Although information security has a long history, it wasn’t really top of mind of senior management, Board or other employees until late 2010s. A “security professional” became a real job and market demand has grown ever since. Awareness about security risks increased significantly. The thriving forces for this were major security breaches such as Snowden, NotPetja and WannaCry shocking the world, but also regulators demanding companies to protect their critical assets, including non-tangible ones such as data. As a result of this, we can now state it has the Boards attention by default.
Since the number of security specialists, security hard- and software technology vendors and security service providers have increased over the past decade, we also experience a significant increase in security spending. And these security budgets have become an important part of the organizations’ financial planning cycle. Recent predictions indicate that budgets will continue to grow and it’s not clear where it will end.
We think however that at a certain stage the novelty of digital security will wear off and budget pressure will increase. We simply cannot try to empty the ocean with a thimble. To prevent this from happening staff being responsible for digital security will have to show the added value of their investments but also from themselves. Just as any other business process or department manager within the company.
To shed some historical light and background about our reasoning we first compare Digital Security with regular IT and the IT department, and what has happened to IT when being unable to show value and being misaligned with the business. After that we will provide some guidance on how to demonstrate “true” value and to make it taste as sweet as cherries.
What happened to IT, will happen to Digital Security
Business-IT alignment has been an issue since the seventies and is mainly caused by;
- Lack of collaboration,
- Lack of mutual understanding and a
- Lack of tangible added value.
To overcome these alignment issues and improve this relationship, multiple Business and IT alignment models have been introduced. Over the last few years, we have also seen multiple ‘Value of IT” methods, including ITIL, being introduced to also focus on showing value to the business. However, the focus of these models is often on the more generic objective value (ROI, KPIs, SLAs) instead of the subjective value (customer satisfaction score and how people perceive and experience IT). Later more about that.
The main reason for this switch from more process focused to value focused is the result of Boards and Senior Management starting to ask the question “what is the value of IT for the money we spend on it?”. Maybe this is caused by the experience they had in their personal life during the consumerization of IT. What we mean with that is they experience in their personal life that IT can work smooth and that iPhones are safe by biometric access, something the IT department never delivered to them. This department of “no” had a sour taste of lemon. But they also experience budget pressure. The main reason for this budget pressure is that budget holders were unable to judge the value delivered by IT. Because if you can’t understand or see the benefits of something, you start trying to lower the spend on it. They simply squeeze the people that do not deliver or truly contribute.
It must be mentioned that currently due to the digitalization trend and COVID19, budget limitations have become less of an issue. One can however question whether companies spend their money on digitalization out of fear for being the next Kodak or Nokia or whether they actually know the digital value they are getting for their money.
Are IT and Digital Security both a Market for lemons?
In the book “Discover the IT Cherry” we made a comparison between the 1970 paper “Market for Lemons” of Akerlof and whether IT is a Market for Lemons as well. The paper examines how the quality of goods traded in a market can degrade in the presence of information asymmetry between buyers and sellers, leaving only “lemons” behind. In the table below the Criteria for a lemon market are stated and the parallel with IT organizations is made. The parallel with Digital Security is made based upon our own experience to determine whether Digital Security is also a market for lemons. We consider Digital Security in this case as a whole and not only the security software or services providers.
