Bearman Cartoon Cannabis Skunk Hallucinations” originally uploaded by Bearman2007
5 Replies to “PROREALITY: Security is rarely a differentiator”
Don’t forget, nearly all of JG’s blog posts are furthering Whitehat’s agenda.
In this case, it pushes the Whitehat seal/certification.
I believe you forgot to mention that part Mike.
@bobby, I agree that B2B companies can fail if they have a significant breach. That isn’t my argument. It’s whether they will buy one product over another because it’s perceived to be *more secure.* I don’t think so. I don’t believe that in that case a product/service (except in rare instances) can differentiate based on being more secure.
@joshbw, appreciate your perspectives. I just haven’t seen it in practice often at all. Let’s say I sell a product offering to credit unions. If it involves private data, obviously you have to show the customer how you protect the data. In my book, that’s a capability that *must* be there. You are not going to differentiate on it. Now if your shop does 5 other security things that the competition doesn’t do, and customers respond to that with their money, that would be one of the edge cases I refer to.
But what I’ve seen in the vast majority of examples is that a low bar of security is sufficient, and the differentiation happens based on business oriented features of the offering.
I don’t think the segment is as narrow as you make it out to be. If your customer base is primarily security-conscious enterprises then demonstrable security practices can be fairly important in terms of sales (depending on the competition it can either be a useful differentiator or a market necessity to just stay competitive).
Now granted, the degree to which this is true is proportional to the risk your market segment represents to those customers. It also isn’t the single selection criterion by any stretch, but it does matter. Having done many a vendor evaluation for various previous employers during their selection process, I can say the security evaluations DID have an appreciable impact on the selection criteria. Given the risk profile my current enterprise represents to our customers, we fairly regularly have customer or third-party pen tests performed on our apps. You can’t tell me that the customer is willing to spend the resources for that but doesn’t actually care what the results are.
On top of that there are plenty of ways to leverage specific practices during sales engagements – for example, some of our onsite products for small businesses store the bulk of our customer’s sensitive personal information. Because we encrypt it at storage, during transport, and have display masking they get a discount in their breach insurance policy that is not insignificant (of course a single SQL Injection can bypass all of those controls, but don’t tell the insurance companies). That becomes a selling point.
I have to agree with you Mike. But I think there is a caveat. I have been observing the stock price & revenue reports for companies experiencing a security breach. Companies that have a C-to-C business model, i.e. those that service consumers or the public, in general, have a small dip but recover very fast. Two perfect examples are Hannaford and TJX. It could be that the public doesn’t realize that TJX is TJ Maxx. But I doubt it because the media seemed to make that clear. So in a C-to-C company, minimal breach impact.
However, when you look at a B-to-B model, i.e. those that service other businesses, the cost of a security breach can put a company out of business. An example of this was the Choicepoint breach of 2005-2005. Choicepoint was sold in 2008 after suffering millions in losses. And I have seen the loss of clients when a services company experiences a “security event”.
The loss of trust between businesses is one driven by liability – if you do business with a company that has experienced a breach, you are engaging in risky behavior and that can be used against you.
The public is much more forgiving. They grumble and moan, and go right back to doing business with the company if it is convenient and they like their product. Does anyone remember Apple’s “breach” in 2010? Are they hurting for business?
Bobby
TJ Maxx’s revenues went UP after their big breach. What mattered more to its customers than security? A good deal on clothes, I guess.
There probably is a market segment that cares more about security than other factors but I don’t know what it is. Price is typically the primary driver even for business decisions.