Security is a tough sell. Plain and simple.
Nobody really wants security. It is necessary when we feel threatened or under attack, but it can be inconvenient, costly, and adversely affect productivity. It is the lesser of two evils. It does have an important purpose, to protect our valuables and access to a networked world. Without it the situation quickly deteriorates into something completely unacceptable, but the overall value prospect can be frustrating as it is difficult to comprehend the risks of seemingly invisible threats. To complicate matters, it is not simply a binary decision: to buy or not buy security. There are infinite gray areas. How much security is enough? When will it no longer be effective? What type and how many solutions do I need today or tomorrow? The worst part is even with the best security, it may not be enough. Sadly, you still could become the next victim, as there are no guarantees.
The desire for security is difficult to quantify. It is not just technological, but also psychological. Security is a personal determination, not an actual state of configuration. If you are victimized, you will feel insecure, regardless of the current protections. On the other hand, if your environment shows no sign of risk or compromise, you will feel secure, even given the exact same controls.
So how does a reputable company market and sell security features, capabilities, and services in this environment?
This has been the challenge for nearly 20 years in the information security industry. Here is the key: Security only becomes relevant when it fails. Security marketing will fall on deaf ears for someone who has never had a virus, lost their data due to malware, had their bank/credit accounts stolen, or been a victim of identity theft. However, those who have been down that road or are more cognizant of the security risks bearing down on them will have interest in being more secure. In general, consumers are not security savvy. In fact, most consumers are driven by emotion. In the security world, it is primarily fear. Fear of loss. Driven by fear, but not technically savvy, they look for simple solutions from suppliers they trust.
A decade ago, security vendors would peddle FUD (Fear, Uncertainty, and Doubt) to generate sales. Wild claims of super-products protecting from impending doom were typical. Of course, they were baseless. The security industry today looks back at this time as one in which consumers were widely victimized by snake-oil peddlers. Customers soon realized they had been lured by false promises, and over time those companies earned themselves poor reputations and subsequently fell out of the security market.
The market has evolved. Since those dark days, a middle layer of pseudo-experts has filled the gap to help consumers distinguish quality offerings from pure marketing fluff. These researchers, white-hat hackers, technology experts, labs, and testing organizations now provide analysis of new security products, services, and vendors. They play an important role in vetting the industry. Customers look to them as their proxy for understanding the complexities and nuances to determine if something is worthwhile. Today, more than ever, security vendors must be conservative in their claims and be prepared to prove themselves again and again. The threat and catastrophe predictions are still rattling about, but in a more realistic form. They instill fear as intended, but are tempered by actual previous incidents and face an audience who has become somewhat desensitized over time.
In information security, when bad events occur, they are sometimes quietly and sarcastically called ‘fund raisers’, as they drive organizations to spend on security. Such events, although damaging, are wake-up calls which continuously prove the threats are real and still out there. They cannot be predicted with any accuracy, but result in a significant increase in motivation of consumers, driving the sales of security-related products and services.
For security services and enterprises who wish to market the value of new security features within their products, timing is critical. Success hinges on being in the minds of people when they independently come to the realization they need to be more secure. These customers will move quickly to fill the need. It does not happen simultaneously across the community, so the successful company must have already established their reputation within the target market.
Reputation is built through providing a meaningful security capability in a competitive manner. Such capabilities must intersect pressing threats recognized by consumers, mitigate risks to an acceptable level, and be able to be integrated in a timely and affordable way. A tall and complex order, which is why reputation must be established prior to the need. Recognition as 'secure' can be the emotional pillar needed when a customer's fear of loss increases. Those with a solid standing are highly preferred, as compared to unknowns trying to rapidly prove themselves at the point when the consumer just wants to make a purchasing decision.
Unlike traditional technology marketing, reputation is not built by throwing dollars around to get consumer recognition or build product excitement. Security is not sexy. Unlike the latest phones, tablets, or toys, people don’t stand in line for hours to buy the latest security product. A different approach is required. Marketing will fail without proper foundational measures. Billboards, magazine ads, leave-behind pamphlets, and catchy feature names are largely a waste until a solid product is vetted and revered by the security expert community. It is the industry proving grounds which feed consumers. Failure will lead to dismissal as a viable, effective, or competitive product. Success will garner public praise, further testing, and even recommendations for enhancements, with a direct line to those customers interested in buying more security.
Without expert community support, marketing dollars are largely a waste. Even worse is when a good security product is handed over to an inexperienced marketing team, who spin their normal yarn of tantalizing promotion geared for getting the attention of end-users. These claims can push the bounds of what can be delivered and inadvertently inflate the 'potential' impact over the likely impact. Experts have no tolerance for such exaggeration. It is a fatal misstep sure to cause a backlash with the security community that will doom not only that product, but could destroy the reputation of the vendor. Mature security companies have seen the crashes of others and approach marketing of their products carefully, even cautiously. Claims are always backed with data and expected to be ruthlessly scrutinized. They know who the experts are and extend them the courtesy to enable proper evaluation. In return, they often get early insights on weaknesses and possible optimizations, which can further enhance the final product. Ultimately, it is the end-user who benefits the most, with great products delivering on reasonable expectations bubbling to the top.
Although security is a tough sell, for those organizations that know the players, deliver a value-add capability, and can navigate the process, it can be very rewarding. Computer security is not going away, nor will its importance diminish anytime soon. Building a security reputation is an investment in the future. One which pays many dividends to all involved.