The business of security is business. Disney showed how it is possible to take a counterfeit product problem into a business opportunity. It is a possibility we should all be looking for. The “fun” part of security is usually the attack. Figuring out how to break in, break through, or slide around a security system. The defense side seems to be a endless slog: ever uglier passwords, annoying lines at airports, and endless expenses that feel futile. So, its fun when the security guys (or gals) do something fun. And make some money. Of course, it would be Disney. “Piracy, in China?” In 2006, Disney had a problem. Their licensed products were being counterfeited on a massive scale. They were losing money and junk products were damaging their reputation. Even worse, licensed products were virtually the only viable product for Disney to sell in China. Videos were pirated and most TV programming and movies were not allowed. Most companies would go after the bad guys. What Disney did instead was reward the good ones. Security Judo Disney saw its customers as the solution, not the problem. Their goal was to maximize revenue, not punish pirates. So, they started a marketing campaign. Disney put holographic tags on all of their legitimate products and announced a promotion. Customers could fill out an entry form and provide the holographic “proof of purchase” label for the chance to win big prizes. It worked beautifully. Instead of customers looking for the cheapest Disney products (legitimate or not), they now were part of the anti-piracy strategy: Fake products = No prizes… created a positive incentive for consumers to buy real Disney products. WIN Incentive to report phoney products. Consumers reported retailers who sold bogus products to Disney. WIN Intelligence on pirates. When consumers provided their proof-of-purchase labels, Disney was given ongoing intelligence on the capabilities of the pirates and where their products were being sold. WIN Even better, Disney built a mail list of over 250,000 customers within 3 weeks and probably some extra sales too. While the final effect on piracy is unknown, the program paid for itself. More legitimate products sold. Direct relationship opened with a quarter of a million customers. How many times do security programs run at break-even or a a profit? Embedding security Too many security professionals and business leaders think of security as an IT niche. It isn’t. Security is a basic business discipline. If Disney had focused on “fighting counterfeiters” instead of maximizing revenue and business opportunity, it would have come up with a very different approach. I find it funny and sad to hear about trying to train security people to talk with C-suite executives. Real success in security can only come from being deeply embedded in the business, culture and people you are working with. When I worked at NSA as a security analyst, I was an anomaly: I wore a coat and tie. Every day. Why? I went to meetings with contractors and customers all the time. Instead of sitting in my office reading the contract required security documents, I met the people and understood their work. If there was a meeting, I went. Even if security wasn’t on the agenda. This made a huge difference. I learned their business and what they cared about. Too often, security professionals act as if “security” exists separately from a business. (I think this is a variation of the affliction that some IT people have about “IT”). It’s totally bogus. We say that “you need to build security in from the beginning”, yet we refuse to show up to those early meetings… or stay for the bits that aren’t on security. Too often in security, we confuse handling a security “problem” with supporting the business. On the other hand, sometimes a business will add a “feature” that offers minimal benefit to the company or its customers but creates a massive security risk. The recent OPM breach is a good example (a topic for a future post, perhaps). As far as I’m concerned, security professionals need to understand their business and project at least as well as anyone else working on it. Only then can you provide useful security guidance in a timely fashion. This is true of everyone, from the greenest security analyst to the CISO or CSO. Only then are you practicing real business security. Do you have any good examples of business and security working together? What have you done to reach out to your business colleagues? Share them in the comments below or email me directly. Related content opinion Bank of Personal Information: The security service you need today Data breaches are undermining your customers' confidence in your business. It is time to offer them real security. A bank of personal information could provide an essential service to businesses and consumers and be the heart of a multibillion-d By Steven B. Davis Oct 30, 2015 4 mins Data Breach Data and Information Security Security opinion Security through simplicity: The fantasy sports scandal and IoT Are the flood of exploits inevitable or can we improve security by expanding and simplifying our security architectures? By Steven B. Davis Oct 08, 2015 4 mins Cloud Security Internet opinion Shades of Greynets: The Internet of Secure Things Emerging, rich network architectures and dedicated simple security appliances can transform security for online systems. By Steven B. Davis Oct 02, 2015 4 mins Firewalls Cloud Security Security opinion How to fight denial of service - choose your battles, save your dollars You can cost-effectively fight denial-of-service attacks by focusing on finding ways to serve your customers and prospects even if your site is down. By Steven B. Davis Sep 21, 2015 5 mins Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe