
Know Your Audience When Speaking to Security Practitioners

How can security practitioners make sense of the vendor landscape and separate those who talk a good game from those who can execute, perform, and solve real problems for enterprises?

Every now and again, I feel that the voice of the security practitioner – those in the trenches day-in and day-out defending their enterprises – needs to be heard. I'm not sure why exactly, but as I write this piece, today just seems like one of those days. Lately, a few things going on around the industry have caused me to believe that the time is right for me to put on my cranky security analyst hat and put a few things down on paper.

It is not news that the security vendor landscape is crowded – perhaps even overcrowded. With this comes quite a bit of confusion – everyone seems to market the same way, use the same words, make the same claims, and purport to solve the same problems. As you can imagine, all of this messaging is coming at security practitioners on a regular basis. With all of that noise, how can security practitioners make sense of the vendor landscape and separate those who talk a good game from those who can execute, perform, and solve real problems for enterprises?

This is an interesting question that I believe deserves some attention. Having spent quite a bit of time in the trenches myself before moving over to the vendor side, there are a few discussion topics that cross my mind. I’d like to devote the remainder of this piece to discussing what resonates and what doesn’t when vendors seek to communicate their value to security practitioners.

Lay off the marketing slogans: Marketing slogans may serve their purpose when it comes to raising brand awareness, capturing people's attention, and explaining your focus in just a few words. It turns out that marketing slogans are not so helpful when it comes to conveying to security practitioners how you can solve operational security problems and how you can help them achieve their goals. In fact, using buzzy slogans can backfire in some cases. They may actually cause security practitioners to roll their eyes, take you less seriously, and engage with you more hostilely. Instead of speaking in slogans, try asking questions, understanding challenges, and listening.

Beware of inducing an AI allergy: Artificial Intelligence is a popular topic these days. Of course, AI is an important technology that has some very real and useful applications. Unfortunately, AI also creates a lot of hype and buzz. You can talk about AI, but make it meaningful. AI generally produces the best results when applied to specific problems that it is well-suited for. Be specific regarding what problems you apply AI to, how you leverage AI as it relates to those problems, and what concrete results have been achieved with the help of AI. Security practitioners are hearing about AI day-in and day-out. They want to hear how it can be applied to help them – not more hype and buzz.

The proof is in the pudding: Perhaps it is not surprising that every vendor presents themselves as the most effective on the market and the best solution in the industry. While no one polices what goes on PowerPoint slides, numbers don't lie. If you want security practitioners, who hear the same claims from every vendor, to take your claims seriously, you'll need to prove it with data. Even better if you can prove it using their own data (obtained via a Proof of Concept, for example). Claims backed by real data speak volumes when compared with unbacked claims. Sales pitches that are data-driven are so much more powerful than those that are not.

Speak to business needs: Resist the temptation to begin enumerating the features of your product or products. Security practitioners aren't interested, at least initially, in seeing a suitcase full of features. It is more likely that they want to understand which of their goals you can help them achieve and how. In other words, they want to understand which of their real-world problems you'll be able to help them solve. The more of those requirements that you as a vendor can cover with less complexity and a smaller budget requirement, the better.

Quit ambulance chasing: The older I get, the more amazed I am at how many vendors think that ambulance chasing is going to get them wins with security practitioners. When a security practitioner is dealing with a significant breach, a major vulnerability, or the "item du jour" that has the attention of management, the last thing they want to hear is that if they only had your product, they wouldn't be in this situation. Simply put, ambulance chasing doesn't work. On the contrary, it often reduces the credibility of a vendor and spurs animosity amongst potential buyers. Don't do it. Instead, develop trusted relationships with security practitioners. Understand their pain points, their objectives, and what challenges they are looking to address in the coming years. Then explain to them how you can help them achieve that.


Although security practitioners have a bit of a reputation for being allergic to vendors, they are really not. Rather, they are tired of hearing the same old rhetoric, promises, and hype again and again. If you put yourself in their shoes, it’s not hard to understand why. Instead of coming at them with the same tired hype, consider using the discussion points above to refine your approach and engage with security practitioners from a different angle. I think you’ll find that the results will be quite different.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Global Solutions Architect - Security at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
