In the song Long Train Runnin', the Doobie Brothers ask, "Without love, where would you be now?"
As to where we'd be without love, I'll leave that to Dr Laura Schlessinger to answer. But if I may take artistic licence, without computer security, where would you be now? As a computer-security professional, that's a question I can answer.
And the answer is - absolutely nowhere. Without computer security, technologies like e-commerce, secure e-mail, online banking and electronic tax filing would all be pipe dreams.
But if security is a fundamental underpinning of the Web and corporate networks, why is it so tough to sell? Market-research firms estimate that Internet-based adult entertainment will generate roughly $US500 million in revenue in 1998. The fact that adult-entertainment income is higher than that of all computer-security firms combined indicates a sorry state of affairs.
The interesting reality is that computer security is no harder to sell than the average Amway product. The key is knowing how. Most security sales calls fail because the security solution is positioned as a cost factor, and no company enjoys added costs.
To successfully sell any type of security solution, you need to position it as the enabling technology that provides the means for systems implementation. I don't mean that all you have to do is a keyword search through your proposals to replace security with enabling technology. I mean that when selling security technology or dealing with related issues, you must demonstrate that without the proper level of security, any IT system is nothing more than a powerful Nintendo Game Boy.
Imagine the public perception of a Web-based retail system without security. No potential customer would touch that site with a 10-foot mouse.
The reason that a company's senior management can't see security as enabling is that they think the real problem comes exclusively from outsiders - i.e., that hackers are the prime threat and that computer-security expenditures are simply not cost-justified.
Managers then read figures provided by computer-security organisations that state the risk, but they can't believe it will happen to them. Indeed, most companies are far more likely to be victims of an insider attack. (These attackers know exactly where the corporate crown jewels are.)
Calculated risks
Attempting to sell security via the gloom and doom of a hacker threat or some fear of a future loss usually won't get you the final sign-off. This is especially true when dealing with financial-services firms that often don't mind taking calculated risks.
An additional problem that makes security a hard sell is that project-deployment time is unrealistically brief more often than not. For example, another integrator's marketing staff may have promised an enterprise application with features that don't exist, and the integrator's programmers are expected to work nights and weekends to implement those features. What usually gets sacrificed is security.
Likewise, downsizing has emaciated many security teams, and the IS personnel left in charge of security are often those with no operational experience.
Repositioning security as a core enabling technology is the key to your success in this market. You must also, however, enlist the support of a high-ranking manager - a security champion - inside your prospective customer site. If not, there's considerably less hope of selling your solution.
But the good news is that corporations are terrified of threats from the Web. They're compelled by market trends to have a Web presence, but in their haste to create that presence, they often treat security as an optional cost, not an integral component. Security solutions enable you to turn their risks into your profits.