
Is the value of security really in “Making Nothing Happen”? October 5, 2009

Posted by jonathanpenn in value.

[Image: Security: Making Nothing Happen]

I saw this billboard on the way to work, and had to double back to take the picture (I’m so glad BlackBerrys now have cameras in them!).

Here’s a company in business for 63 years, and it still can’t figure out how to express the value of security to its customers. Is it really “making nothing happen”?

Of course not. Bay Alarm doesn’t prevent break-ins. Though the likelihood of a break-in may be reduced as a side benefit of having the alarm installed – or, more accurately, having the sign on your lawn. Criminals might be less inclined to try to break in, knowing that the house has a burglar alarm on it. I once had an anti-theft device that came with my car when I bought it in 1993. After a few months, the device started acting up, so I got rid of it. But I kept the sticker on the driver side window as a psychological deterrent to would-be car thieves (or maybe it was psychologically pacifying to me!). Of course, a contrary hypothesis would be that the alarm lets burglars know that you have something valuable to protect: so maybe they’d be more likely to attack that house. I’ll leave that for the actuaries to figure out. Though as someone without such an alarm and whose neighbor does have one, I would like to know.

In any case, what Bay Alarm and others do, of course, is reduce your probable loss in the event that your house does get broken into. Because alarm bells sound. Because the monitoring staff at Bay Alarm is contacted. But I guess that notion of mitigating risk is simply too complicated for a billboard. It’s certainly not catchy enough.

Perhaps IT Security needs to think in billboards when presenting to people across departments and to executives?

On the positive side, I like their tagline “What have you got to lose?”. The question is equally apt for IT Security groups to ask of their constituents.


Comments»

1. Andy Boots - October 9, 2009

I have said for years that the value proposition from infosec to management is “Nothing bad happened today … so far as we can tell.” And no one should be surprised that management questions infosec costs. A truly rational CFO would wonder how much infosec funding could be cut until something bad began to happen.

2. jonathanpenn - October 9, 2009

Andy,
Thanks so much for your comments. You’re spot on!! Once we say our jobs are to “make nothing happen” the conversation immediately turns to how much less you can spend to still have nothing happen. The sad irony is that the more successful we are at making nothing happen, the more keen they are on cutting. What can you do to convince them they haven’t spent enough, but we just got lucky this year? Or convincing them you spent exactly the right amount and not too much? Otherwise, they’ll naturally think they spent too much, whatever that excess may be. Seems like we need far better metrics than whether something bad happened or not if we’re to be successful at protecting the business. What do you think?

3. Andy Boots - October 9, 2009

Jonathan:

Thanks for the kind words. I think the pursuit of infosec “metrics” is Quixotic. All the sorts of things professionals like to measure don’t add up to much when an employee leaves his laptop on the subway with his password taped just above the keyboard. Or when Latvian criminals exploit a vulnerability the IT group hasn’t gotten around to patching. And so on …

The challenge is to get the enterprise to appreciate that it’s a dangerous world out there and the physical, personnel, and information security risks can only be minimized, not avoided.

It’s sorta amusing that the CFO is comfortable with having profitability metrics at the mercy of currency traders and sales volume at the mercy of advertisers, but demands that in-house metrics shape up or the responsible managers ship out.

Andy

4. Kevin - April 13, 2010

I too was amazed at Bay Alarm’s use of the phrase and their claim of “making nothing happen since 1946”.

I would like to see Sonitrol counter that with “We’ve been making stuff happen for almost 50 years!” since, after all, we are the only security company that tracks and advertises the number of criminals we catch; over 160,000 since we began keeping track in 1977, and still counting.

Burglars, “be alarmed, be very alarmed”.

5. Kevin - April 13, 2010

Forgot to mention “Burglars… You’ve got a lot to lose”.

