SecurityWeek

Management & Strategy

Cybersecurity’s Marketing Dilemma

Cybersecurity has gone through many changes over the past decade. From being a niche sector, rarely taken seriously or understood, to underpinning national security, economic growth and the availability of financial infrastructures. In the process it has become a large, high growth and consequently overfunded market. 


This evolution is based on cybersecurity’s newfound profile and responsibility for protecting against attacks that threaten the underpinnings of our digital way of life. Historically, the security threats put forth by the industry were largely hypothetical and didn’t impact the bottom line. Today, cyber threats have materialized to the point where they impact everything from data protection and privacy, to election results and how nation states conduct espionage.

So, while security has emerged as a darling industry, this success has come at a price – we’ve sacrificed our credibility, objectiveness and honesty. 

This is evident in how cybersecurity is marketed. Fear, Uncertainty and Doubt, or FUD, has always played a part in convincing businesses and governments to invest in cybersecurity, especially in the days before cyber threats were mainstream. Nevertheless, this FUD was balanced by full disclosure and by a community that, dealing with risk, is sceptical by nature.

In recent years, however, FUD has escalated to a whole new level. Anyone who receives vendor emails or is active on LinkedIn can testify to being inundated with claims that every new vulnerability, threat or breach could have been prevented using product XYZ. In many cases, these are outright exaggerations, and often lies. Marketers and salespeople are incentivised not to miss out on what is perceived to be a good opportunity, regardless of the resulting blowback on social media. 

Another indicator of how the industry has changed is its focus on subjective competitive analysis models, like the Harvey ball diagrams that contrast and compare one vendor against its competitors. The criteria used are always highly selective and frequently irrelevant to what end users consider important. Even though purchasing enterprise security products is based on a list of requirements and a proof of concept, security vendors continue to feed customers a steady diet of unrealistic claims.

It is, of course, the objective of marketing to put lipstick on a pig. Unfortunately, we’ve reached a new dimension where the pig ends up looking like a tomato. All lipstick, and no pig. Marketing descriptions and claims of what a product can do often sound like something out of a science fiction movie. This includes comparing technologies to biological systems, or claiming they possess cognitive artificial intelligence capable of replacing engineers and analysts and eliminating all security threats once and for all. Yet we all know this isn’t true and that the messaging is far grander than the reality. So why do vendors and marketers do this? Why is there such a disconnect between what a solution does and what it claims to do?

I have three simple explanations. 


The first is increased competition. In the early days of the vulnerability assessment market, vendors’ greatest challenge was convincing end users that they should perform vulnerability management in the first place, and that they should use a commercial product rather than rely on open source tools.

Today, the challenge is to convince customers to buy one solution from a large field of competing offerings. These range from vulnerability assessment tools and vulnerability assessment as a service, to emerging technologies that claim they eliminate the need to patch vulnerabilities at all and new infrastructure approaches like containerization that address the problem in a very different way. 

In nature, increased competition usually applies greater evolutionary pressure, leading to genetic mutations that achieve a competitive advantage. Aside from vendors who claim they are disrupting the status quo, it is easier and more cost effective (at least for a while) for vendors to escalate their marketing than to innovate and find new solutions to problems.

The second is based on the simple fact that there are more vendors than the market can support, while most offerings are mediocre or bad. The marketer’s job remains to succeed and meet their targets, creating commercial pressure to exaggerate. For example, during my time at Gartner, I encountered marketers whose bonuses were predicated on their company’s placement in the Magic Quadrant rankings. This is of course unrealistic, since placement is based more on product capabilities and company growth than on the marketing.

The third is a lack of experienced cybersecurity marketers and salespeople to fill available openings. This is forcing vendors to recruit from other industries, or to hire raw recruits who do not have the benefit of seasoned mentors to guide them.

This explains the focus in marketing on quantitative metrics: we have X integrations or signatures, or we detect Y threats. If you subscribe to Netflix or Amazon Prime this will be familiar, since these services are constantly adding low quality movies and series just so they can claim to offer the most content. The problem with this approach in cybersecurity is that it’s often meaningless, since customers are not interested in how many integrations a product supports, but in whether it supports the ones they need (usually the most popular).

As an industry, we’ve lost our way. Instead of using marketing to create brand awareness and visibility, highlighting the strengths and differentiators of a product and making it easier for prospects to shortlist vendors for RFPs, we’re creating inertia. Smoke and mirrors tactics are making the sales process longer, more expensive and more difficult for vendors and customers alike. We are creating sceptical buyers. Ultimately, false or misleading claims will be exposed in proof of concepts or, worse, in production environments where the stakes are extremely high.

We are not selling consumer, lifestyle or experiential products. We need to act like it.

Written By

Oliver has worked as a penetration tester, consultant, researcher, and industry analyst. He has been interviewed, cited, and quoted by media, think tanks, and academia for his research. Oliver has worked for companies such as Qualys, Verizon, Tenable, and Gartner. At Gartner he covered Security Operations topics like SIEM, and co-named SOAR. He is the Chief Futurist for Tenzir, working on the next generation of data engineering tools for security.
