BT and the Future of IT Security
Bruce Schneier
Chief Security Technology Officer, BT
BCSG
27 February 2009

The computer security industry is about to change. In the future, organizations will care both much more and much less about security. Understanding this apparent paradox is critical to BT's success in the IT space.

Why it's Hard to Sell Security: The Technical Reason

Computer and network security is complex, and understanding it requires a lot of education and experience. The threats and vulnerabilities are complex. The countermeasures are complex. The products that organizations need to buy to mitigate the risks are complex. Universities offer courses and degrees in computer security. Several organizations certify computer security practitioners. Someone who isn't properly trained can easily get confused. And even trained people are getting confused.

The technologies, and the products that encompass them, are so complex that most buyers can't understand them. This causes a fundamental mismatch between buyer and seller. The sellers can't explain what they're selling, and the buyers don't understand what they're buying. Commerce requires a meeting of minds between buyer and seller, and it's just not happening.

The result is that organizations don't buy the security they need. If they're lucky, they buy what they're told to by auditors or consultants. Or they follow best practices and buy what everyone else is buying. Or they choose some big name in the security industry and buy that company's stuff. New companies with new ideas, new technologies, and new products have a much harder time in this environment.

To add to the difficulty, security is primarily visible only when it fails. Attacks successfully defended against are often not even noticed. Even worse, if an organization's security is good and doesn't get successfully attacked, it's liable to conclude that it's spending too much money on security.
Why it's Hard to Sell Security: The Psychological Reason

There are two basic motivations to buy something: greed and fear. The first is a much easier sale than the second; it's easier to sell someone something he wants than a defense against something he wants to avoid. People are reluctant to buy insurance, or home security devices, or computer security anything. They do buy these things, but it's an uphill struggle.

The reason is psychological, and explained by something called Prospect Theory. In brief: people are risk-averse when it comes to gains, but risk-seeking when it comes to losses. Security is a choice between a small sure loss (the cost of the security product) and a large risky loss: for example, the results of an attack on one's network.

Of course there's a lot more to the buying decision. The buyer has to be convinced that the product works, and he has to understand both the threats against him and the risk that something bad will happen. But all things being equal, buyers would rather take the chance that the attack won't happen than suffer the sure cost of purchasing the security product.

Security sellers know this, even if they don't understand why, and are continually trying to frame their products in positive results. That's why you see slogans with the basic message, "We take care of security so you can focus on your business," or carefully crafted ROI models that demonstrate how profitable a security purchase can be. But these never seem to work. Security is fundamentally a fear sell.

IT Security: The Past

The entire IT security industry is an accident: an artifact of how the computer industry developed. Traditionally, computers are hard to use; you need an IT department staffed with experts just to make everything work. Contrast this with other mature high-tech products such as those for power and lighting, heating and air conditioning, automobiles and airplanes. No company has an automotive-technology department, staffed with engineers needed to install the latest engine upgrades and help users recover from the inevitable crashes.

Additionally, the IT products people want are inherently insecure. Companies need to buy after-market security add-ons because the computers, networks, databases, and everything else they want are so insecure. They don't want to buy security, but they know they have to.
BT's Managed Security Services

In 1999, I formed Counterpane Internet Security, Inc., to address this need in the marketplace. From the beginning, we did outsourced security monitoring. When we started, we didn't do anything active on the network; our customers wanted us to passively monitor and nothing more. But as the years went on, we did more active things: incident response, device management, vulnerability scanning, and so on. This shift reflected the greater acceptance of outsourcing in IT security and IT in general.

The idea was to make Counterpane an essential part of a company's IT security infrastructure. We wanted our customers to not even be able to consider halting our service. We wanted to be their trusted partner in the event of an incident, as well as their trusted partner for day-to-day auditing and reporting.

BT acquired Counterpane in October 2006.

IT Security: The Future

The IT industry is changing. Organizations are increasingly outsourcing IT: delegating the technical details of their information infrastructure to another company. Cloud computing, software as a service, and managed security services are all examples of this. So is the ever-greater number of companies willing to contract with BT for an ever-increasing portfolio of IT services.

IT is becoming infrastructure. And when something becomes infrastructure (power, water, the phone network, cleaning service, tax preparation), customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers. Customers, in turn, buy services, not products. They, from home users to multinational corporations, care less about the technological specifics and just expect IT to work.

Utility customers don't care about the technical details of IT. Utility customers don't ask for ROI models; there's no ROI for buying electricity, or telephone service, or desks. Utility customers certainly don't care about the technical details of IT security. They don't even want to purchase IT security. They want to purchase a suite of services that make up their IT infrastructure, and they expect it to be dependable, reliable, and secure.

