BT and the Future of IT Security. Bruce Schneier Chief Security Technology Officer, BT BCSG. 27 February 2009


The computer security industry is about to change. In the future, organizations will care both much more and much less about security. Understanding this apparent paradox is critical to BT's success in the IT space.

Why it's Hard to Sell Security: The Technical Reason

Computer and network security is complex, and understanding them requires a lot of education and experience. The threats and vulnerabilities are complex. The countermeasures are complex. The products that organizations need to buy to mitigate the risks are complex. Universities offer courses and degrees in computer security. Several organizations certify computer security practitioners. Someone who isn't properly trained can easily get confused.

And even trained people are getting confused. The technologies, and the products that encompass them, are so complex that most buyers can't understand them. This causes a fundamental mismatch between buyer and seller. The sellers can't explain what they're selling, and the buyers don't understand what they're buying. Commerce requires a meeting of minds between buyer and seller, and it's just not happening.

The result is that organizations don't buy the security they need. If they're lucky, they buy what they're told to by auditors or consultants. Or they follow best practices and buy what everyone else is buying. Or they choose some big name in the security industry and buy that company's stuff. New companies with new ideas, new technologies, and new products have a much harder time in this environment.

To add to the difficulty, security is primarily visible only when it fails. Attacks successfully defended against are often not even noticed. Even worse, if an organization's security is good and doesn't get successfully attacked, it's liable to conclude that it's spending too much money on security.

Why it's Hard to Sell Security: The Psychological Reason

There are two basic motivations to buy something: greed and fear. The first is a much easier sale than the second; it's easier to sell someone something he wants than a defense against something he wants to avoid. People are reluctant to buy insurance, or home security devices, or computer security anything. They do buy these things, but it's an uphill struggle.

The reason is psychological, and explained by something called Prospect Theory. In brief: people are risk-averse when it comes to gains, but risk-seeking when it comes to losses. Security is a choice between a small sure loss (the cost of the security product) and a large risky loss: for example, the results of an attack on one's network.

Of course there's a lot more to the buying decision. The buyer has to be convinced that the product works, and he has to understand both the threats against him and the risk that something bad will happen. But all things being equal, buyers would rather take the chance that the attack won't happen than suffer the sure cost of purchasing the security product.

Security sellers know this, even if they don't understand why, and are continually trying to frame their products in positive results. That's why you see slogans with the basic message, "We take care of security so you can focus on your business," or carefully crafted ROI models that demonstrate how profitable a security purchase can be. But these never seem to work. Security is fundamentally a fear sell.

IT Security: The Past

The entire IT security industry is an accident: an artifact of how the computer industry developed. Traditionally, computers are hard to use; you need an IT department staffed with experts just to make everything work. Contrast this with other mature high-tech products such as those for power and lighting, heating and air conditioning, automobiles and airplanes. No company has an automotive-technology department, staffed with engineers needed to install the latest engine upgrades and help users recover from the inevitable crashes.

Additionally, the IT products people want are inherently insecure. Companies need to buy after-market security add-ons because the computers, networks, databases, and everything else they want are so insecure. They don't want to buy security, but they know they have to.

BT's Managed Security Services

In 1999, I formed Counterpane Internet Security, Inc., to address this need in the marketplace. From the beginning, we did outsourced security monitoring. When we started, we didn't do anything active on the network; our customers wanted us to passively monitor and nothing more. But as the years went on, we did more active things: incident response, device management, vulnerability scanning, and so on. This shift reflected this greater acceptance of outsourcing in IT security and IT in general.

The idea was to make Counterpane an essential part of a company's IT security infrastructure. We wanted our customers to not even be able to consider halting our service. We wanted to be their trusted partner in the event of an incident, as well as their trusted partner for day-to-day auditing and reporting.

BT acquired Counterpane in October 2006.

IT Security: The Future

The IT industry is changing. Organizations are increasingly outsourcing IT: delegating the technical details of their information infrastructure to another company. Cloud computing, software as a service, and managed security services are all examples of this. So is the ever-greater number of companies willing to contract with BT for an ever-increasing portfolio of IT services.

IT is becoming infrastructure. And when something becomes infrastructure (power, water, the phone network, cleaning service, tax preparation), customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers. Customers, in turn, buy services, not products. They, from home users to multinational corporations, care less about the technological specifics and just expect IT to work.

Utility customers don't care about the technical details of IT. Utility customers don't ask for ROI models; there's no ROI for buying electricity, or telephone service, or desks. Utility customers certainly don't care about the technical details of IT security. They don't even want to purchase IT security. They want to purchase a suite of services that make up their IT infrastructure, and they expect it to be dependable, reliable, and secure.

