Security Experts:

Marketing Security Solutions: Is There a Better Way?

In my previous piece, I discussed the difficulty vendors sometimes have in understanding what security buyers are really looking for.  As I mentioned in that piece, this confusion is further compounded by the large volume of vendors and distinct markets that exist within the information security profession.  The irony that my previous piece came out during the week of one of the largest security conferences wasn’t lost on me.  Why is this ironic?  I’ll elaborate.

Many of the people reading this piece have been to the big Las Vegas and/or the big San Francisco security conferences at least once.  If you’ve never been to either of these conferences, saying something like “hordes of people descend on the conference location” would be an understatement.  The volume of people that attend these conferences is simply hard to grasp until you see it with your own eyes, and even then, it can be a bit overwhelming.

You know what else is overwhelming?  The number of vendors exhibiting at these two conferences.  Just how many vendors exhibited at these two conferences in 2017?  Let’s take a look at the numbers:

Las Vegas: 290 exhibitors across two floors of exhibition

San Francisco: 687 exhibitors across two exhibition halls

Not all conferences are quite this large, of course.  Some of them are downright intimate. And there are also the various different meetups, networking events, and peer-to-peer organizations that try to bring security professionals together, including vendors and customers.

I do understand the value that some of these different events bring to the security community and don’t mean to be critical of them in any way.  I understand that event organizers need to support themselves financially.  I also understand the need, or perhaps the perceived need, to be at some of these different events in order to be included in much of what goes on in the industry.  Further, I do understand the networking opportunities that some of these events represent for so many people.  I don’t argue with these points in any way.  Rather, I am making another point entirely.

At large conferences, vendors may find themselves amongst hundreds of exhibitors and thousands of attendees.  How is it possible to stand out from the crowd in a sea of noise, gimmicks, buzzwords, and hype in order to grab the attention of those who are interested in our product or service?  Perhaps we can roll in a keg and offer free beer to those who stop by our booth?  Or will that merely bring us people who are interested in free beer?  What about if we roll in a boxing ring and stage boxing matches?  Or will that just bring us people who are interested in watching people box each other?

Although large conferences have many advantages, producing highly qualified leads as a return on the marketing budget invested is not among them.

Alright you say, so what if I focus some of my marketing budget on smaller, more intimate events such as those put on by peer-to-peer organizations?  Well, it is certainly considerably easier to stand out from the crowd in those types of environments.  So what’s the downside?  For starters, it can be extremely difficult for these smaller events to bring the right, most relevant crowd to their sponsors.  Some are better than others.  There is, however, quite a bit of variation, and it can difficult to truly understand what the event will be like at the time payment is rendered.

As an example, consider a series of intimate breakfast events that I was signed up to speak at in my previous position.  The company I worked for paid a fair bit of money to be one of three vendors in attendance at these events.  In exchange for this sum, the event organizer promised 10-20 CISOs and explained that non-CISOs would not be permitted to participate in the breakfast events.  With promises like those, who would say no?

As you might have expected, the reality on the ground was quite different.  There were very few, if any, CISOs in attendance at the overwhelming majority of the events.  In fact, the attendees were mostly a mix of people looking for a free breakfast, people who were brought in by the event organizers to bring up the number of attendees to between 10-20, and occasionally someone who was legitimately interested in hearing what the sponsors had to say.

Of course, mileage varies significantly with these smaller, more intimate events.  Sometimes they can be quite good.  But more often than not, sponsoring vendors walk away disappointed.  And worse yet, it can be extremely difficult to know how the event will be until it actually happens.  I know this both from my own experiences, as well as the experiences of others who have shared their frustrations with me.

Given the current state of affairs, perhaps the time has come for security vendors to rethink how they invest their marketing budgets?  Security marketing seems to be stuck in a bit of a “spray and pray” rut.  This is not a knock on marketing professionals in any way -- historically, they simply have not had a lot of great options.  On the vendor side, this has resulted in poor return on investment from the marketing budget.  While on the customer side, this has resulted in security vendor fatigue.  Both results are quite unfortunate and exacerbate the widening gap between vendors and customers in the security field.

So what can be done about this situation?  How about looking for ways to better target marketing and sales efforts and budget?  What if security vendors had a way to understand the gaps that customers have, the issues they’re grappling with, and the problems they’re looking to solve?  Maybe, just maybe, the two sides would begin to draw closer together, improving return on investment for security vendors and reducing security vendor fatigue for customers.

view counter
Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.