Security Myopia

If you attended business school any time over the last 50 years you probably read the timeless Harvard Business Review article “Marketing Myopia” written by the late Theodore Levitt. A Harvard Business Review refresher article explained what “Marketing Myopia” meant:

The term was coined by the late Harvard Business School marketing professor, Theodore Levitt, in a 1960 article by the same name (republished in 2004). The “heart of the article,” according to Deighton, is Levitt’s argument that companies are too focused on producing goods or services and don’t spend enough time understanding what customers want or need. Therefore, he “encouraged executives to switch from a production orientation to a consumer orientation.” As Levitt used to tell his students, “People don’t want a quarter-inch drill. They want a quarter-inch hole!”

Most CISOs are attached to the IT organization and rightly see their role as protecting the IT assets of the company. That formula has worked fine and for many organizations may continue to do so. However, security professionals should always be keen to avoid myopia. They need to understand the interests of their true customers – their executives and board. Many CISOs are selling their boards “security,” but the boards want to buy reduced risk.

If security organizations were companies, and CISOs called in a big-time marketing consulting firm to look at the biggest competitors to the CISO’s “company,” the consultants would identify at least two threats.

First, the move to the cloud is rapidly integrating security with IT. Eternal platitudes such as “you need to build in security from the beginning” are on the cusp of actually being achievable. AWS and Azure are building full security stacks into their cloud offerings. Security point solutions are being absorbed in the cloud just as any other part of IT. In many enterprises, security organizations will be forced to live with the security tools embedded in the cloud services.

Second, the old saying “cyber risk is business risk” is also becoming reality. This calls to mind an apocryphal story of a CISO who was giving a board presentation. A board member asked the CISO what the three biggest cyber risks to the company were. The CISO hesitated and offered to get back to the board member the next day. Unfortunately, the next day the CISO was fired. The board felt it was unthinkable that a CISO would not immediately know information regarding business risk. CISOs are beginning to understand that one of their biggest competitors is a cyber insurance policy.

Most security teams have not had to justify their budgets in financial terms. That is changing. A bunch of charts showing security patches over time is not something that resonates well with senior management. As earnings for many companies are clipped, executives are hunting for parts of the organization that don’t increase value. Forward-thinking CISOs are proactively looking for ways to trim their budgets without substantially increasing risk.

Security teams need to sell their executives what their executives want to buy. Don’t get security myopia.