|#||Criteria for a lemon market||Parallel with IT organizations||Parallel with Digital Security|
|1||The buyer is unable to fully determine the value and quality of a product before the product is bought. The salesman is aware of this value (asymmetric information).||Business (the consumer) has too little information to determine the actual costs and quality of an IT service. The internal or external IT organization or IT suppliers could or do hold this information. For example, looking at the selection of an outsourcing partner a comparison between suppliers is hard to make and it is unclear what quality is actually given for the paid price.||Business has too little information to determine the actual costs, benefits and quality of digital security. Although the seller market increased significantly, it remains difficult to understand the difference between products and services. Decisions are mainly made based upon “can we afford this?” instead of understanding the benefits or ability to determine the value.|
|2||The seller is stimulated to disguise a lower-quality product as a higher-quality product.||The uncertainty of the consumer, as a consequence of asymmetric information, often brings IT under the yoke of cost reduction. Often, the forced solution is to deliver lesser quality for a lower price, however this does not meet the expectations of customers. As a consequence, the Lemons Problem continues to grow.||Security providers and security software providers often state that their software or service will solve all the problems and prevent hacks from happening. In practice however software can’t meet that expectation, is harder to implement then expected or has unexpected higher costs (e.g. storage costs when using a SIEM). (See also the “Research Report Cybersecurity Technology Efficacy – Is cybersecurity the new “market for lemons”)|
|3||The salesman doesn’t have a credible story or technique to represent the high quality of his product.||IT itself is unable to clarify the quality, or added value, of its products and why the price is righteous.||Sales is often done based upon Fear, Uncertainty and Doubt. “If you don’t by my product you’ll be hacked”. Value delivery based on an outcome or committed SLA is rarely done. Comparison with other products can hardly be made, except for what e.g. Gartner or Forrester state,|
|4||Buyers are pessimistic and suspicious concerning the seller and the quality of his products.||Unfortunately, the IT organization is often known as of poor quality and too expensive. For example, IT knows many cases of absence and projects often turn out to cost more than initially anticipated or fail. Due to this, often IT already has a 1-0 arrear.||Buyers become more pessimistic and suspicious since expectations are often not or partially met. Products can’t deliver what was expected or are not fully implemented or used. Also due to the increase in competitors, large discounts are already given with the first offer. Instead of being thankful for this discount, it usually makes buyers suspicious about the real value of the product. Lots of point solutions are perceived as spaghetti only making things worse, let alone hard to rationalize since nobody really understand what they do.|
|5||There are no effective public supervision or general guidelines for consumers to guarantee quality standards.||There is no guideline for business to control the quality of IT. The frequently chosen guidelines (CMMi, ITIL, COBIT, etc) are internal IT standards, which, however, poorly correspond to the business experience. The supervision that does exist is focussed on internal control and not on quality for customers||Certain sectors (e.g. financials), and even countries, are regulated and supervised which leads to an increase of the digital security maturity. In most sectors and countries there is however no effective public supervision or guideline for business to control the quality of digital security. A general HACCP norm for security providers is highly desirable. Simple stated; if you don’t comply you are not allowed to operate, similar like restaurants, lawyers, airlines, hospitals etc.|
To be ahead of the game, start showing the value of Digital Security
The current situation can’t last forever. At a certain stage a company wants to have a sufficient level of security and wants to focus its attention and spend on things that generate revenue or contributes to business goals. More and more questions will be asked why certain investments in Digital Security must be made and whether security budgets can decrease. This will be the case when security incidents will not occur or will have limited impact. When a boards mindset is “assume the breach” and the focus is on to reduce the blast radius rather than reduce all the blast. That is simply throwing money down the drain. To precede this budget pressure, Digital Security professionals, Tech vendors and Suppliers should now start showing their value.
Showing value of Digital Security might be more difficult than one thinks. Value of Digital Security is more than reporting about the number of vulnerabilities found and remediated, number of security incidents resolved, number of people trained in awareness trainings or the number of auditor findings resolved. To understand value, it is a good start to with a definition of value:
Value concerns the relation between benefits and costs. Value can be measured partially objectively and partially subjectively (perception) and can depend on a group or even an individual.
The above definition shows that digital security value is more than just reporting objective numbers about security occurrences. Based upon this definition we can divide value in four areas of attention:
This way of showing value is the way most of us learn in management schools via business cases etc. A good way to measure Digital Security value in an objective way is using ROSI (Return on Security Investment). We’ve talked about that in our Blog at Antwerp Management School. An easy way to increase or keep the same level of benefits but lowering the costs is to start using the software and licenses to the fullest, instead of buying additional software that provides functionality you might already have. We refer to the term technology utilization. During operations it is a good practice to measure the security occurrences and show the impact of newly implemented security measures. Make reporting about benefits and cost effectiveness as a part of your daily routine, just as every other manager or director in the company is doing.
Subjective value is all about the perception of the person or group experiencing the security measures or level of security. In this case it becomes important to start managing the perception people have. The perception can be for example “we’re way to secure and not a bank!”, “we’re completely unsecure” or “security makes my work so much more inefficient, can’t we shut this down?”.
