EXPERT ADVICE

The ‘Visual Yield’ of Information Security

Over the holiday weekend, a family friend (whose husband is a contractor) introduced us to a great concept we hadn’t heard before: The concept of “visual yield.” It’s a concept that I think anybody who’s ever been involved in a home improvement project can understand and appreciate — and it has more to do with information security (and technology in general) than you might think at first blush.

The premise is that not all work is created equal — at least from an impact perspective. On the one hand, you have work that’s necessary but not impactful from a visual standpoint — you need to make a change, but that change doesn’t make the room you’re doing it in look any better. That’s a “low visual yield” change. For example, if you’ve ever had a radon problem, you know that it can be thousands of dollars (not to mention hundreds of hours of work) to fix. But while it takes a lot of “doing” to fix the problem, none of what you do is likely to make the house look any better visually for your effort.

By contrast, “high visual yield” work results in a drastic improvement in the look of a room relative to the amount of effort and dollars involved. For example, consider painting or wallpapering a room. That kind of change is easy to notice and can make a world of difference in making a room look “pulled together,” but it’s not really a ton of work to make happen. It’s a “high visual yield” change.

In addition to projects (painting, changing fixtures, wallpapering, etc.) that have (or don’t have) a particular “visual yield,” you also have “unveiling” moments in the context of a much larger project. Consider, for example, getting rid of black mold in a bathroom. Black mold is a health hazard and unquestionably needs to get fixed, but getting rid of it is an extensive project that can go on for weeks or even months. And during that time, the room is uninhabitable — just a musty, dusty pit full of exposed wiring, exposed pipes, and no fixtures to speak of. It stays in that sorry state until you think it’ll be like that forever, and then — one day at near the end of the project — everything comes together and it looks whole again. That day is the “high visual yield” day — not because it was little effort, but because the room looked so bad before relative to how it looks after.

Impact Is Power

Anyway the point is that when it comes to security and technology, everything we do has a “visual yield,” just like remodeling a house does — it’s just that we’re not usually as aware of it.

But we should be. “High visual yield” days are like giant neon signs advertising to our business partners that we’re doing our job. Successful technology professionals know that calling attention to deeds done well can be very powerful. Why bother doing a good job quietly and behind the scenes? So much better to do a good job right where your business partners (who are ultimately responsible for not only your budget but your continued employment) can see it.

In fact, I won’t necessarily advocate that we do this, but there are cases where folks actually create visual impact in order to impress the customer. A friend of mine, a car mechanic, once told me that he made sure each and every car that came through his garage was washed and waxed before it went back to the owner. Why? Because the visual impact of that freshly washed car led directly to desirable outcomes: repeat business, increased customer satisfaction, and (in some cases) outright additional remuneration in the form of tips.

Our customers, like the clients of my mechanic friend, respond well to being able to see the value we provide. It’s harder to come by these opportunities in security because of the “preventative” nature of much of what we do, but that doesn’t make it any less important that we market to our customers. Moreover, the relative rarity of the high-impact moment is exactly why we should be so careful to take full advantage of it when the opportunity arises.

What’s Sexy, and What Isn’t …

So say that you’re on board and you want to take advantage of the “high yield” moments when they arise. How do you know what’s likely to impress a business partner, and how do you know what probably won’t impress them?

First of all, it’s useful to understand what is “high yield” from the business’ point of view so that we can understand, by contrast, what isn’t. In short, it’s anything that will be impactful to the business is going to tie directly to (and ideally solve) a business problem that they have right now. For example, does the business have an antiquated DOS-based purchasing system that makes it difficult to acquire new materials? Well, replacing that old system with something new, slick and easy to use would be a “high yield” moment for them.

However, since the opportunities for security to directly solve business challenges are fewer and farther between than in other areas of technology, we have to look outside of the standard fare to create those moments. We can do that most easily with expensive services where the business will notice cost savings. For example, if the business spends US$1,000 per month and you can get them to a place where they spend $100 and get the same value? If we can get them there, that’s a high-yield moment for us. Why? Because most businesses keep careful track of expenses — and they can directly compare the “before” picture with the “after” to realize the significance of the change.

There are some situations that don’t involve cost savings that we can use to create the high-value moment as well — but we have to get a little creative to make them happen. In some cases, we might need to create the mechanism for our business partners to perceive the change first — and then use that mechanism to create the high-yield moments. For example, if we have a reliable metrics program, we can use that to produce the effect we’re looking for.

Think about it this way: If you painted a room in a blind person’s house, would that be a high-impact moment for them? Not likely, right? Because no matter how sweeping the change you made, they’re not equipped to observe it. However, give them an alternate mechanism to observe the change — for example, if they start getting compliments on the room, they might start to see the value. The business would be like the blind homeowner — they can’t directly see value no matter what changes you do or don’t make until you give them a mechanism to observe (in this case, the security metrics).

Bottom line: Use the moments that you’re given to showcase the changes you’re making to your business partners, and market yourself through these moments. In situations where marketing opportunities don’t readily present themselves, consider equipping your business partners with a new mechanism that you can leverage to showcase changes you’re making for the better. For example, consider how effective a metrics initiative could be to allow you to point out high-yield security moments when they occur.


Ed Moyle is currently a manager withCTG’s information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner ofSecurity Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development.


Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

CRM Buyer Channels