Pizza Sauce and Security

We conducted a yard sale last week. If you’ve ever done this, then you know the turmoil over pricing. Your stuff is valuable to you, but there is often a hard reality that hits you when you try and extract that value from the public. Put simply, your stuff typically isn’t worth what you think.

Pricing your security services reflects a similar statement of risk. Many organizations mandate a security review as a part of their SDLC (and if they don’t, they should). Paying for this is an interesting conundrum. Once upon a time, I developed a metaphor that I thought was useful for getting to the root of the pricing problem. I called it “Pizza Sauce.” At the time, we were trying to develop a way to price the value that we thought security could add to software development projects. The problem that we came to quickly was that people thought security was already a part of the price (at the time, we were selling to 3rd parties not internal organizations, but the metaphor works either way). I equated it to a pizza: if you ordered a pizza, you assume it comes with sauce. You’d be insulted if you received a bill for the pizza with a line-item for sauce. Similarly, there is a negative perception associated with adding a line-item for security (If I don’t pay extra you’ll make it insecure?). So let’s assume that you created a really amazing, brand-new sauce. You can’t charge extra for the sauce, but you can include pricing to reflect that value in the overall price of the pie.

Security needs to be priced similarly – namely, since people already assume there is security baked in, you need to include that pricing in the overall cost in a way that doesn’t encourage people to skip it to reduce costs. For many organizations this can include listing security personnel on project plans at a zero dollar bill rate, or to include security in the overhead charged to cost centers for general IT services.

The key take-away is to ensure that you price security to extract value but not so high as to encourage circumnavigation.

How to Play


I recently took my daughter to a kid’s birthday party. The location had one of those kid’s gyms where you kick your shoes off and dive into the balls and have a great time. Risk never leaves my mind, so when I was reviewing the sign that was posted over the entrance to the area, I found an interesting parallel that I thought I’d share.

There was a sign posted that said, “How To Play,” followed by what is presumably a list of rules on how to play. The gate was guarded by a disinterested young man sketching on a pad and ostensibly enforcing the rules of play. What were those rules? See for yourself:

  1. No shoes or coats
  2. No running or jumping
  3. No throwing balls

What is missing from these list is exactly what the title of the sign said would be there: rules for playing. Instead, what we have is a list of how NOT to play. While my little one was playing she was having a difficult time getting up some of the ramps in her stockinged feet, so I slipped her socks off and sent her on her way. My wife chastised me because another sign somewhat out of sight indicated that socks were required. The disinterested young man from early failed to notice.

I think there are some clear parallels to corporate security polices in this brief example. First, information security policies rarely identify “How to Play.” Instead, like our sign example above, we frequently find a list of things you are not allowed to do. This is an example of security-centric thinking. Know this: the people in your company are interested in knowing How To Play. Tell them the approved technologies, processes, and systems that they are allowed to use without running afoul of the policy. This is the basic logic of a white vs black list, so help your organization know how to do the right thing (I’m assuming there’s more you don’t want them doing than otherwise, so save time and just tell them what to do).

Next, the metaphor of the disinterested enforcement agent I’m sure is not lost on most. Enforcement is tricky business, and worthy of longer treatment, but for today’s blog post focus on the economics of the situation. There was one guy at the entrance who ostensibly had responsibility for enforcing the rules in the entire area (it was very large with between 30-50 kids). Clearly he was going to fail at 100% enforcement. But just like in other areas of life, its often just as effective to selectively offer enforcement for those areas that are high-risk.

Lastly, don’t forget the allure of the one-stop-shop. Having everything you need someone to know in one place is valuable. Don’t make them hunt for that hidden sign to find out that bare feet are not allowed. Everything should be clearly visible and in one place.

In summary, we as security practitioners can make it easy or hard for people to comply. You get to decide, “How To Play” for your organizations. Choose wisely.