Historically, fear has been a good sales tactic to sell security products.
“Security is a fear sell. It’s a choice between a small sure loss – the cost of the security product – and a large risky loss – the potential results of an attack on a network,” said Bruce Schneier (@schneierblog), CTO, IBM Resilient. “[One] option is to push the fear button really hard. When we’re really scared we’ll do almost anything to make that feeling go away.”
This strategy, however, does not work on CISOs. As reported in my first article in the CISO/security vendor relationship series, CISOs are not motivated by fear to purchase products.
Here’s why using FUD (fear, uncertainty and doubt) doesn’t work on CISOs.
1: CISOs are already two steps ahead of you
“Fear does not sell a CISO – we deal with existential threat every day – our careers are dependent on our ability to prevent these things from happening,” said Randall Frietzsche (@rfrietzsche), CISO of Denver Health. “It’s insulting that [security vendors] don’t believe a CISO already understands these issues and is actively working to mitigate them.”
2: It’s just adding to the noise
3: Fear sells a solution to a problem rather than a process
As explained in my last article, each security vendor is part of an overall process to maintain security. Successful CISOs aren’t swayed by a fear pitch because not every issue is a problem that needs to be fixed.
A perfect example of “turning everything into a problem” is how many security vendors are pitching their products as the “fix” for the looming GDPR deadline.
“Too many security vendors are advertising their product as the solution to GDPR,” said Gabe Barrett (@barrettgc), CISO, Abellio Group. “GDPR is a business approach and business process issue first, an IT issue second, and a security issue a distant third.”
4: Signals that the vendor can’t be a potential partner
“When a vendor comes in ‘hair on fire’ about the latest and greatest headline, it’s a red flag to me that they are not focused on the ‘big picture,’” said Elliot Lewis, president and chief architect, Lewis Security Consulting.
It doesn’t bode well for a healthy future relationship if an InfoSec vendor ignores the process and instead tries to capitalize on the misfortune of others.
5: It hurts the industry as a whole
Ever wonder what it’s like to be a truly great and ethical used car salesman or personal injury attorney? The behavior of others in your industry affects your ability to conduct business. Everyone already has a preconceived notion of who you are. You have little choice but to dispel the very well-known stereotypes of those professions.
When security vendors take advantage of someone else’s demise for their own gain, it’s even worse than a lawyer who practices ambulance chasing. That’s because the InfoSec vendors are not just trying to solicit business from the victims, but from everyone watching what happened to the victims.
“[Compared to ambulance chasing,] cybersecurity vendors have gotten a similar bad rap over the past few years due to their doom and gloom approach and there is no denying this,” said Vijay Bolina (@_jamesbaud_), CISO, Blackhawk Network.
6: CISOs become numb to the scare tactic
“I think it’s really the ‘piling on’ that CISOs get tired of,” said Robb Reck (@robbreck), CISO, Ping Identity. “How many different vendors reached out in 2013 and 2014 to say that if Target had just used their product, the breach would never have happened?”
7: We all know how to stop the breach after the fact
“Stop saying your solution would have prevented a breach,” warned Blackhawk Network’s Bolina.
Hindsight is always 20/20. The Target breach happened because of stolen network security credentials from a contractor. Now that we all can see what happened, it’s easy to devise a plan to stop it.
“There are countless examples of organizations with large security teams and a multitude of solutions that still end up on the news,” said Bolina.
There’s no reason your security company won’t be next. If an InfoSec vendor wants to claim that their product could have prevented the breach, they had better be ready to pay the costs of the fallout for customers if and when it does happen.
8: It causes internal problems
CISOs can easily spot and delete scare pitches, but they can’t prevent those same pitches from entering their CEOs’ inboxes. A forwarded email from the CEO with the comment, “We should look into this,” only makes the CISO’s job more difficult.
“[Scare pitches] may cause more problems by inciting your CEO to question your security posture or strategy,” said City of Mesa’s Godsey. “If vendors are trying to endear themselves to security professionals, see how well going over their heads and causing fear and doubt in their boss’ mind works.”
9: It scares the customer base
CISOs are far from the only ones affected. Instead of solving problems, the selling of FUD creates far more problems.
“At their worst, these messages freak out my stakeholders and threaten my credibility with them,” explained Boyle.
CONCLUSION: Should security vendors ignore the latest breaches?
Given that selling fear is ineffective and bad for the industry as a whole, can security vendors still use the latest breach as a news hook? I’m not sure. Will the mere mention of the most recent breach turn off potential customers? I ask you. I’d be interested to know if you can mention the latest disaster in a valuable way that doesn’t come off as selling fear.