Hello,
I have a well-researched theory (OK, well-researched by me, and since this is my column…you get the picture) that most cybersecurity wisdom stems from 1970s punk rock. For example, in 1977, Joey Ramone graced us with this observation, which was philosophical, pithy, and deeply insightful all at once:
I don’t care (he don’t care)
I don’t care (he don’t care)
I don’t care (he don’t care)
About this world
I don’t care (he don’t care)
About that girl
I don’t care (he don’t care)[1]
Now, there are some who might say that I’m reading too much into these lyrics, which are obviously about teenage relationship angst. To those worthies I respond with a thoughtful and deeply considered rejoinder: Pbbbbbbbbbbbt!
What Joey was clearly singing about was how potential customers think about cybersecurity products that tout security as their unique (or primary) selling point. That is, they just don’t care. More precisely, while a nebulously defined caste of security professionals might care, the people writing the checks generally don’t. “But muh security, bro!” isn’t a winning sales strategy.
Part of the apathy stems from the idea that selling security is selling a paradox: The only way to know if it’s working is for nothing to happen. But, if nothing is happening, what evidence is there that it’s working? Another part results from the reality that every vendor promises a security panacea, and the terms security and cybersecurity are so overused as to become meaningless. The likelihood of a successful deal is inversely proportional to the degree that potential customers are overwhelmed with terms they don’t fully understand.
Put another way, security is table stakes, and if security is a commercial organization’s “calling card,” the organization probably needs a new way to introduce itself. Something more must be offered.
What resonates with potential customers are things that have a tangible impact on the business bottom line or that are responsive to a clear and compelling problem. Some examples:
- Speed, efficiency, and productivity: Security products are notorious for inducing organizational drag. Improved efficiency that comes with improved security translates to improved profitability coupled with cost savings that directly impact the bottom line.
- Direct cost reduction: When security improvements enable retirement of one or more expense generators that have a cost greater than the new product being acquired, without a loss of capability, suddenly both the check writers and the technologists take notice.
- Solution to a looming problem: The notion that a security product is a solution to a significant, imminent, and well-understood problem creates immediate and time-sensitive relevance far beyond a vague notion of security.[2] For example: The Coming Quantumpocalypse, or Q-Day, is the day when quantum computers will be capable of routinely breaking the asymmetric cryptography that keeps communications and information confidential. It’s easy to grasp how something that mitigates the problem of “no more secrets, no more privacy, ever” adds tremendous value.
It’s easy to get caught up in security esoterica, but the cybersecurity industry isn’t about filling its own needs. It’s about meeting the needs of the broader American and global economies, and to do that, security products must, first and foremost, be business products.
Build it right, America.
Adam Firestone
Editor-in-Chief