If you were a car tire manufacturer, you probably wouldn’t go to the scene of a horrific car accident, approach the driver, and suggest that if the driver had used a product like yours, their crash could have been avoided. Yet this is what many cybersecurity vendors do every time a major breach occurs — and it’s got to stop.
When did fear mongering become a Go-to-Market strategy? I don’t know, but it’s still a thing. We saw the same tired pattern only recently, when Disney+ appeared to fall victim to a credential stuffing attack. Cue the parade of solutions providers, with their blog posts and “thought leadership” pieces, designed to poke at the problem and suggest a purchasable solution that looks a lot like their own. My head hurts every time I read an article like that and I know I’m not the only one.
Look around you at industry events and online communities and you’ll find security professionals have started rolling their eyes and voicing disdain for opportunistic vendors who swoop in to feed on a prospective customer’s misfortune. The frustration goes beyond angry LinkedIn posts.
Who doesn’t remember the Capital One breach? We’re reminded constantly by vendors, and at the time it was like an avalanche of cybersecurity and cloud merchants suddenly appeared to bury our LinkedIn feeds with their cynical public pronouncements. I recall seeing IT professionals in the banking industry publishing responses of their own, informing the vendors – “if you’re going to use our breach as a means to sell your product, forget about working with us in the future.”
More recently, there was word on the street that technology teams at companies like Disney had blacklisted such opportunists who used the recent attack to preach their miracle cures. Honestly I’m not surprised. Security professionals have been expressing disdain for cyber fear mongering for years. Back in 2015, John Masserini, CISO of Millicom (Tigo) Telecommunications wrote An Open Letter to Security Vendors, and stated:
“While I’m sure your solution is great and the technology is revolutionary, in no way, shape or form do you have my ‘silver bullet.’ Your solution will not ‘make me sleep better,’ ‘reduce the overall risk to my infrastructure,’ or ‘give me granular insight into my threats’ – and do you know why? It is because you don’t know what my concerns are.”
– John Masserini, CISO, Millicom (Tigo)
Look – we all know marketing is hard work – especially in a crowded IT industry. The instinct to offer your solution may seem natural but it’s actually counterproductive for a number of reasons. For starters, ridiculing your customers is probably a poor sales strategy. Telling a team of individuals they got it wrong because they didn’t listen to your white paper is not a great sales tactic. It turns out being pulled apart in public doesn’t make buyer-side security folks look or feel good, and it certainly doesn’t make them eager to buy your product. Constantly being reminded of the “If only you had Product X” scenario gets tiresome.
Mudslinging was rampant when Yahoo! progressively revealed breaches impacting 3 billion accounts around 2016. Every week there was another new post reminding us of the breach — and how different the outcome may have been had they brought in a different supplier’s approach. If you were to believe even 1% of these product pitches you would probably end up buying 5 of every item on the security shopping list.
Post-incident self-promotion became a normalized sales and marketing tactic, now sitting in every vendor’s playbook, even when proposed solutions have almost nothing to do with the original vulnerability. But CISOs and their teams aren’t stupid. Many of them loathe the ”blame the victim” mentality and they are starting to call out this practice.
Taking advantage of someone else’s misfortune doesn’t strike me as good marketing. We often forget that companies are made up of real people. When a major breach occurs, people may lose their job — lives are thrown up in the air. Cyber and infosec is a rough, brutal business. It’s often said that the Equifax breach occurred because one engineer missed applying a single security patch. I can’t imagine what it would be like to be demonized for months on end. I’m reminded of what Patricia Titus, CISO at Markel, once eloquently wrote about victim blaming:
“No CISO wanted to have that breach you’re referring too. And frankly speaking, some of my CISO colleagues have senselessly lost their jobs because a product or solution they bought may not have lived up to its claims and they got fired because of it. Worse is they never got the opportunity to launch an investigation to prove it. So leave the victim comment at the door and simply tell me what you can do to help me and do not harp on the breaches of the past.”
– Patricia Titus, CISO, Markel
If half of these security vendors stopped to think about this, they might realize they are burning bridges with large prospective customers in order to project positivity to a pool of smaller prospects that perhaps would be more responsive to fear and a reactive mindset.
At a recent FS-ISAC summit I attended, the Head of Infosecurity for a major credit union, in his speech said his company now keeps two lists of vendors — one of those which have positive takes on the ecosystem, and another of those who practice fear-mongering. I was surprised to hear this idea and was even more surprised to find out it was true.
Taylor Lehman, CISO at medical IT company Athena Health, wrote, “I am tired of the FUD and lies. I need you marketing teams to #BeBetter.” He railed against an “inside story” published by GreyCastle Security on its work helping a Buffalo, New York hospital avoid paying in a ransomware incident. Corrective measures cost the hospital approximately $10 million.
“I don’t love garbage marketing in cyber, it’s sickening to see marketing fodder like this,”
– Taylor Lehman, CISO, Athena Health.
So let’s give less attention to the Grim Reapers. Instead, we should celebrate the technologists, researchers, and solution providers whose public engagement brings value, insight and pre-emptive advice to security teams’ lives. There are many of them out there. I’m a fan of content pushed out by companies like CrowdStrike, whose insightful reports on industry trends and executives’ sentiments are a must-read. It is important that companies in the security community focus more on bringing positivity and empathy to a customer base that is among the global economy’s most tested and pressured.
Security leaders have an incredibly difficult responsibility. Often times it’s a thankless job. And for vendors it can be easy to forget that the prospects are people. They are people who can see through crass attempts to hitch solutions to the headline-grabbing breaches. With more breaches inevitably due to come in the next decade 2020, I hope more vendors recognize that.