Generalizing About Security/Privacy as a Competitive Advantage is a Waste of Perfectly Good Electrons
Curphey gets right to the point in this blog post by decrying that security and privacy do not constitute a competitive advantage to those companies who invest in it because consumers have shown time and time again that despite breaches of security, privacy and trust, they continue to do business with them. I think.
He tends to blur the lines between corporate and consumer "advantage" without really defining either, but does manage to go so far as to hammer the point home with allegory that unites the arguments of security ROI, global warming and the futility of IT overall. Time for coffee and some happy pills, Mark? 😉
Just for reference, let’s see how those goofy Oxfordians define "advantage":
advantage |ədˈvantij| noun a condition or circumstance that puts one in a favorable or superior position : companies with a computerized database are at an advantage | she had an advantage over her mother’s generation. • the opportunity to gain something; benefit or profit : you could learn something to your advantage | he saw some advantage in the proposal. • a favorable or desirable circumstance or feature; a benefit : the village’s proximity to the town is an advantage. • Tennis a player’s score in a game when they have won the first point after deuce (and will win the game if they win the next point). verb [ trans. ] put in a favorable or more favorable position.
Keep that in your back pocket for a minute.
OK, Mark, I’ll bite:
Many security vendors army of quota
carrying foot soldiers brandish their excel sheets that prove security
is important and why you should care. They usually go on to show
irrefutable numbers demonstrating security ROI models and TCO. I think
its all “bull shitake”!
…and those armies of security drones are fueled by things like compliance mandates put forth by legislation as a direct result of things like breaches, so it’s obviously important to someone. Shitake or not, those "someones" are also buying.
You’ve already doomed this argument by polarizing it with the intractable death ray of ROI. We’ve already gone ’round and ’round on the definition of "value" as it relates to ROI and security, so a good majority of folks have already signed off an aren’t reading past this point…yet I digress.
Wired has the scoop;
Why should consumers pay anything to protect their data!? Security and privacy are table stakes expectations (see below) on the consumer front. Companies invest millions in security and compliance initiatives driven by legislation brought on by representatives in local, state and federal government to help make it so. Furthermore, given the fact that if someone utilizes my credit card to commit fraud, I’m not responsible; it’s written off! If you change the accountability model, you can bet consumers would be a little more concerned with protecting their data. I wager they’d pay a hell of a lot more than $0.25 for it, too.
They aren’t, because despite being inconvenienced, they don’t care. They don’t have to. But before you assume I’m just agreeing with your point, read on.
After the TJX debacle I remember seeing predictions that people will vote with their feet. Of course they didn’t, sales actually went up 9%. The same argument was made for Ruby Tuesdays who lost some credit cards. It just doesn’t happen. Lake Chad and disasters on a global scale continue to plague us due to climate change yet still people refuse to stop buying SUV’s.
See previous paragraph above. When bad things happen, consumers expect that someone will put the hammer down and things will get better. New legislation. More safeguards. Extended protection. They often do.
Furthermore, with your argument, one could suggest that security/privacy have become a competitive advantage for TJX now since given their uptake and revenues, the following definition seems to apply:
Competitive advantage (CA) is a position that a firm
occupies in its competitive landscape. Michael Porter posits that a
competitive advantage, sustainable or not, exists when a company makes economic rents,
that is, their earnings exceed their costs (including cost of capital).
That means that normal competitive pressures are not able to drive down
the firm’s earnings to the point where they cover all costs and just
provide minimum sufficient additional return to keep capital invested.
Most forms of competitive advantage cannot be sustained for any length
of time because the promise of economic rents drives competitors to
duplicate the competitive advantage held by any one firm.
It looks to me that based upon your argument, TJX benefited from not only their renewed investment in security/privacy but from the breach itself! I think the last statement resonates with your Carr’s commentary (below) but you aren’t talking about "sustainable" competitive advantage. Or are you?
Right, wrong or indifferent, this is how it works. Corporate incrementalism is an acceptable go to market strategy to overall bolster one’s strategy over a competitor; it’s the entire long tail approach to marketing. You can’t be surprised by this?
This is why we have hybrid SUV’s now…
Nicholas Carr discusses this in IT Doesn’t Matter.
To start with technologies can become competitive differentials like
the railroads or the telephone. But once everyone has it, the paying
field levels and it becomes table stakes. Its a competitive
disadvantage if you aren’t in the game (i.e. insecure) but the economic
cost of developing a service or technology that is so compelling as to
become an advantage ain’t on the radar (for the most part).
