Curphey gets right to the point in this blog post by decrying that security and privacy do not constitute a competitive advantage to those companies who invest in it because consumers have shown time and time again that despite breaches of security, privacy and trust, they continue to do business with them. I think.
He tends to blur the lines between corporate and consumer "advantage" without really defining either, but does manage to go so far as to hammer the point home with allegory that unites the arguments of security ROI, global warming and the futility of IT overall. Time for coffee and some happy pills, Mark? ;)
Just for reference, let's see how those goofy Oxfordians define "advantage":
advantage |ədˈvantij| noun a condition or circumstance that puts one in a favorable or superior position : companies with a computerized database are at an advantage | she had an advantage over her mother's generation. • the opportunity to gain something; benefit or profit : you could learn something to your advantage | he saw some advantage in the proposal. • a favorable or desirable circumstance or feature; a benefit : the village's proximity to the town is an advantage. • Tennis a player’s score in a game when they have won the first point after deuce (and will win the game if they win the next point). verb [ trans. ] put in a favorable or more favorable position.
Keep that in your back pocket for a minute.
OK, Mark, I'll bite:
Many security vendors' armies of quota-carrying foot soldiers brandish their Excel sheets that prove security is important and why you should care. They usually go on to show irrefutable numbers demonstrating security ROI models and TCO. I think it's all "bull shitake"!
...and those armies of security drones are fueled by things like compliance mandates put forth by legislation as a direct result of things like breaches, so it's obviously important to someone. Shitake or not, those "someones" are also buying.
You've already doomed this argument by polarizing it with the intractable death ray of ROI. We've already gone 'round and 'round on the definition of "value" as it relates to ROI and security, so a good majority of folks have already signed off and aren't reading past this point... but I digress.
Wired has the scoop:
Why should consumers pay anything to protect their data!? Security and privacy are table stakes expectations (see below) on the consumer front. Companies invest millions in security and compliance initiatives driven by legislation brought on by representatives in local, state and federal government to help make it so. Furthermore, given the fact that if someone utilizes my credit card to commit fraud, I'm not responsible; it's written off! If you change the accountability model, you can bet consumers would be a little more concerned with protecting their data. I wager they'd pay a hell of a lot more than $0.25 for it, too.
They aren't, because despite being inconvenienced, they don't care. They don't have to. But before you assume I'm just agreeing with your point, read on.
After the TJX debacle I remember seeing predictions that people will vote with their feet. Of course they didn't; sales actually went up 9%. The same argument was made for Ruby Tuesday, who lost some credit cards. It just doesn't happen. Lake Chad and disasters on a global scale continue to plague us due to climate change, yet still people refuse to stop buying SUVs.
See the previous paragraph. When bad things happen, consumers expect that someone will put the hammer down and things will get better. New legislation. More safeguards. Extended protection. They often do.
Furthermore, by your own argument, one could suggest that security/privacy have now become a competitive advantage for TJX, since given their uptake and revenues the following definition seems to apply:
Competitive advantage (CA) is a position that a firm occupies in its competitive landscape. Michael Porter posits that a competitive advantage, sustainable or not, exists when a company makes economic rents, that is, their earnings exceed their costs (including cost of capital). That means that normal competitive pressures are not able to drive down the firm's earnings to the point where they cover all costs and just provide minimum sufficient additional return to keep capital invested. Most forms of competitive advantage cannot be sustained for any length of time because the promise of economic rents drives competitors to duplicate the competitive advantage held by any one firm.
It looks to me that, based upon your argument, TJX benefited not only from their renewed investment in security/privacy but from the breach itself! I think that last statement resonates with the Carr commentary you cite (below), but you aren't talking about "sustainable" competitive advantage. Or are you?
Right, wrong or indifferent, this is how it works. Corporate incrementalism is an acceptable go-to-market strategy for bolstering one's overall position over a competitor; it's the entire long-tail approach to marketing. You can't be surprised by this?
This is why we have hybrid SUV's now...
Nicholas Carr discusses this in IT Doesn't Matter. To start with, technologies can become competitive differentials like the railroads or the telephone. But once everyone has it, the playing field levels and it becomes table stakes. It's a competitive disadvantage if you aren't in the game (i.e. insecure), but the economic cost of developing a service or technology that is so compelling as to become an advantage ain't on the radar (for the most part).
So, getting back to what I thought was your original premise, and escaping the low-earth orbit of the affliction of the human condition, global warming and ROI... :(
For the sake of argument, let's assume that I agree with your lofty generalization that security and privacy do not represent a competitive advantage. Please turn off your firewall now. Deactivate your anti-virus and anti-spam. Turn off that IDS/IPS. Remove those WebApp-firewall-enabled load balancers...
Yes, IT (and security/privacy) are table stakes (as I established above), but NOT having them would be a competitive disadvantage. THAT is the point. It's a self-referential argument, and a silly one at that.
...almost as silly as suggesting that you shouldn't try to measure the effectiveness of security; it seems that people want to hang language on these topics and debate that instead of the core issue itself.
The threat models dictate how investments are made and how they are perceived to be advantageous or not. They're also cyclical and temporal, so over time, their value depreciates until the next wave requires more investment. Basic economics.
Generalizing about security and privacy as not being competitive advantages is a waste of time. I'd love to see an ad from a company that says they're NOT investing in security and privacy and that their corporate credo is "screw it, you don't care, anyway..."
I'm going to get on my bike and ride down to the store to buy a cup of coffee with my credit card now...
/Hoff