most IT products and services are considered productivity tools. Security is not productive, it is protective. It does not add, it just spends on trying to prevent losses. A necessary evil.
I agree with this assessment. Scott McNealy, former CEO of SUN Microsystems, years ago was asked, “When is SUN going to take security seriously?”, and replied, “When security makes us money, or lack of it costs us money. Security doesn’t sell!” (paraphrased a bit there, I can’t recall the exact quote, but this is certainly the sentiment!).
As an IT/Network person myself, I’ve long said, “Security is inversely proportional to productivity!”. Many of the examples cited by others in this thread, including those by Saul, such as OKTA, AYX, and the ones you mentioned, FB, GOOG, etc. all have something in common; they make things easier in a very obvious way to everyone.
AYX - Makes data analysis easier for the analyst. But the rest of the company sees this in the form of faster turn-around time, faster analysis, more complete analysis, better information faster, etc.
OKTA - Makes application access faster and easier for everyone. The entire company knows what OKTA is, it’s the “One single place I need to enter a single set of credentials to gain access to ALL of the web sites and applications I use all the time rather than remember a different set of credentials for each of them!” IT sees it as “The one place I need to disable a user when they leave the company to know they no longer have access to anything!”
AMZN - Saves time, saves money, makes finding and shopping and receiving of things easier.
FB - Makes sharing and keeping in touch with friends and family easier and faster than ever.
AAPL - Makes devices that are incredibly simple to use and makes tedious things easier with those simple-to-use devices.
GOOG - Makes finding information easier and faster than ever before.
All of these companies make things easier whatever those things are. And everyone intuitively understands exactly what it is they make easier, faster, cheaper.
Contrast that with what I refer to as “infrastructure plays” (which I’ve discussed here before), which is where things like NTNX and ESTC, and possibly ZS, Akamai, CRWD, PANW, etc. fall. A few people understand who they are and what they do. But most do not. The vast majority of people in any company have no idea whether their HCI is on NTNX or VMWare, or OpenStack, nor do they care. The CIO or whomever, cares about cost, and that’s it. The IT staff might care about a few different features. But Jane in accounting, or Joe in HR, doesn’t know and doesn’t care. Same for if they use ZS or PANW or CRWD. But both of those people know if the company is using OKTA. And, everyone who needs to do data analysis knows the company uses AYX’s product, or Tableau, etc.
Additionally, as you point out, and as Scott McNealy noted, “security doesn’t sell!”. No one cares about it. It’s a necessary evil that costs money. You never actually know if it works, only if it fails. It’s an insurance policy you hope to never have to use.
I think that’s what makes it so hard to invest in security. No one really cares until something bad happens. It’s not like DDOG which solves a huge problem, (monitoring and alerting), it’s an insurance policy you don’t even know is there, and don’t really want, but are forced into “just in case”.