I’ve worked in the infosec industry for a little over 20 years now and while it isn’t new, the practice of fear selling is something that appears to be on the rise. As the CEO of a cybersecurity company myself, I’m often the subject of such approaches and techniques. I often get some arrogant vendor sales rep telling me that our business is at risk and that if we don’t buy their solution we’re doomed to failure – without at any point taking the time to understand our business.
It’s frustrating, unhelpful and damaging and makes me less inclined to engage with them or others like them in the future. It adds no value.
Ultimately, such practices give security vendors a bad reputation. It breaks trust and damages the already fragile dynamic between security professionals and vendors. Yet, now more than ever, we need to keep lines of communication well and truly open between vendors and security professionals if we’re to make any progress in this industry.
Vendors need to start acting more responsibly and think longer term about their engagement tactics. I urge vendors to stop treating security professionals as the ‘target’ and start working with them as ‘partners,’ and when I use the term ‘partners,’ I’m talking about the kind of partnership where both parties are open about their pains and challenges to jointly find a solution to a problem. Diagnosis before prescription is the key here.
Apart from the damage that fear selling does to the relationship, based on a study we conducted last year, it’s also counterproductive. While negative motivations typically motivate change faster than goal-orientated approaches, ‘fear selling’ made over 62% of the prospects we surveyed less likely to engage with (or buy from) a vendor.
Fear selling simply doesn’t work; it will not generate more revenue. If it is sustainable revenue growth you’re driving for, spend time to partner and listen carefully to the customers’ problems, be ethical and be honest and listen to understand, don’t just listen to the pitch. You’re much more likely to get positive engagement through trust over fear.
The other concern with fear selling is it creates completely the wrong dynamic and context for security professionals to communicate security risks and challenges internally within their organizations. It’s important that the language and the way in which risk is communicated is relevant, balanced and credible. If we use fear as a mechanism to persuade others either at the top or the bottom of your organization’s hierarchy, it will ultimately fail.
Doom and gloom does not influence and will eventually lead to an immunity to your cause, which means if and when something really does present a significant risk it will be a struggle to get the attention it deserves. We don’t want to get to a position where security pros become known as the ‘boy who cried wolf’.
While I understand (in an ideal world) the selection process for a security solution should be based on logic, the reality is that, in many cases, it’s emotional. It’s based on buying from vendors that are trusted, recommended and known. However, using fear to provoke an emotional response is not effective. You need to first build trust through genuine empathy and understanding, neither of which will be achieved through fear.
One of the main gripes we have heard time and time again is how difficult vendors make it for security professionals to actually understand the problems they solve. If vendors spent more time fine-tuning their messages it would make things a lot easier and would likely yield much better results than leading with fear.
Vendors need to stop patronizing security professionals and accept they know their business much better than you do. They will each have different priorities based on where they are in their infosec journey. While I’m not saying all security professionals are perfect, let’s not prey on them with fear.
If we don’t stamp out such terrible sales practices within the industry it will damage communication and trust and ultimately impact our ability to create and deliver solutions that protect the actual issues being faced. Essentially, we need to stop fighting amongst each other and come together. We cannot have a world where security is driven by vendors, investors or sales and marketing departments, which I fear in some areas is exactly what’s happening.
What’s needed are solutions to actual problems with feedback from real people, on the ground. Perhaps the answer is to boycott vendors pushing claims based on FUD-selling and talk more.