Coupons. Frequent flyer miles. Rebates. Loyalty programs. Member specials. Double coupon days. Frequent buyer programs. Weekly drawings. Big sales events. Seasonal sales. Presidents day sales. Sales tax holiday sales. Going out of business sales. Private clearance sales. 2 for 1 sales. Buy 2 get 1 free.

Sometimes it strikes me just how weird commercial promotions are. It’s a sport where nothing is as it seems. We don’t just buy things – we have to make a game out of it. A game slanted against those who don’t follow the rules, don’t care to play, or just plain can’t do math. We don’t base most of our buying decisions on price vs. quality – instead we are always looking for an angle or a deal. We want to “game the system”, so business provides games to feed our habit.

‘Exclusive’ Internet deals. ‘Sticker’ books. Rewards programs. Receipt Bingo. Discount ‘accelerators’. Friends fly free. Nights and weekend minutes. Family plans. Price match guarantee. All while playing classical music (or country music here in the South) and telling you how smart you are.

It’s not just retail merchants either. We made mortgages into a game: mortgage brokers, mortgage ‘points’, marketing fund indexes, teaser rates, interest rate buy-backs, variable interest, no-interest, balloon notes, FHA programs, tax credit programs, no-doc, and any other combination of variables that can be shuffled to squeeze you into a deal. Heck, we even get games from our government. Our tax system is essentially a game. There is absolutely no such thing as a straight formula. We are incentivized to find for ways bend the rules without a violation and penalty – especially with the new tax codes – to tweak what you pay. If you know how to leverage the code in your favor, you pay far less. And if you don’t know the rules of the game you pay more.

We get distractions like “Secret codes” – announced over the radio. Cute reptiles with Cockney accents which equate buying their product with drinking tea and eating cake. Preferred memberships. Free shipping on orders over $25. Double-discount Wednesdays. Your tenth cup of coffee free. Free gift with purchase. Free credit reports. Trade-ins. Trade-ups. Free upgrades. Get more. Pay less. Bring the kids! You are so very smart to take advantage of our one-time-only 9-year auto lease program with an 70% residual cap! Because, after all, you deserve it! Hey, do I hear Mozart?

Our healthcare system is even more of a game than our tax system, but it’s much less obvious, except to people who try to avoid playing by the rules. Pre-existing conditions? Preferred provider networks? Anyone? Ever have a hospital say they can’t tell you what you owe so you have to wait for your bill? That’s because they don’t know. Nobody does. Price is an illusion that only comes into focus when the medical provider determines what your insurance provider(s) will swallow. It’s a game within a game. Don’t believe me? Trying paying for medication or a simple office visit without providing health insurance details. The price quintuples after the fact. And people who don’t play, aka those without health care, know they pay a premium when the get services. It’s a giant shell game, and your motivation to play comes through through cheap copays and the lure of the pre-tax spending set-aside.

And you will play the game. After all, you want to be healthy, don’t you? Pay the premiums, follow the process and nobody get’s hurt!

I know the basic scam is selling a dream while masking the truth. What I have not figured out is whether all these games are just a by-product of sales people trying to sell the unpalatable – and how they prefer to sell it – or if people have genuinely come to enjoy the game so much they no longer care. Who knows? Maybe it’s both. I know some people who won’t buy if they don’t have a coupon, but the more serious problem is people who always buy when they have a coupon – regardless of need. But people like to play, and it all feels so much more virtuous than roulette or poker. How many of you have a free set of pots from the supermarket? Or a knife set? Or buy gas across the street because they accept your grocery reward card? How many of you shop on double-coupon days? How many loyalty cards are in your wallet?

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

  • Mike Rothman: A Public Call for eWallet Design Standards. Everyone wants a free lunch, even if it’s not even remotely free. Folks will eventually learn the evil plans of these marketing companies (offering said eWallets) the hard way. And I’ll be happy I pay for 1Password to protect all my important info.
  • Adrian Lane: Managed Services in a Security Management 2.0 World. When adopting complex solutions, managed services are a pretty attractive option in terns of risk reduction and skills management.