In this marketplace, security will no longer be a separate thing; it will be part of everything. You can see this in the current wave of industry consolidation. Traditionally, consolidation in the security industry came from larger security companies buying smaller ones. These days, it's non-security companies buying security companies: Verizon buying Cybertrust, IBM buying ISS, BT buying Counterpane. We're all positioning ourselves to offer security as part of our larger service offerings.

This is no different from what happens in other mature industries. Your car comes with safety and security features built in; they're not sold separately. Same with your house. You expect your electrical equipment to be safe, and your food and water to be suitable to ingest. Security is a part of the products and services you want to buy. Sometimes it's even a feature that is called out in marketing campaigns (e.g., automobile campaigns that tout safety or food campaigns that tout purity), but that is a marketing choice.

Aside from features, infrastructure sales are driven by two things: price and trust. When infrastructure sellers are interchangeable (cell phone companies, for example), price is the primary motivator for buyers. When the infrastructure includes premium services (tax preparation, legal services, IT outsourcing), trust becomes the primary motivator. Price still matters of course, but only after vendors have been selected for trust.

Because the buyer doesn't have the expertise to evaluate the quality of the infrastructure he is buying, he instead relies on what economists call signals. Examples of signals in IT are analyst firms like Gartner, magazine reviews and comparisons, recommendations from colleagues, company reputation, and general impressions from the media. A seller that is perceived to be trusted will be able to sell into a greater market share, at a greater price premium, than a seller that is not.

The insurance industry will further propel these trends. As IT insurance becomes more common, insurance companies will need standard protection profiles around which to write policies. This will further motivate organizations to buy prepackaged outsourcing solutions with embedded security. And then the insurance industry will have a more controlling role in IT security, by deciding which technologies are good enough to warrant premium reductions.

Why BT Wins

BT is in an excellent position to take advantage of all of these trends. As one of the world's premier IT outsourcing companies, BT will continue to take over IT functions, both more broadly and for more organizations, as more companies view this as infrastructure.
BT will need to provide more and broader solutions for small and medium businesses, and more and broader solutions for home users. BT is already well-positioned to do all of these things.

In a commodity market, it's the small differentiators that sell the large contracts. Security will be one of those differentiators. Security concerns are only going to increase in the future, as customers are continually bombarded with news stories, analyst reports, anecdotes from colleagues, and firsthand experience about how bad things are. They will demand that their outsourced services be secure; they'll write security metrics into their contracts. What they won't care about are any of the details.

If we are trusted (if our offerings are dependable, reliable, and secure), then customers will buy our IT services. If our reputation is good enough, people will pay a premium for our services. Otherwise, we're just another commodity seller and the only differentiator is price.
At Counterpane, for example, we sent a monthly CIO report to each customer. Basically, it told them what a great job we're doing. BT shouldn't make its customers pay for this report; we should provide it to everyone as a demonstration of the quality job we're doing. Similarly, other BT managed security services have other ways to demonstrate trustworthiness to our customers. These little things will make a big difference when it comes time to renew the large contract.

What this all means is that BT should eventually stop selling security as a separate item. It shouldn't be an add-on that customers have the option of buying or not. It should be included as standard practice in everything we sell. Certainly BT's services come with security built in; we wouldn't even consider selling them any other way. Security then becomes the differentiator that influences the entire contract.

Getting There

Of course we can't stop selling security services today. This future of IT is coming, but it's coming in fits and starts. Today we need to both sell IT security as a separate thing and embed IT security into our broader service offerings. Specifically, BT should:

- Continue to broaden our security offerings. The more security responsibility we can take on, the better we look.
- Use security as a way to introduce customers to premium IT services. Customers who start by allowing us to manage or monitor their security can be more easily convinced to outsource other IT functions.
- Incorporate managed security services, such as Counterpane's Managed Security Monitoring, into all large IT outsourcing contracts: not as an add-on, but as something that comes included with BT's normal IT solutions.
- Establish a dedicated world-wide sales force for security. At this time, the general BT sales force does not understand security and cannot sell it.
- Continue to fund security research as a way to demonstrate thought leadership and increase customer trust in our security know-how and solutions.

Organizations will migrate to this outsourced utility model slowly, and at different rates. BT's service offerings will need to reflect these varieties of customer demand, as well as respond to the changing customer demand.
Conclusion

We are about to witness an enormous shift in the IT world: from an immature industry where technology is the primary focus to a mature industry where capabilities are the primary focus. BT is at the center of this shift and, if we position ourselves properly, can easily end up as the world leader in IT infrastructure. Security is a key component of that positioning. We need to position ourselves as the secure, dependable, reliable, and trusted IT outsourcer.