Cybersecurity has gone through many changes over the past decade, from being a niche sector, rarely taken seriously or understood, to underpinning national security, economic growth and the availability of financial infrastructures. In the process it has become a large, high-growth and consequently overfunded market.
This evolution is based on cybersecurity’s newfound profile and responsibility for protecting against attacks that threaten the underpinnings of our digital way of life. Historically, the security threats put forth by the industry were largely hypothetical and didn’t impact the bottom line. Today, cyber threats have materialized to the point where they impact everything from data protection and privacy, to election results and how nation states conduct espionage.
So, while security has emerged as a darling industry, this success has come at a price: we’ve sacrificed our credibility, objectivity and honesty.
This is evident in how cybersecurity is marketed. Fear, Uncertainty and Doubt, or FUD, has always played a part in convincing businesses and governments to invest in cybersecurity, especially in the days before cyber threats were mainstream. Nevertheless, this FUD was balanced by full disclosure and by a community that, dealing with risk, is sceptical by nature.
In recent years, however, FUD has escalated to a whole new level. Anyone who receives vendor emails or is active on LinkedIn can testify to being inundated with claims that every new vulnerability, threat or breach could have been prevented using product XYZ. In many cases, these are outright exaggerations, and often lies. Marketers and salespeople are incentivised not to miss out on what is perceived to be a good opportunity, regardless of the resulting blowback on social media.
Another indicator of how the industry has changed is its focus on subjective competitive analysis models, like the Harvey ball diagrams that contrast and compare one vendor against its competitors. The criteria used are always highly selective and frequently irrelevant to what end users consider important. Even though purchasing enterprise security products is based on a list of requirements and a proof of concept, security vendors continue to feed customers a steady diet of unrealistic claims.
It is, of course, the objective of marketing to put lipstick on a pig. Unfortunately, we’ve reached a new dimension where the pig ends up looking like a tomato: all lipstick, and no pig. Marketing descriptions and claims of what a product can do often sound like something out of a science fiction movie. This includes comparing technologies to biological systems and claiming they possess cognitive artificial intelligence capable of replacing engineers and analysts and eliminating all security threats once and for all. Yet we all know this isn’t true and that the messaging is far grander than the reality. So why do vendors and marketers do this? Why is there such a disconnect between what a solution does and what it claims to do?
I have three simple explanations.
The first is increased competition. In the early days of the vulnerability assessment market, vendors’ greatest challenge was convincing end users that they should perform vulnerability management in the first place, and to use a commercial product, not rely on open source tools.
Today, the challenge is to convince customers to buy one solution from a large field of competing offerings. These range from vulnerability assessment tools and vulnerability assessment as a service, to emerging technologies that claim they eliminate the need to patch vulnerabilities at all and new infrastructure approaches like containerization that address the problem in a very different way.
In nature, increased competition usually applies greater evolutionary pressure, favouring mutations that confer a competitive advantage. In this industry, aside from vendors who claim they are disrupting the status quo, it is easier and more cost effective (at least for a while) for vendors to escalate their marketing than to innovate and find new solutions to problems.
The second is the simple fact that there are more vendors than the market can support, while most offerings are mediocre or bad. The marketer’s job remains to succeed and meet their targets, which creates commercial pressure to exaggerate. For example, during my time at Gartner, I encountered marketers whose bonuses were predicated on their company’s placement in the Magic Quadrant rankings. This is of course unrealistic, since placement is based more on product capabilities and company growth than on the marketing.
The third is a lack of experienced cybersecurity marketers and salespeople to fill available openings. This is forcing vendors to recruit from other industries, or to hire raw recruits who do not have the benefit of seasoned mentors to guide them.
This explains the focus in marketing on quantitative metrics: we have X integrations or signatures, or we detect Y threats. If you subscribe to Netflix or Amazon Prime this will be familiar, since these services are constantly adding low-quality movies and series just so they can claim to offer the most content. The problem with this approach in cybersecurity is that it’s often meaningless, since customers are not interested in how many integrations a product supports, but in whether it supports the ones they need (usually the most popular).
As an industry, we’ve lost our way. Instead of using marketing to create brand awareness and visibility, to highlight the strengths and differentiators of a product, and to make it easier for prospects to shortlist vendors for RFPs, we’re creating inertia. Smoke-and-mirrors tactics are making the sales process longer, more expensive and more difficult for vendors and customers alike. We are creating sceptical buyers. Ultimately, false or misleading claims will be exposed in proofs of concept or, worse, in production environments where the stakes are extremely high.
We are not selling consumer, lifestyle or experiential products. We need to act like it.