To manage the perception of the security users and stakeholders (e.g. Board, Regulators) you need to start understanding what their current perception is as well as what their expectation is, since perception is the result of expectation. A well-known rule to manage expectations:
- When you deliver under expectation people are unhappy and want to stop using what you’re “selling”, marketing term for this is cognitive dissonance.
- When you deliver according to expectation people are satisfied, but also still open to other opportunities
- When you deliver above expectation people are happy and become loyal ambassadors
The best trick to make people happy is then of course to make sure that the expectations are as low as possible or be an absolute overachiever.
Value for the Group
Value for the Group is often shown in standard reports made by suppliers or found in public available information. In general, this covers the basic need and is something that is according to expectation. The real value however is in the value for the individual.
Value for the Individual
Value for the individual is often measured with Customer Satisfaction Scores. You might recognize them from your personal life when you order something online and a week after the delivery you are asked about how happy you are with the product or the service. Often based upon a score from 1 to 10 or with a smiley face. In some cases there is also room for a comment.
In Digital Security we haven’t seen this way of measuring value yet. Within IT we do see Customer Satisfaction scores, but a follow-up of these scores is often limited. While in our experience spending some time on following up this valuable feedback often results in an “above expectation” experience. So customer satisfaction scores can be a valuable instrument to understand the perception of your users and stakeholders about digital security.
Next to customer satisfaction scores we love the empathy factor; This is about understanding the people that have and hold the budgets. Understanding what these people find important in Digital Security is to be able to manage their perception or expectations. A recent article by Gartner about “beyond individual passions and concerns”, boards collectively generally care about three things:
- Revenue/mission: Operating or nonoperating income and enhancing nonrevenue mission objectives
- Cost: Future cost avoidance and immediate decrease in operating expenses
- Risk: Financial, market, regulatory compliance and security, innovation, brand, and reputation”
These three things are generic statements. So as a Tech leader, Digital Security professional or/and CISO, understanding the budget-holder’s needs, agenda, desires and what’s important to them, understand what’s important for the company, understand the strategy and mission of the company, etc, is very important. Demonstrate sincere empathy.
Showing Value is not a step-by-step roadmap
The hard part about value is the part that is subjective and for the individual. What’s important for one person might not be important to someone else. As a result, decisions are not always made based upon rationality. When people don’t understand, trust or like you or the idea, they tend to decide to go for a different direction which will leave you in confusion. One thing that can support you in these irrational processes is the use of collaborative technologies that facilitate interaction between business and professionals in certain domains (e.g. business or security) like Group Support Systems in which you can brainstorm collectively on viewpoints, opinions and novelties. Then categorize them into what is important to a certain group or individual. Make the opinions of the group more tangible, explicate them and collectively discuss them and deal with them in a more rational manner. In the end however, you still need to understand the “environment”, since not every organization has the same context, and experiment a bit with what is valuable for the different stakeholders.
For example, start measuring customer satisfaction scores about a specific security solution or experiment with ROSI on individual investment scenario’s or a complete portfolio and thereby demonstrate the true value of investments. Asking the help of somebody outside of IT helps you understand the opposite position and cross the gap between IT & Digital security to the business. All of this is to prepare our profession for the year 2025.
 Akerlof, George A. (1970). “The Market for ‘Lemons’: Quality Uncertainty and the Market Mechanism”. Quarterly Journal of Economics. The MIT Press (see also: https://en.wikipedia.org/wiki/The_Market_for_Lemons)
 Research report cybersecurity technology efficacy, Is cybersecurity the new “market for lemons”?, October 2020, Debate Security
 HACCP is a management system in which food safety is addressed through the analysis and control of biological, chemical, and physical hazards from raw material production, procurement and handling, to manufacturing, distribution and consumption of the finished product.
 Mark Butterhoff, Barry Derksen, Aart van der Vlist. “Discover the IT Cherry – How to become the most valued IT organization by using cherries”
 Cognitive dissonance refers to a situation involving conflicting attitudes, beliefs or behaviors. This produces a feeling of mental discomfort leading to an alteration in one of the attitudes, beliefs or behaviors to reduce the discomfort and restore balance.
 Bobbert & Mulder (2016) on GSS in Digital Security in ISACA Journal (https://www.isaca.org/resources/isaca-journal/issues/2016/volume-5/boardroom-dynamics-group-support-for-the-boards-involvement-in-a-smart-security-decisionmaking-proce)