The “fun” part of security is usually the attack. Figuring out how to break in, break through, or slide around a security system. The defense side seems to be a endless slog: ever uglier passwords, annoying lines at airports, and endless expenses that feel futile.
So, its fun when the security guys (or gals) do something fun. And make some money.
Of course, it would be Disney.
“Piracy, in China?”
In 2006, Disney had a problem. Their licensed products were being counterfeited on a massive scale. They were losing money and junk products were damaging their reputation. Even worse, licensed products were virtually the only viable product for Disney to sell in China. Videos were pirated and most TV programming and movies were not allowed.
Most companies would go after the bad guys.
What Disney did instead was reward the good ones.
Disney saw its customers as the solution, not the problem.
Their goal was to maximize revenue, not punish pirates.
So, they started a marketing campaign.
Disney put holographic tags on all of their legitimate products and announced a promotion. Customers could fill out an entry form and provide the holographic “proof of purchase” label for the chance to win big prizes.
It worked beautifully.
Instead of customers looking for the cheapest Disney products (legitimate or not), they now were part of the anti-piracy strategy:
- Fake products = No prizes… created a positive incentive for consumers to buy real Disney products. WIN
- Incentive to report phoney products. Consumers reported retailers who sold bogus products to Disney. WIN
- Intelligence on pirates. When consumers provided their proof-of-purchase labels, Disney was given ongoing intelligence on the capabilities of the pirates and where their products were being sold. WIN
Even better, Disney built a mail list of over 250,000 customers within 3 weeks and probably some extra sales too.
While the final effect on piracy is unknown, the program paid for itself. More legitimate products sold. Direct relationship opened with a quarter of a million customers.
How many times do security programs run at break-even or a a profit?
Too many security professionals and business leaders think of security as an IT niche. It isn’t. Security is a basic business discipline. If Disney had focused on “fighting counterfeiters” instead of maximizing revenue and business opportunity, it would have come up with a very different approach.
I find it funny and sad to hear about trying to train security people to talk with C-suite executives. Real success in security can only come from being deeply embedded in the business, culture and people you are working with.
When I worked at NSA as a security analyst, I was an anomaly:
I wore a coat and tie. Every day.
I went to meetings with contractors and customers all the time. Instead of sitting in my office reading the contract required security documents, I met the people and understood their work.
If there was a meeting, I went. Even if security wasn’t on the agenda.
This made a huge difference.
I learned their business and what they cared about.
Too often, security professionals act as if “security” exists separately from a business. (I think this is a variation of the affliction that some IT people have about “IT”).
It’s totally bogus.
We say that “you need to build security in from the beginning”, yet we refuse to show up to those early meetings… or stay for the bits that aren’t on security.
Too often in security, we confuse handling a security “problem” with supporting the business.
On the other hand, sometimes a business will add a “feature” that offers minimal benefit to the company or its customers but creates a massive security risk. The recent OPM breach is a good example (a topic for a future post, perhaps).
As far as I’m concerned, security professionals need to understand their business and project at least as well as anyone else working on it. Only then can you provide useful security guidance in a timely fashion. This is true of everyone, from the greenest security analyst to the CISO or CSO. Only then are you practicing real business security.
Do you have any good examples of business and security working together?
What have you done to reach out to your business colleagues?
Share them in the comments below or email me directly.