The "fun" part of security is usually the attack: figuring out how to break in, break through, or slide around a security system. The defense side seems to be an endless slog: ever uglier passwords, annoying lines at airports, and endless expenses that feel futile.

So, it's fun when the security guys (or gals) do something fun. And make some money.

Of course, it would be Disney.

"Piracy, in China?"

In 2006, Disney had a problem. Their licensed products were being counterfeited on a massive scale. They were losing money, and junk products were damaging their reputation. Even worse, licensed products were virtually the only viable product for Disney to sell in China. Videos were pirated, and most TV programming and movies were not allowed.

Most companies would go after the bad guys.

What Disney did instead was reward the good ones.

Security Judo

Disney saw its customers as the solution, not the problem.

Their goal was to maximize revenue, not punish pirates.

So, they started a marketing campaign.

Disney put holographic tags on all of their legitimate products and announced a promotion. Customers could fill out an entry form and provide the holographic "proof of purchase" label for the chance to win big prizes.

It worked beautifully.

Instead of customers looking for the cheapest Disney products (legitimate or not), they now were part of the anti-piracy strategy:

Fake products = No prizes. This created a positive incentive for consumers to buy real Disney products. WIN
Incentive to report phoney products. Consumers reported to Disney the retailers who sold bogus products. WIN
Intelligence on pirates. When consumers provided their proof-of-purchase labels, Disney gained ongoing intelligence on the capabilities of the pirates and where their products were being sold. WIN

Even better, Disney built a mailing list of over 250,000 customers within 3 weeks, and probably some extra sales too.

While the final effect on piracy is unknown, the program paid for itself.
More legitimate products sold. Direct relationship opened with a quarter of a million customers.

How many times do security programs run at break-even or a profit?

Embedding security

Too many security professionals and business leaders think of security as an IT niche. It isn't. Security is a basic business discipline. If Disney had focused on "fighting counterfeiters" instead of maximizing revenue and business opportunity, it would have come up with a very different approach.

I find it funny and sad to hear about trying to train security people to talk with C-suite executives. Real success in security can only come from being deeply embedded in the business, culture and people you are working with.

When I worked at NSA as a security analyst, I was an anomaly:

I wore a coat and tie. Every day.

Why?

I went to meetings with contractors and customers all the time. Instead of sitting in my office reading the contract-required security documents, I met the people and understood their work.

If there was a meeting, I went. Even if security wasn't on the agenda.

This made a huge difference.

I learned their business and what they cared about.

Too often, security professionals act as if "security" exists separately from a business. (I think this is a variation of the affliction that some IT people have about "IT".)

It's totally bogus.

We say that "you need to build security in from the beginning", yet we refuse to show up to those early meetings... or stay for the bits that aren't about security.

Too often in security, we confuse handling a security "problem" with supporting the business.

On the other hand, sometimes a business will add a "feature" that offers minimal benefit to the company or its customers but creates a massive security risk. The recent OPM breach is a good example (a topic for a future post, perhaps).

As far as I'm concerned, security professionals need to understand their business and project at least as well as anyone else working on it.
Only then can you provide useful security guidance in a timely fashion. This is true of everyone, from the greenest security analyst to the CISO or CSO. Only then are you practicing real business security.

Do you have any good examples of business and security working together?

What have you done to reach out to your business colleagues?

Share them in the comments below or email me directly.