SecurityWeek

Solving Security Problems Isn’t Sexy

Many Security Professionals Find Themselves Trapped in a Cycle of “Sexy” – What Can We Do About It?  

Recently, during a discussion around the current state of marketing and sales in the security industry, one of my colleagues said something that jarred me. I asked why more people in the security field, regardless of the specific role they are in, don’t focus marketing and sales messaging on problem solving.  His response was uncanny.  The “herd” isn’t looking for solutions to problems. They are on the prowl for “sexy”.

Though this statement initially jarred me, the more I thought about it, the more I realized how poignant it was.  I do know many talented security professionals who don’t follow the herd and who solve problems on a daily basis.  But, unfortunately, they are too few in number to control the herd mentality that too often prevails in our industry.  Sadly, solving problems simply isn’t sexy enough for the masses.

To explain what I mean by this, let’s take a closer look from a few different perspectives.

First, let’s begin with entrepreneurs in the security field.  There are certainly entrepreneurs in our field who are visionary and who are working to solve the problems of tomorrow. But, unfortunately, there are far too many who simply chase after the hot topic of the day. Or, to put it another way:  These entrepreneurs are solving the problems of today, or worse yet, yesterday, rather than the problems of tomorrow.

Unfortunately, with the lead time involved in building a company and bringing a product to market, by the time the product is ready to go out the door, the world has often moved on. I won’t name specific markets, but I can think of a few in the security space that were “on fire” one or two years ago. Now, you’d be hard pressed to find enough customers willing to buy the products that have been brought to market in those areas since then.

Of course, it’s hard to place the burden solely on entrepreneurs without also looking at the funding angle.  For obvious reasons, those who fund security start-ups tend to want to fund companies that have a high likelihood of a successful acquisition or an IPO. Sometimes it seems that this potential is more directly correlated to the “sexiness” of a company and its ability to function in a “hot” area, than it is to the company’s ability to address actual operational pain points for customers.

And why is this the case?  To answer that question, we need to take a look into the buyer angle. Of course, there are many experienced security buyers who have been around the block a few times and tend to acquire in a strategic and calculated manner. Sadly, however, they are not the majority of buyers. Far too many buyers buy products that are hot or en vogue. Perhaps because someone told them they had to have one. Or, perhaps because everyone is buying one.  Unfortunately, this type of approach is more grounded in pop culture than it is in strategically solving security problems.

It’s difficult to fault buyers, however, without looking at the diet of FUD (Fear, Uncertainty, and Doubt) they are being fed.  That brings me to the final angle I’d like to examine. Executives of established security vendors tend to repeatedly beat the drum of the latest hot item du jour. Over and over again.  Rather than focusing on messaging anchored around solving problems and addressing gaps, they tend to exploit the weaknesses of the cycle described above.

When we combine all of these angles, we find ourselves trapped in a cycle of “sexy” in the security field.  So what can we do about it?  How can we shift the discussion from one around sexiness to one around what pain points buyers are looking to address and what makes for a sustainable and profitable security business?

As entrepreneurs, we can found companies with sustainable business models that have the potential for long-term profitability.  We can focus on addressing real operational pain points that exist in the industry.  There is no shortage of them.

As those who fund start-ups, we can have the bravery and vision to look for companies that offer sustainable business models, together with real solutions to real problems.

As buyers, we can acquire in a strategic and calculated manner – not buying things we don’t need or that don’t help us address our operational pain points just because someone told us we had to have one or because everyone else is doing it.

Lastly, executives of established security vendors can focus on putting together value for buyers and messaging that value accordingly.  Value that solves problems, simplifies deployment, and helps customers mitigate risk.  Not over-selling them on sexiness.

Only when we each do our part can we break out of the cycle that our industry is currently caught in.  Will there be people who either misunderstand or disagree with the tone or content of this piece?  Most likely.  Does that mean that the time hasn’t come for some of these things to be said?  I don’t think so.

I realize I’m swimming upstream here. But, I’m fairly certain I’m not alone and that I’m not the only person who feels this way. History has shown repeatedly that it only takes a small number of people to think boldly and go against conventional wisdom to cause real change. Maybe a few of those people will come to the aid of our ailing security field.  We’re desperately in need of it.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Global Solutions Architect - Security at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
