Abandon FUD, Scare Tactics and Marketing Hype to Sell Information Security
For years, going back over a decade, as I worked in and managed IT and security teams in SMBs to a Fortune 10, sales people have been selling FUD.
In case you're not familiar with the term, FUD refers to "Fear, Uncertainty, Doubt" and is a sales tactic that is not exclusive to Information Security - but has found a match made in heaven... until recently.
I think we've rather recently, maybe as recently as the last three years, hit a tipping point where FUD-based selling has simply lost its "magic." So now what?
To adapt the line from Dante's Inferno - "Abandon all hope ye who enter here" could read "Abandon all FUD ye who wish to sell here"... which has a nice ring to it, and should probably be a sign over every CISO's office door.
FUD sells... or at least it used to. It's fun to plot the FUD selling wave like anything else and it helps us to understand why this became the preferred means to get organizations to buy, buy, buy security-related products and services. Back in the late 90's I don't recall FUD being very successful because people weren't afraid of the big, bad hackers.
As organizations became more aware of their presence on-line, FUD selling started to gain popularity and around 2005 literally every slide deck I reviewed had a lead-in of at least 4-5 FUD-based slides. It usually went something like this (stop me if you've heard this one): "news of hackers is everywhere"... "hackers will get your valuable things"... "when hackers get you, you'll go out of business, or get sued, oh no!"... "buy our stuff, it'll be okay then."
Then some time in the last couple of years we got a massive spike upwards, rather than the predictable fall-off... probably because of all the security-related incidents and hacktivism and such. Then like winter in Chicago, it was over in a flash. Oh, the FUD-based selling was still happening (and continues right as you read this) but the "give-a-**bleep**" factor hit a sharp decline.
Perhaps it was security professionals' diminished tolerance for FUD, or perhaps there was a collective awakening to the bigger picture, or perhaps it was just time for the chickens to come to roost. No matter, this drastic anti-FUD backlash is strong and I for one say "It's about darn time."
Let's do a little exercise.
I want you to take out the last slide deck you either made, received or reviewed on the topic of security. Now open it up and tell me if it fits the following mold:
- [Slides 1~4] - some slides telling you how horrible the state of information security is, how hackers are hacking everything, and probably at least 1-2 "clippings" of articles in recent media.
- [Slides 4~7] - some slides telling you how you need to "act now," "get compliant," "protect your IP," "protect your customer data," or other catch phrases which fall into the category of "well, duh."
- [Slides 7~50+] - slides telling you how if you buy this product/service you will be protected from the threat du jour and rainbows will appear as unicorns singing your praises.
Here's the thing... did you find the slide deck you're looking at more or less fits the above pattern? Experience tells me the odds of you nodding in agreement right now are fairly high.
Ask yourself, if you write slide decks like this one I just described - who does that actually serve? Are you expecting an executive, security leader or practitioner to read your slides and suddenly have an "Eureka!" moment in which they realize hackers are out to get them and they should quickly act? I really hope not.
On the other side of that coin - if you're the person hearing this presentation or reading these slides, at which slide did you simply tune out? Did you make it to slide three before you realized this was going to be a FUD-tastic presentation and simply cut your losses?
I think Eric Cowperthwaite, a CISO for a well-respected organization in the health services vertical, strictly speaking on his own behalf, says it best - "...we need help, we already know all the things that we fear..."
Yet things like this continue to happen... there are some very real side-effects to attempting to sell FUD to a modern CISO or security leader. "Clearly vendors do not understand how much FUD is angering security leaders," Eric says.
I think if you asked 100 random CISOs and security leaders you'd pretty much get the same reply every time. The general sentiment in reply to a FUD-based sales pitch is anger, resentment and a general "tuning out"... and I'm fairly sure that's not the intended result, right?
Turns out, just because it's true doesn't make it not FUD. Basing a pitch on fear (the F in FUD) is really going to get you a negative reaction whether that fear is real or not.
Eric has an interesting perspective on this - "People apparently think it’s only FUD if it isn’t the truth, isn’t based on good research, etc. A vendor actually told me that something wasn’t FUD because it was true, even though what they said was designed to cause fear that my networks were unsafe." How about we simply leave the fear off the slide deck?
"Do you lose sleep at night worried about the latest advanced threats to your enterprise? can help!" -- this is an actual headline from a marketing email I received while writing this post, the irony just makes me chuckle.
If you, like Eric, are getting upwards of 100 marketing emails per day and north of 60 percent of them are FUD-based, how likely are you to read any of these? I can't believe anyone does this anymore over email especially since I know most CISOs I've ever talked to simply round-file the email, or worse yet, you end up being categorized as SPAM.
Does this mean that there isn't a place for awareness of industry problems? Of course not! I will simply tell you that you have to know your audience, as that is the first rule of marketing and sales, right? I spent a good bit of time in sales and that was rule number 1 - know your audience.
If you're talking to a CTO turned CISO, then maybe you need to give that person a primer on the state of the industry, but I'd give you 10:1 odds if that person has been in technology or business for more than 10 minutes they've heard and read the headlines about how hackers are tearing up the planet. This isn't news.
Alright you say, so I've established FUD stinks as a selling lead-in. Maybe you're curious how I would build slide decks, email introductions or marketing material? Let me give you some guidelines I've lived by, and helped build sane, value-based marketing campaigns from:
- Start with a value-statement | Be up-front about the business value of what you're proposing and forget the FUD! Identify a problem you're going to help the reader solve, then explain the value proposition of what you're proposing. Position based on value and not alleviating FUD. Example: "Cut development re-work costs due to security issues up to 50%."
- Offer a solution not products/services | A follow-up for the value-statement should include how you propose to make the value real and the issue disappear (or to what degree). You should acknowledge that you'll never "truly solve" most problems, but you'll be able to make them manageable - and ultimately your customer decides what is acceptable, not you. Example: "Automate repetitive tasks so developers can focus on code generation, triage of defects."
- Explain your product/service relevant to the solution | Once you've got a clear understanding of how you're proposing to reduce risks, lower expenses, automate compliancy or whatever it is you're doing, demonstrate how your products/services make that real. Example: "Our product provides that automation, reducing time spent on repetitive tasks by up to 50%".
This post, obviously, is just my opinion on the whole problem with selling, marketing and perpetuating FUD. While I'm not entirely delusional in thinking that one day we'll wake up and FUD will be a thing of the past, I work every day to find it, and stomp it out in my organization, and invite you to do the same.
If you see it from a vendor - point it out in a manner that accurately reflects your disposition, and let people who perpetuate FUD know that you simply don't have the time to be preached Security 101... let's all make a better vendor / customer relationship out there!
- A friend of mine, Gal Shpantzer (aka @shpantzer), sent me a link to an article he wrote on the FudSec blog back in May of 2010, I laughed so hard that I simply had to post it - "SCSOVLF (aka, the Shpantzer Coma Scale of Vendor Lameness and FUD)" and worth the read.
- Bob Rudis (aka @hrbrmstr) has a gem of a game for us as well - "You're the mayor of FUDville!"
Cross-posted from Following the White Rabbit