In this marketplace, security will no longer be a separate thing; it will be part of everything. You can see this in the current wave of industry consolidation. Traditionally, consolidation in the security industry came from larger security companies buying smaller ones. These days, it's non-security companies buying security companies: Verizon buying Cybertrust, IBM buying ISS, BT buying Counterpane. We're all positioning ourselves to offer security as part of our larger service offerings.

This is no different from what happens in other mature industries. Your car comes with safety and security features built in; they're not sold separately. Same with your house.

You expect your electrical equipment to be safe, and your food and water to be suitable to ingest. Security is a part of the products and services you want to buy. Sometimes it's even a feature that is called out in marketing campaigns (e.g., automobile campaigns that tout safety or food campaigns that tout purity), but that is a marketing choice.

Aside from features, infrastructure sales are driven by two things: price and trust. When infrastructure sellers are interchangeable (cell phone companies, for example), price is the primary motivator for buyers. When the infrastructure includes premium services (tax preparation, legal services, IT outsourcing), trust becomes the primary motivator. Price still matters of course, but only after vendors have been selected for trust.

Because the buyer doesn't have the expertise to evaluate the quality of the infrastructure he is buying, he instead relies on what economists call signals. Examples of signals in IT are analyst firms like Gartner, magazine reviews and comparisons, recommendations from colleagues, company reputation, and general impressions from the media. A seller that is perceived to be trusted will be able to sell into a greater market share, at a greater price premium, than a seller that is not.

The insurance industry will further propel these trends. As IT insurance becomes more common, insurance companies will need standard protection profiles around which to write policies. This will further motivate organizations to buy prepackaged outsourcing solutions with embedded security. And then the insurance industry will have a more controlling role in IT security, by deciding which technologies are good enough to warrant premium reductions.

Why BT Wins

BT is in an excellent position to take advantage of all of these trends. As one of the world's premier IT outsourcing companies, BT will continue to take over IT functions both more broadly and for more organizations as more companies view this as infrastructure. BT will need to provide more and broader solutions for small and medium businesses and more and broader solutions for home users. BT is already well-positioned to do all of these things.

In a commodity market, it's the small differentiators that sell the large contracts. Security will be one of those differentiators. Security concerns are only going to increase in the future, as customers are continually bombarded with news stories, analyst reports, anecdotes from colleagues, and firsthand experience about how bad things are. They will demand that their outsourced services be secure; they'll write security metrics into their contracts. What they won't care about are any of the details.

If we are trusted, if our offerings are dependable, reliable, and secure, then customers will buy our IT services. If our reputation is good enough, people will pay a premium for our services. Otherwise, we're just another commodity seller and the only differentiator is price.

At Counterpane, for example, we sent a monthly CIO report to each customer. Basically, it told them what a great job we're doing. BT shouldn't make its customers pay for this report; we should provide it to everyone as a demonstration of the quality job we're doing. Similarly, other BT managed security services have other ways to demonstrate trustworthiness to our customers. These little things will make a big difference when it comes time to renew the large contract.

What this all means is that BT should eventually stop selling security as a separate item. It shouldn't be an add-on that customers have the option of buying or not. It should be included as standard practice in everything we sell. Certainly BT's services come with security built in; we wouldn't even consider selling them any other way. Security then becomes the differentiator that influences the entire contract.

Getting There

Of course we can't stop selling security services today. This future of IT is coming, but it's coming in fits and starts. Today we need to both sell IT security as a separate thing and embed IT security into our broader service offerings. Specifically, BT should:

- Continue to broaden our security offerings. The more security responsibility we can take on, the better we look.
- Use security as a way to introduce customers to premium IT services. Customers who start by allowing us to manage or monitor their security can be more easily convinced to outsource other IT functions.
- Incorporate managed security services, such as Counterpane's Managed Security Monitoring, into all large IT outsourcing contracts, not as an add-on, but as something that comes included with BT's normal IT solutions.
- Establish a dedicated world-wide sales force for security. At this time, the general BT sales force does not understand security and cannot sell it.
- Continue to fund security research as a way to demonstrate thought leadership and increase customer trust in our security know-how and solutions.

Organizations will migrate to this outsourced utility model slowly, and at different rates. BT's service offerings will need to reflect these varieties of customer demand, as well as respond to the changing customer demand.

Conclusion

We are about to witness an enormous shift in the IT world: from an immature industry where technology is the primary focus to a mature industry where capabilities are the primary focus. BT is at the center of this shift and, if we position ourselves properly, can easily end up as the world leader in IT infrastructure. Security is a key component of that positioning. We need to position ourselves as the secure, dependable, reliable (the trusted) IT outsourcer.