Every now and again, I feel that the voice of the security practitioner – those in the trenches day-in and day-out defending their enterprises – needs to be heard. I’m not sure why exactly, but as I write this piece, today just seems like one of those days. Lately, a few things going on around the industry have caused me to believe that the time is right for me to put on my cranky security analyst hat and put a few things down on paper.
It is not news that the security vendor landscape is crowded – perhaps even overcrowded. With this comes quite a bit of confusion – everyone seems to market the same way, use the same words, make the same claims, and purport to solve the same problems. As you can imagine, all of this messaging is coming at security practitioners on a regular basis. With all of that noise, how can security practitioners make sense of the vendor landscape and separate those who talk a good game from those who can execute, perform, and solve real problems for enterprises?
This is an interesting question that I believe deserves some attention. Having spent quite a bit of time in the trenches myself before moving over to the vendor side, there are a few discussion topics that cross my mind. I’d like to devote the remainder of this piece to discussing what resonates and what doesn’t when vendors seek to communicate their value to security practitioners.
Lay off the marketing slogans: Marketing slogans may serve their purpose when it comes to raising brand awareness, capturing people’s attention, and explaining your focus in just a few words. It turns out that marketing slogans are not so helpful when it comes to conveying to security practitioners how you can solve operational security problems and how you can help them achieve their goals. In fact, using buzzy slogans can backfire in some cases. They may actually cause security practitioners to roll their eyes, take you less seriously, and engage more hostilely with you. Instead of speaking slogans, try asking questions, understanding challenges, and listening.
Beware of inducing an AI allergy: Artificial Intelligence is a popular topic these days. Of course, AI is an important technology that has some very real and useful applications. Unfortunately, AI also creates a lot of hype and buzz. You can talk about AI, but make it meaningful. AI generally produces the best results when applied to specific problems that it is well-suited for. Be specific regarding what problems you apply AI to, how you leverage AI as it relates to those problems, and what concrete results have been achieved with the help of AI. Security practitioners are hearing about AI day-in and day-out. They want to hear how it can be applied to help them – not more hype and buzz.
The proof is in the pudding: Perhaps it is not surprising that every vendor presents themselves as the most effective on the market and the best solution in the industry. While no one polices what goes on PowerPoint slides, numbers don’t lie. If you want security practitioners, who hear the same claims from every vendor, to take your claims seriously, you’ll need to prove it with data. Even better if you can prove it using their own data (obtained via Proof of Concept, for example). Claims backed by real data speak volumes when compared with unbacked claims. Sales pitches that are data-driven are so much more powerful than those that are not.
Speak to business needs: Resist the temptation to begin enumerating the features of your product or products. Security practitioners aren’t interested, at least initially, in seeing a suitcase full of features. It is more likely that they want to understand which of their goals you can help them achieve and how. In other words, they want to understand which of their real world problems you’ll be able to help them solve. The more of those requirements that you as a vendor can cover with the less complexity and budget requirement, the better.
Quit ambulance chasing: The older I get, the more amazed I am at how many vendors think that ambulance chasing is going to get them wins with security practitioners. When a security practitioner is dealing with a significant breach, a major vulnerability, or the “item du jour” that has the attention of management, the last thing they want to hear is that if they only had your product, they wouldn’t be in this situation. Simply put, ambulance chasing doesn’t work. On the contrary, it often reduces the credibility of a vendor and spurs animosity amongst potential buyers. Don’t do it. Instead, develop trusted relationships with security practitioners. Understand their pain points, their objectives, and what challenges they are looking to address in the coming years. Then explain to them how you can help them achieve that.
Although security practitioners have a bit of a reputation for being allergic to vendors, they are really not. Rather, they are tired of hearing the same old rhetoric, promises, and hype again and again. If you put yourself in their shoes, it’s not hard to understand why. Instead of coming at them with the same tired hype, consider using the discussion points above to refine your approach and engage with security practitioners from a different angle. I think you’ll find that the results will be quite different.
