One of the greatest struggles a security vendor has is how to effectively spend its marketing dollars. CISOs are becoming jaded and tuning out at an alarming rate. Even with buyer irritation at an all-time high, security practitioners do react passionately to vendors who listen, participate, and respond.

Jeff Williams, Co-Founder and CTO, Contrast Security

“I think [traditional marketing] is doing less well over time,” said Jeff Williams (@planetlevel), CEO of Contrast Security.

Williams has admittedly spent millions of dollars on traditional marketing in areas such as conferences, online ads, email campaigns, and PR firms.

“Frankly, I don’t think they’ve worked as well as the marketing we did at Aspect,” he said.


Filling a community need

Back in 2002, Williams launched a consulting firm, Aspect Security, focused on application security, a nascent market at the time that was a greenfield for opportunities. Williams made a critical decision to shift all of his company’s marketing dollars to open source projects. He believed Aspect Security would get a better marketing boost if his team of engineers were present and providing value to the application security community.

Around the time Williams launched his company, the Open Web Application Security Project (OWASP) was introduced. In early dialogue, someone asked whether anyone had developed a vulnerable application that allowed developers and engineers to experiment with security in a safe way. Williams had produced such an application.

“Why don’t I just make this open source and if people love it, it will be good publicity for my company,” said Williams. “And if they hate it no harm, it doesn’t matter.”

That application, released as open source to the OWASP community, was affectionately known as WebGoat. It became a huge hit.

While they asked for nothing in return, Aspect Security’s contribution profoundly affected security professionals’ lives. Many had told Williams that WebGoat became their introduction to application security.

Looking for the next big community win

After the success of WebGoat, Aspect Security was on the lookout for its next contribution.

Aware of SANS Institute’s popular and updated list of 20 critical security controls, Williams realized that application security practitioners needed a similar list.

“We could have released it through Aspect and it would have been just another marketing piece,” said Williams. “But we felt by making it a community thing and creating a project around it to continuously build it and maintain it over the years it would be much more powerful.”

The OWASP Top 10 was a huge hit, said Williams. The list was Slashdotted and the immense traffic temporarily took down the OWASP site.

“It dramatically raised the awareness of application security. I feel it was good for my company as well,” added Williams. “It sent exactly the right messages what Aspect was. We were a bunch of people passionate about application security and really skilled in it.”

Riding the open source wave to thought leadership

“We got kind of addicted to it,” admitted Williams of the industry recognition they got from their open source efforts.

But they weren’t all successful, confessed Williams. About half of them were duds, like the OWASP legal project, which was a secure software contract that could be reused, but rarely was.

Failures didn’t dampen Aspect Security’s resolve to continue participating in the application security community. They eventually had more success with other open source contributions such as the release of the cross-site request forgery (CSRF) testing tool and the Enterprise Security API (ESAPI), which was used by 5,000 companies at one point, said Williams.

“We never saw the point of doing mass advertising,” said Williams.

Contributing helped Aspect Security build their thought leadership among a niche community in security. They became a known entity. Some of their conversations led to business and consulting work and some didn’t, said Williams.

We tried traditional advertising and it doesn’t work for us

Even though Williams had so much success in open source, he initially chose to go the route of traditional marketing upon founding his new company Contrast Security in 2013.

Contrast Security is a product company, and a traditional marketing approach made sense. But after spending millions on traditional marketing with middling results, Williams has decided to reverse course and go back to what has historically proven to deliver the greatest value, and that’s giving back to the community.

While his new company participated in open source, releasing about 20 narrow-focused projects on GitHub, Williams is trying to make a big splash with the release of a free version of their enterprise product called “Contrast Community Edition.”

It’s a full version (not open source) of their vulnerability assessment product, but it is designed for just one application and has a few limitations on enterprise features like integration with LDAP, said Williams.

Contrast Security is giving back by providing enterprise-level security to organizations that simply can’t afford such a tool, said Williams. But this time their engagement is branded “Contrast Security” unlike before where their contributions were just a footnote to a community effort within OWASP.

Marketing for the community, not yourself

“Our goal with the Community Edition is to make application security something everybody can do. We want to democratize it,” said Williams. “Because right now the other tools that are on the market are tools for experts and they’re expensive. It creates a market where only the top one percent is doing anything serious about application security.”

This is the big distinction between providing for the community and trying to craft the perfect marketing message. Security practitioners rarely become passionate about a marketing message no matter how well written it is. It’s simply not the way to be seen as a thought leader or influencer.

When you provide for a community through either content marketing efforts or a valuable tool, you can hit people at a critical point of need. And if so, the response can be visceral.

For others eager to follow suit, Williams advises that you must communicate your passion for the space, your expertise, and your commitment. And unfortunately, since the Internet is not an “if you build it, they will come” environment, you will also have to spend some money on advertising, just to get your project seen.

Contrast Security released the Community Edition just a few months ago. After just three weeks one consumer upgraded to the full version. That sales cycle is surprisingly fast. It usually takes many months, said Williams, who is thankful he can avoid the POC (proof of concept) route and generate sales by just giving away a free product.
