April 26, 2009

How to succeed in Security

Adam asks:

So I'm getting ready to head over to RSA, and I'm curious. If you believe that "security is about outcomes, not about process," what outcomes do you want from RSA? How will you judge if the conference was worthwhile?

Many have commented that the world's premier security event is a worthless event from the point of view of security. So what's the point?

An event is successful if you increase your marketing capabilities. Obviously, RSA does, and for this reason it is totally successful, for them. What about you?

Security as a business is mostly about marketing; whether it be via books, blogs, personal contacts, conferences, or whatever. Quite why this is requires a deeper thrust into the economics into asymettric or imperfect information markets; in a market where neither the seller nor the buyer know what is to be done, then only signals are available as tools (c.f., silver bullets) and signals are the domain of marketing, not engineering.

Hence the rise of marketing -- perception -- as the key factor in success in the security business. A conference is a good thing; if you can get enough people to go year after year, then it is presumably a signal of something. Which feeds the whole process, it generates a feedback loop that is at least self-sustaining.

But in a crowded market for signals, one signal isn't enough. Hence, there is a tendency to pursue a range of signals. So far we've got: the blog, the book, the conference, the RFC, the job, the protocol, the project, the network, the paper, the award, the article, the government contract, the patent, the algorithm, the ...

Any serious practitioner of security can pull together one of those (as an assumption). I can, you can too, if you are reading this. But, can you bring together 4 or 5? That's the battle, and in that battle, it becomes a simple marketing game of proving that you are more single-minded, more productive, and more strategic than the competition, and can drown out their signals with yours.

(Hence, I am not posting that much these days... I simply haven't the time, because I'm concentrating on another signal :)

The winner of this game is the one who generates enough resources to then feed those resources back into building the base of signals. Thus, a positive feedback loop in signals. And so, we see the tendency is for the biggest player to win, because more resources means more signals. Hence, RSA plus the conference. And so, security takes on more of an aspect like classical markets like soap powder or breakfast cereals. The commodity product underneath is not important, the structure of industry and the ability of the major players to build barriers to entry to newcomers becomes the battle ground.

OK, that was all theory. What's the bottom line? If you want to win at security, study marketing.

Posted by iang at April 26, 2009 11:04 AM | TrackBack

As much as I hate what you said, its def true and why I went the public sector after failing out of the private (I refuse to do marketing or sales on principple). I have been in security now for 12 years and you have pretty much hit in on the head. The security guys who truly care about security are your guys in the trenches who eventual either give up and leave security, go hardcore security engineering/technical, and/or go internal audit.

Those who remain either become marketing guru's and thrive or don't learn sales 101 and work at Burger King while railing against the system.

Or to quote the best sales guy I ever knew "You don't have to know anything in security to become successful in security because the people you are selling to don't know anything about security but buzzwords. Given there are no meaningful security metrics an exec cares about the only requirement you have is to market market market and then hire specific niche talent for one or two off deals to actual implement what you said you could do. Remember Sales is all that is important, everything else if fixable as long as you have a revenue stream. Any if you screw up, who cares, just make sure you hammer home about risk and nothing is one hundred percent for the price they are paying you. For the most part they will even pay you to fix what you implemented and advised wrong in the first place as long as you don't admit fault, blame evil bad guys, and market market market. Execs like pretty pictures also."

Posted by: Peter at April 27, 2009 11:29 AM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.