So getting back to what I thought was your original premise, and escape the low-earth orbit of the affliction of the human condition, global warming and ROI… 🙁
For the sake of argument, let’s assume that I agree with your lofty generalizations that security and privacy do not represent a competitive advantage. Please turn off your firewall now. Deactivate your anti-virus and ant-spam. Turn off that IDS/IPS. Remove those WebApp firewall-enabled load balancers…
Yes, IT (and security/privacy) are table stakes (as I established above) but NOT having them would be a competitive disadvantage. THAT is the point. It’s a referential argument and a silly one at that.
…almost as silly as suggesting that you shouldn’t try to measure the effectiveness of security; it seems that people want to hang language on these topics and debate that instead of the core issue itself.
The threat models dictate how investments are made and how they are perceived to be advantageous or not. They’re also cyclical and temporal, so over time, their value depreciates until the next wave requires more investment. Basic economics.
Generalizing about security and privacy as not being competitive advantages is a waste of time. I’d love to see an ad from a company that says they’re NOT investing in security and privacy and that their Corporate credo is "screw it, you don’t care, anyway…"
I’m going to get on my bike and ride down to the store to buy a cup of coffee with my credit card now…
/Hoff
I agree completely with this post and Curphey's original post. Security is definitely a "table stakes" issue. Security is EXPECTED, like arriving at your flight's destination in one live piece. Like Dan Geer says, "No airline advertises that its planes don't fall from the sky."
I think there are only two times when security/privacy can be competitive advantages, and they're very narrow instances.
1) When your business is security, such as a security provider or security software developer.
2) When business is predicated on the presence of security. We are seeing that consumer-to-business, breaches are not affecting loyalty or purchasing. I also see all the time how business-to-business is also not much caring about security. We'd have a far more secure environment and a lot more vetting of businesses if they truly did care about their partners.
Alas, these areas are very narrow, and in the end, saying security gives competitive advantage or is simply twiddling semantics a bit weirdly…
-or 😛
I think you nailed it on the point of not having security is a competitive disadvantage. Indeed you can take this further and imply that compliance with regulations of all sorts protects a company from that disadvantage, and the next step is being efficient and optimal in meeting that regulation.
A problem as a provider of security/compliance systems is that there is effectively a "bar" set that is the minimum level for compliancy, and people then wonder about the lowest cost. Trying to sell a Rolls Royce solution in this case, you then need to bring out your ROI calculators and slide rules.
Some of this might involve portrayal of meeting security compliance as a shifting requirement, that attacks on your systems will become more sophisticated, and that the basic preventative measures will soon be obsolete. Who wants to spend millions on a system that won't work for very long?
When customers shop at a hardware shop they don't think (as we security people do) primarily about security. They think – I need this wrench, I need it cheap. It is just assumed that the credit card information will be safe. If it isn't..well.. at least they are fixing the issues. Here InfoSec is really just part of the shopping experience and not a differentiating factor in choosing where to shop. TJX should do security as well the next shop – any better is a waste of money.
Google is slowly rolling out what will one day be a web based operating environment with spreadsheet, email, research, etc etc. Your every personal detail will be there to be taken. Google has a huge vested interest to make sure nothing gets taken. If they can do that then they will have an advantage of any competitors. Here security can be used to gain advantage.
I disagree with the analogy of "No airline advertises that its planes don't fall from the sky."
The reality is that the service an airline is selling is that of safe travel from one location to another. A huge portion of the populous that consumes the services that are provided by an airline think about safety before and during their flights. They are also reminded of this fact when they are told "in case we crash here is what you do". When an airline says "come fly the friendly skies" they are not just referring to those wonderful stuarxxx, um I mean flight attendants. They are also trying to infer a safe service.
In my opinion LonerVamp was close to the mark. There is another area where security is absolutely, without a doubt, an advantage. In my business of providing solutions for Business Intelligence and data to go along with that solution – prospective clients (were talking other companies here BtoB) assume substandard security and it is our job to show them different. I have personally won deals where a strong information security program was the tipping factor. Additionally, we have also retained business due to this exact same thing.
So I guess what I am trying to say is that what I am seeing is a huge shift from security last to security first. Now granted, we absolutely still in transition on this but until most companies are secure, only then will the reality of "Security is EXPECTED" start to materialize.