Gartner Blog Network

Twelve Word Tuesday: Measuring Security Program Effectiveness

by John Pescatore  |  October 28, 2008  |  17 Comments

The best security program is at the business with the happiest customers.



John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…

Thoughts on Twelve Word Tuesday: Measuring Security Program Effectiveness

  1. Jabber says:

    hmmm… don’t they say ignorance is bliss also?

  2. This is a nice sound bite but it suffers from over simplification, IMHO.
    In the spirit of terseness (which I love about this blog) let me just cite one reasonably well-regarded model, namely the balanced scorecard. It includes three other perspectives besides the customer perspective for a good reason.

  3. Jeffrey Gorton says:

    True. Especially if one realizes that “happiness” comes from the utility of a thing — utility meaning that one derives more pleasure or value than harm from its use.

  4. Staying within the twelve word construct pretty much dictates sound bites, but here’s my thinking behind this:

    Over the long term, the most successful businesses are the ones that listen to their customers and provide products and services that their customers can depend on. There are lots of different products and services, lots of different reasons why people buy and what utility they get – it is definitely not one size fits all.

    Kaplan and Norton’s balanced scorecard approach for flowing top level management objectives and mission statements downwards in an organization added financial, internal business and innovation/learning perspectives to the customer perspective. That is certainly valid – but I think in security at least two of those three (financial and internal business process) have already been talked to death and are very commonly addressed by the ROSIs and ITILs of the world and the scads of dashboards out there.

    I think the hardest and most valuable part is determining how much security is enough for your particular business – in particular, for your particular customers. That connection – how does a security decision or expenditure relate to some noticeable customer benefit – is the least addressed and the least understood.

    This is not constant – it changes just as fast as your business environment changes. A great example is the pre-2001 Microsoft. It was popular and easy for us in security to trash the security of Microsoft’s products, but they had the happiest customers – they were steamrolling all the more secure products because the market conditions meant that security was not valued (this gets to the ignorance is bliss comment.) It took the vulnerability-seeking attacks of 2001 to cause Bill Gates to say “OK, security is an in-demand feature” and start the process to turn Microsoft around on security.

    There are a lot of other examples of this. What I think is the real take-away important issue is that there is a tendency for people in security to join the “Cult of the difficult problem” and treat security as some absolute – this must be done because it is on the security stone tablet that says so. There is a lot of talk in security about how to convince the business that the stone tablet needs to be baked into business systems but very, very little action in trying to understand what security is important for the success of the business – and if you believe that the long term (long term is key) success of the business is tied to happy customers, you get back to the twelve words.

    As an aside, this is why we always say “Protect the customer, protect the business – then demonstrate compliance.” Compliance regimes are one size fits all and are definitely *not* aimed at happy, safe customers.

  5. David Etue says:

    10 words: People still love TJ Maxx because Visa lost, not them.

    And I don’t say that to necessarily disagree with John or want to pick on TJX because this could be anyone that has suffered a breach.

    If people don’t care and/or change their actions, was security appropriate? I’d say no, but I can see a credible argument.

  6. The banks have done studies that show significant customer defection when the bank is the source of an identity theft incident – the customers are unhappy enough to switch to another bank. That’s because a large part of the customer happiness has to do with trusting the bank to safeguard their money – the identity theft problems undermine that trust, the customers aren’t happy.

    The customer happiness equation in retail is a different story (and the complex credit card liability spreading complicates it further) but even TJX changed a lot of their ways after the incident in an effort to deal with potentially unhappy customers – back to why I said above that “long term” is key. No airline’s passengers are happy after a plane crash but it takes the long term to determine if there is a customer-perceptible difference in safety across the airlines.

    We all know that online services would be much safer if everyone was forced to use strong authentication yet consumers reject it and show that they will do less online consumption if they are forced to augment reusable passwords with tokens. Which is the better security program: the safer one that customers dislike and don’t use, or the riskier one that generates higher revenue?

  7. Jeff Reava says:

    To the extent that bad security, whether inadequate or oppressive, frustrates customers – this statement is true. Probably will become even more so as user generated content blurs the line between customer and company.

    I’d be tempted to try it this way:

    The best security program minimizes cost: from incidents, implementation, and process impact.

  8. Gunnar says:

    “Which is the better security program: the safer one that customers dislike and don’t use, or the riskier one that generates higher revenue?”

    perfect question – Alan Greenspan’s customers loved his low interest rates and lack of regulation. And it worked great, until. Well…you know…

    Props to you for putting customer focus into infosec, which we need, just saying that its not the only measure.

  9. Mark Kadrich says:

    Ignorance is bliss.

    Our experience indicates that the basic transactions themselves aren’t any more secure no matter what type of authentication a consumer uses. I say consumer versus customer since consumer more accurately describes the folks that use online banking. And consumers are quite happy to install a security tool on a rooted system. (It does seem like we’re talking about both kinds of users here since there is discussion of balanced scorecards.)

    Consumers generally become unhappy only after a change in state – their computer functions slower or they detect a fraudulent charge. (Even then only for a short period of time.) So I would say that although happiness can be important, it is by no means required when mandatory security functions are indicated, implemented, and enforced.

  10. Dan Geer says:

    Security is when there are no surprises remaining that can’t be handled.

  11. Surprises: the lack of surprises that can’t be handled essentially means the lack of change.

    One of my favorite quotes is from Helen Keller: “Life is either a daring adventure or nothing at all. Security is mostly a superstition. It does not exist in nature.”

    The other issue is human nature is to be surprised constantly – it is part of being a hopeful species. For many, many people April 15th is a surprise each year. A common conversation right now is “Wow – it is really getting dark early, now”….

  12. The best security program is one whose benefits outweigh its costs.

    The fallacy of the cybersecurity industry is that security has no meaningful cost. We acknowledge it costs something, but we have no idea exactly how much because we spend all our time looking at the benefits.

    Yes, a bank loses customers when customers suffer from hacking. But a bank also loses customers when its security makes it too hard to bank there.

    Banks used to put bullet proof glass between the tellers and customers. However, customers found this unpleasant and took their business to more friendly banks. The costs of bullet proof glass, in terms of lost customers, exceeded its benefits, in terms of prevented robberies. Banks are now designed to be open and friendly to bank robbers.

    The Microsoft Vista UAC. (I had an entire paragraph explaining why the example of UAC supports my point, then I realized an explanation is redundant.)

  13. That just loops back to what are the benefits? The costs are very obvious – both the direct procurement and operations costs that are eating up 7% of the average IT budget, and the business disruption costs that are constantly complained about by the business side.

  14. […] had a fun bloggie style discussion on measuring the value of security programs a while back. All attempts to do so always run into problems measuring the cost or the benefits.  Everyone […]

  15. […] year, in a Twelve Word Tuesday post I said “The best security program is at the business with the happiest customers.“ Security and creativity are not antonyms – keeping your customer data safe and your […]

  16. albert A. says:

    As Yogi Berra put it, “If you don’t know where you’re going, you’ll end up someplace else.” Do you know where you’re going with respect to your privacy and security awareness programs? How will you know when–or if–you get there?

  17. marion lewis says:

    Skift’s hotel oracle Deanna Ting broke down the results from the recent American Customer Satisfaction Index last week to figure out which hotel chains have the happiest customers. The result: Hilton, Marriott, Hyatt, and Starwood (in that order) with scores of 81, 80, 79 and 78 respectively. The least happy customers in the study? Motel 6, with a score of 65.
