The “security frontier” has moved from firewalls and anti-virus to IM and VoIP security. However, convincing people and organizations to implement effective security measures has not become easier, so we must ask ourselves:
Is security worth it?
First, let’s look at how vendors attempt to sell security. There is usually some FUD factor involved. Years ago it was pretty blunt, concentrating on web defacements and Denial of Service takedowns “the hackers are coming”. Now, sleek statistics from reputable firms or institutions are used, so the language has also become more grown up: “organizations should secure,”, “we must ensure that every piece of critical information in a company is appropriately secured”, etc. The problem with these approaches is that the need for security is not personalized enough to trigger a buying decision.
Security as insurance does not work really well because either people can see through FUD and dismiss it as a cheap sales ploy, or because the potential consequences of a lapse in security are not immediately clear. The issue is quantification. You or your firm may not care much that “virus attacks have increased by X% in the last 12 months”, but you may pay more heed if the warning was specific to your industry: “virus attacks against XYZ systems running ABC applications have increased against ACME-industry institutions”.
It is of course, easier to sell any type of insurance or advisory services in regulated industries: housing or car insurance, financial services, health care, government. One only has to look at laws like Data Protection Act, HIPAA (US) and Sarbanes-Oxley to see how these created new business opportunities for consulting firms in may countries. However, for the security practitioner catering for a diverse clientele, another class of arguments must be found, in order to successfully convince clients to buy security services and products.
Fear vs. Economics
The problem with using Fear to sell security is that it is subject to the stroboscopic light effect: you get used to it, you may not realize when it really is bad and you could collapse under it not knowing why. Fear also works if you are naturally risk averse. But, it doesn’t work if you’ve never experienced the touted bad consequences or, if you are not risk averse.
Basic economics tells us that a free market for one specific product or “good” (let’s leave it “good”, please, as this is the basic economics terminology.. thanks) will converge to an equilibrium position, where supply equals demand, at a certain price P per unit. However, security is a complex issue, where many remedies are required for different aspects, so such a simplistic view may not be enough to look at when selling our security wares. Besides, in some cases it is difficult to determine what “one unit” of that product or good may be and company purchasing decisions are not as simple as the theoretical academic models may suggest.
Some industry participants complain about increased competition as a factor in depressing their security sales. However, let’s take a quick look at a typical large European country as a “market” for example Germany or the UK. This reveals that there will be, on average, ten firms providing Managed Security Services (MSS), with the biggest firm holding about a 20% market share. There will also be around 30 firms providing various Security Consulting services and we’ll perhaps find one with the biggest market share of 10%. This would mean HHI indexes of competitive intensity of 526 and 135 respectively.