Recently I met former co-students at a reunion, and told them that my area of expertise is security. Everybody agreed that I must work in a hot area and be in for a great career. Well, really?
The latest polls indicate that (cyber) security is the topmost concern of upper management, especially when moving technology into the cloud.
Yet the reality for security practitioners is that they have limited, if not shrinking, budgets, or have development resources taken away and not replaced.
Why is that? One reason is that the members of upper management have different and incongruent interests.
A CEO wants to generate more business and make more revenue and profit. Chief Security Officers have a hard time positioning security as a revenue-generating technology. That works only for cloud deployments, where one could position security as a revenue-enabling technology.
The CFO wants to be compliant and make sure that all budgets and reporting are correct. Her or his focus is on compliance technologies at best.
The CIO wants peace of mind, which means that she or he wants the systems and applications to run smoothly and continuously. Security is often perceived as a hindrance to undisturbed operations.
Lastly, security is often positioned and sold via anxiety. “You really do not wish to find your company data being leaked, do you?”
However, the big industry trend in IT is towards usability. Whether you like them or not, the big internet giants have become so big because their software is easy to use and pleasurable, which is reflected in growing consumer adoption. It might be better to pitch security technologies via ease of use. This is a no-brainer in the case of single sign-on technologies or central identity administration. Instead of selling security with anxiety, CSOs should look for ways to explain the usability gains that come from implementing security.