If you know anything about FRSecure, you likely know our founder, Evan Francen. If you don’t, let me enlighten you. When Evan founded the company just over a decade ago, it was predicated on his experiences working in the trenches of security programs for years and his realization that there was a lot wrong with the industry. It quickly became his mission (and FRSecure’s) to fix what he found to be broken within it.
There is still work to be done.
In this series, we’ll take a dive into some of the issues that remain within the industry, discuss why they need to be addressed, and provide some input as to how you can combat them at your organization.
As the facilitator of this series but someone who often operates in the background of these posts, I will begin with a topic that is near to my heart. It is not free of issues of its own, but it is infrequently discussed in the industry: marketing.
Setting the Stage
Marketing is a broad job function. At its core, though, marketing is the creative side of sales. The end goal is to get the attention of people who may be interested in your brand, product, company, etc., so that your sales team has warmer leads to sell to.
Maybe you can already see where this may cause issues.
As marketing professionals in an industry as critical as information security, we need to be extra attentive to how we’re portraying the concepts, challenges, and solutions within it.
The majority of this stems from our messaging. Here are some of the concerns with how we (as information security marketers) talk about information security to prospective buyers and some ways to make positive changes instead of contributing to the brokenness.
What the FUD?
This is the single most concerning thing I’ve seen in the way security companies tend to discuss concepts with prospects.
FUD, or “fear, uncertainty, and doubt,” is the unfortunate message that is often sent in the infosec industry—especially when it comes to vulnerabilities and breaches.
It’s a thin line to teeter on, but there’s a difference between making people aware of legitimate concerns and casting an ominous cloud over those who may look to you as a trusted confidant.
And it’s not just shady companies that do this. Great cyber security service providers and product companies can easily stumble into this type of messaging without intending to. It’s important to be deliberate and delicate with how we portray information.
One of the most critical things we can do as marketers in this industry is continue to be a useful resource, a reassuring voice, and a tactical guide—not one that preys on a daunting situation.
Take the Ryuk ransomware event that threatened a number of hospitals recently, for example.
One headline reads: “Watch Out! A Tsunami of Ryuk Ransomware Attacks Hits U.S. Hospitals”
In fairness, it was easy to look at a situation like the recent string of Ryuk attacks, pair it with the timeline for COVID-19 testing and vaccines, and think the worst about the motivations surrounding these threats.
Was it a nation-state-sponsored attack determined to suppress testing in the US? How many millions of dollars were hospitals going to lose? Was anyone going to be physically harmed?
Now, we could certainly speculate about concerns like this. We could use the sensationalism of the issue to drive page views, search results, and quick sales from fearful businesses—but that wouldn’t provide protection to people.
Be an Expert Voice of Reason
As industry professionals, we know two things:
- We know that there is no possible way to stop all security incidents from happening.
- We know that the majority of good security habits lie in doing the fundamentals well.
Given this experience, I implore you as a messenger and trusted expert to be mindful about this when you discuss security concepts—especially the daunting ones.
Rather than focusing on pushing your product or service in a time of need, divert your attention towards helping.
Ease minds about nerve-wracking security incidents. We know that security incidents are inevitable—it’s impossible to avoid one hundred percent of incidents. As security professionals, we can (and should) use that understanding to convey that an incident isn’t the end of the world.
But, we also need to use our subject matter expertise to share how organizations can ensure it doesn’t spiral in that direction. That means being transparent about what we’ve learned about incidents, placing an emphasis on preemptive incident response planning, and sharing general security program fundamental best practices.
Now, let’s go back to the Ryuk example. We knew it was geared towards hospitals, affected certain file types and locations, and that making sure necessary business information was backed up and stored offline was the most important mitigation effort.
Instead of getting people worked up about who was orchestrating these attacks and how devastating they can be, we focused on tailoring our messaging around the incident with the learned facts mentioned above specifically to those who fell in the healthcare space and its supply chain.
And yes, we made sure that these organizations knew they could rely on us to help them with their preventative measures, and with more urgent assistance if they needed it.
See the difference between using fear, uncertainty, and doubt to drive business versus gaining the trust and loyalty of prospects by being an informed voice of truth? Trust and truth lead to loyal customers and meaningful change.
The Silver Bullet
There is no one solution or technology or service provider in security to rule them all. Every solution will have its limitations.
But you wouldn’t know that by the way some companies market their cyber security services and products.
As marketers in this industry, it’s irresponsible to pretend that a product or service you offer can solve the majority of a security program’s challenges.
We tie back to this concept of nailing the fundamentals.
