Is selling security still a negative sell once the overall acceptance of the need for security is commonplace? Using Bruce’s automobile example where manufacturers embed security products like anti-lock brakes -- what happens if you are offered a choice of just driver-side airbag, driver & passenger, or also side-impact airbags? Once acceptance occurs (in this case, that air bags are a fundamental need) then we revert back to utility theory / ROI / standard value judgments.

This is happening already. Just a few years ago you had to sell customers on why they need an IDS or security monitoring. But now many customers are accepting the fundamental need for security (either due to risk or compliance). As such, vendors now need to sell "why my IDS" or "why my security monitoring". Think about IDS/IPS technology -- most folks who have used several commercial or open source platforms will agree that they all are pretty much adequate. Just like a car or house alarm system, pick any decent brand and you are protected “well enough”.

Of course, Most vendors haven't figured this out yet.

Can we really compare the judgements made on our personal safety to technology?

Do we evaluate these in the same way?

I agree with the comment below, however; there's still the point of 'buying' the product or service. That's where the customer makes his 'quick' calculation.

Once you embed a security solution in a wanted product - say a desktop - then it becomes accepted. As long as you have to pay, it's still that 'thing apart' you have to pay for and wich you'd rather avoid paying for.

I think the common evaluation takes shape in that personally and professionally we don't want to spend money that doesn't immediately benefit us. If I fail to understand what I receive then it's hard to say "yes".

When the security is packaged effectively, and it's value is accurately communicated, I'm not sure it's that tough of a sell.

I have various insurances for different aspects of my life. I have them because I understand what they will do for me, and I don't mind it so much if I never use that benefit.. because it means I've avoided the problem that I purchased them for in the first place.

Security is tough to sell if your trying to protect something that you don't value.

Based on the results of the Digital Trust research program (see http://www.csc.com/aboutus/leadingedgeforum/mds/mds436/844.shtml or just Google "digital trust" + CSC) it seems that "security" does not need to be a "negative sell." The widespread use of security services and technology for direct value creation (while always seeing risk exposure diminish as a beneficial side effect) seems to indicate that a learned behavior like a digital trust strategy can indeed overcome even evolutionary predispositions. We'll continue to struggle with the same issues over and over if realities like digital trust are ignored.

Bundling security in everything we create is a good idea. However, what strategy exists for protecting assets that haven't been attacked here or at any of our sister organizations even though it is just a matter of time?

I am not sure it is. After all, you want your peer senior execs take a realistic look at the potential threat. This is in their – and company’s – best interest. If they are not open to a rational conversation (and the article suggests they probably aren’t) – then what do you do? Here is what I did once.

Many years ago I started as CIO at a financial institution. You would expect that people in this industry are aware of security threats. Well… After a few unsuccessful attempts to initiate a serious discussion on the subject, I decided to use a sledgehammer. I invited my chief SysAdmin to a senior execs meeting.

The guy turned his laptop toward my peers and started commenting his actions:

- I’m connecting to the Internet.
10 seconds later:
- I’m searching for a free password cracking tool.
In 30 secs:
- OK, here is one, I’m downloading it.
After 60 seconds:
- I’m now installing the tool on my laptop.
Another minute:
- I’m done and ready to strike.

In 90 secs:
- James, as you can see on the screen, the tool suggests that your password is . Is it correct? (James turns red). Marsha, is your password ? (Marsha’s opens her eyes wide). George, your password might be… All but one password were cracked.

Less then 5 min from the start – and I have a team of senior exec who are at least open to a serious conversation. Just because they saw with their own eyes how a simple yet devastating an attack can be.

Did I achieve my goal by causing fear? Sure I did. Did I do something unethical or did I simply do my job educating my peers and looking after company’s interests and protecting client’s information? I think I know the answer. Try to convince me otherwise.

Truly,
Eugene Nizker

I fail to see the value and applicability in this article. Seems rather meaningless.

I appreciate the information provided here.

While running an advanced biometric solutions company focusing on Face Recognition solutions, I have had a lot of success in India.