Other Securosis Posts

Favorite Outside Posts

  • Mike Rothman: End of year predictions. One of the only guys who can rival my curmudgeonly ways, Jack Daniel offers some end of year perspective. Like ‘Admitting that “life is a crap shoot” doesn’t get you the respect it should.’ Amen, brother.
  • Adrian Lane: Jobs Was Right: Adobe Abandons Mobile Flash, Backs HTML5. Big news with big security ramifications (i.e., this is good for security too)!

Project Quant Posts

Research Reports and Presentations

Top News and Posts

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Yinal Ozkan, in response to Managed Services in a Security Management 2.0 World. It’s long, but it’s good!

Mike, Well organized post, thank you. Having spent my past life on MSSPs here is my checklist:

1) Information security know-how of existing workforce. People matters; the engineers who will be handling complex operations are a key element. Check retention rate, average years of INFOSEC experience, certifications, network know-how etc

2) 3rd party security certifications. Customers give the keys of all of their assets to MSSP. MSSPs must be audited , tested by 3rd parties regularly, check for ISO 27001, SAS-70 or similar certifications . Ask for the scope and the results of audits – not the certificate/

3) Redundancy and resilience. MSSPs must have more than 1 security operation center (SoC), all of your data cannot be risked in a single location. Operation of customers’ business should not be effected with a failure of any single component on MSSP side. Ask about replication/sync options.

4) Privacy Concerns. Make sure that the MSSP understands the privacy as well as the security. Verify regional privacy requirements (it gets complex when the data starts crossing borders)

6) Support for a large set of over the counter security appliances(Ask names). Most of the MSSPs can only support a small subset of security devices, this will limit the functionality at customer side

Security devices make less than 5% of enterprise. Support for managing security on non-security appliances/solutions is a critical requirement (Even if a SIEM is involved). Managing security on network hardware, virtualization infrastructure, servers, end points storage and enterprise apps are as important as managing security of dedicated security solutions.

7) Event correlation engines and algorithms. Security Event Management is a key feature. Verify that the MSSP can correlate alerts among multiple systems, brands, locations etc. This is a very complex business when billions of alerts are received.

8) Device management capability. Managed security is not just about remote monitoring, sometimes MSSPs need local presence at customer premises. Large scale MSSPs do not rely on centralized management consoles in their SOCs, they develop their own customer premises equipment. These devices allow customer premises log collections, local alert correlation, backups, out-of-band access, power control, dial-backup, bare metal installs etc. MSSP CPE allows 1 single connection from MSSP to customer instead of hundreds of punches on external firewalls.

9) Vendor relationship, if the MSSP is managing an information security appliance, there will be times where strong vendor support is required, make sure that the MSSP has highest vendor partnerships, and maximum number of product certified engineers . Ask for certification levels / trained engineers

10) Portal. All customer facing operations should be available on portal with extensive reporting. Access must be controlled with strong authentication. Portal should have its own application server to increase functionality and speed (instead of a database interface).

11) 7X24X365 multilingual phone support. Ability create ticket, requests via alternative channels (portal should not be the only interface)

12) Rock Solid Service Level Agreements.(SLAs). SLAs must be detail oriented and they should cover all the corners. There must be clear response times, availability promises, escalation procedures. A charge back schema is essential when SLAs are not met.

13) Full support for ITIL stack: Change Management, Problem Management, Incident Management, Configuration Management and other major tasks must be well documented, and MSSP must provide these services for the customers

14) GRC Stack. MSSP should better support clients’ GRC requirements. Also gnerating necessary data/report/monitoring for compliance is a great add-on (e.g. PCI)

15) Dedicated technical account manager (TAM). Customers should not be talking with a new face when they have questions. Customers need a technical contact who understands their resources, network, requirements etc.

16) Solid QA process, quality of the services must be monitored by an independent QA process

17) Integration with 3rd parties. MSSP should be able to communicate with customer hosted or internet hosted services, like telecom service providers, cloud service providers,remote infrastructure management services, enterprise apps, compliance packages, risk management systems, content security providers, DR Services etc

cheers, – yinal