It’s imperative to not only have the right technology in place, but also software, personnel, training, budget, policies, and much more. Do you know of any one system or solution that accounts for all of these?
Good security programs combine all of these fundamental elements. How good is your log monitoring solution if your staff isn’t capable of distinguishing between a security event and a security incident?
We need to shift the narrative about how we discuss what it is we’re trying to sell.
Be Honest About Your Cyber Security Services
Look, I’m a marketer, too. I understand the creativity needed to get people to be excited about what you’re selling. You have to hype your product.
But, the danger of selling someone on an offering that claims to do more than it does is palpable when we’re talking about protecting people and businesses’ livelihoods.
There are no one-stop shops in security. No one technology can solve for all the issues a security program looks to minimize.
We’re the initial liaison between the company and the people who will ultimately buy from it. This puts a clear responsibility on us to be exciting and honest when we speak about what our offerings are able to do.
FRSecure is a services company. We’re never going to sell you hardware. We’re never going to replace your internal employees. So, it would be disingenuous of us to pretend our services are the answer to all of your problems.
Same thing with hardware and software companies, right? Your SIEM offering might be elite, but it’s not going to train your employees not to click on links or write acceptable use policies.
So, when you’re crafting messaging around your product or service, be cognizant that you’re not making it seem like a be-all-end-all, silver bullet, easy button, or one-stop shop. Push the things that make it great and that differentiate you from your competition without the possibility of being misleading.
At FRSecure, we subscribe to the principle that telling the truth is the number one quality when it comes to doing business. When you’re honest and good at what you do, the rest seems to fall in line.
There’s a difference between lying and not telling the truth—but barely.
Ever set out to do some vendor research hoping to find some semblance of pricing on their site? The first place you look probably brings you to a spot to get a quote from one of their sales associates.
The second is maybe an article on their blog. “How Much Does a Log Aggregator Cost?”
Stop me if you already know the conclusion of the post—“it depends.”
Have you ever considered the disservice being done to the prospect when we do this? Have you ever considered the disservice we do to ourselves?
Let’s explore these disservices.
As an information security company, you are the subject matter expert. The goal for you as a marketer is to get purchase-ready people to find your company through your various efforts and channels.
But folks tend to stop there.
Now, you have an interested prospect hoping to have a question answered that you’re seemingly skirting around. This has the potential to do two things:
- It hurts the customer! We should be in this line of business to help people—not inconvenience them.
- It almost immediately removes our status of being a trusted confidant, potentially losing a customer before ever really getting the chance to have a conversation with them.
So, we tell the truth.
Look, I understand that the answer often is “it depends” for certain situations. I still think we can and should be a bit more transparent about why and how it depends—plus what that means for the prospect.
Pricing isn’t the only example in which this happens, but it is certainly an obvious one.
One article on a service provider’s site reads:
There are a few factors that determine the cost of your pen test:
- Length of engagement
- Experience of the tester
As you can see, the scope of your system test will help determine the cost. Complex systems with extensive data will take more time to test. The number of connected devices, access points, physical locations, networks, IP addresses, and various security layers will all play a role in determining a fair price.
I can’t tell you exactly how much a penetration test is going to cost you at FRSecure. The same factors listed above go into how we do pricing, and there’s a chance that penetration testing isn’t the correct or only need anyway.
We’ve been offering cyber security services for over a decade now, though.
So, we can tell you that an external penetration test will cost between $15,000-$20,000 for a medium-sized business (100-500 employees) with fewer than 25 active, public-facing IPs.
By putting this in our public-facing, marketing-focused content, we build trust with the person on the other end—regardless of whether that person is able to buy from us at that price.
See the difference in the level of trustworthiness you’re able to exude simply by reframing your messaging in a slightly more transparent way?
The perception of your brand is certainly going to improve the more truthful and helpful you can be to those looking to learn from and buy from you.
Marketing is a powerful tool. Not only does it set the tone for how the public perceives your organization, but it also tends to contribute to every single sale in the company whether it’s obvious or not.
So, as marketers, we have a unique responsibility—especially in an industry where you’re protecting people’s livelihoods—to be deliberate with our messaging.
And it all boils down to two things: being a calm voice of reason and telling the truth even when the truth may not (immediately or obviously) play to your advantage.
If we can make strides to do these things as industry leaders, it’ll certainly make meaningful and lasting improvements to infosec as a whole.
What are some of the things that grind your gears about how cyber security services companies market their offerings? What have you seen that’s been successful in combatting these? Leave your thoughts in the comments!