The IT security industry is littered with fear-mongering marketing messages designed to scare the bejesus out of potential buyers. But, savvy IT security professionals have heard it all before, and these communications strategies often fall flat with, or worse insult, its intended audience.
With the RSA Conference now in our rearview, Maria Varmazis, V2 agency friend and IT security marketing and content queen from Rapid7 and Sophos, shares her insights on effective communications strategies to break through infosec market noise — without defaulting to fear-mongering tactics.
In the information security industry, there are plenty of three letter acronyms to go around, but there’s one that’s particularly notorious: FUD (fear, uncertainty, and doubt). In an industry that seemingly peddles in dealing with preventing—or cleaning up—worst-case scenarios, it may seem appropriate to highlight your customers’ biggest fears to get them to evaluate or purchase a product; however, FUD is often the kiss of death for effectively communicating or marketing in the information security industry.
To see how much FUD is used as a crutch in our industry, you often need look no further than the vendor floor at RSA, the yearly mega-conference in San Francisco. RSA is notorious for firms using FUD-y pitches to get bodies into booths, and every year without fail egregious examples are lambasted on blogs and social media by security practitioners who’ve grown weary of this practice.
This highlights a key problem with relying on FUD in infosec communications: Much like using the oft-maligned “dark figure in a hoodie” stock image to represent an attacker, it signals that you don’t really understand or respect your audience. Whether your target audience is the C-level executive, a seasoned security pro, an entry-level practitioner, or all of the above, they know full well what’s at stake in their day-to-day—arguably much better than you do.
If they’re still in the field, they’re doing the work every day and see first-hand what kind of threats their organization must deal with, and they are grappling with tough challenges in balancing resources while trying to keep their organization secure. If they’re higher-level, they’re already incentivized to mitigate corporate risk while managing a tight budget. This industry doesn’t stand still, and anyone who takes their job seriously is constantly researching new defense tactics and strategies all while the ground beneath them constantly shifts, and attackers invent new tricks to infiltrate defenses.
As much as those of us who work to message or market to infosec would like to believe it, there is no silver bullet solution in security and your customers know this well. That’s why it’s incredibly patronizing to attract attention with something that boils down to: “Buy our solution, otherwise your organization will be breached and you’ll get fired.” Aside from being insulting it’s simply not true, so no wonder many in the industry don’t take kindly to this kind of messaging.
Security professionals are savvy media consumers, some of whom will not hesitate to publicly criticize vendors for reliance on FUD. Instead of trying to get attention by playing to industry fears, be an ally instead. Your prospects know quite well that there are evolving threats out there and gaps in their defenses, with attackers constantly devising new attack methods—you’re not telling them anything new by repeating that.
For more effective infosec communications, flip the FUD script: Instead of fear, uncertainty and doubt, emphasize confidence, certainty and empowerment.
— How can you empower your prospect and their teams, make their jobs easier, help them do more with few resources?
— What kind of certainty can you provide that they’re stopping threats more effectively, catching intrusions more quickly, investigating incidents more effectively?
— How can you give them more confidence in the job they’re doing, the data they’re gathering, the trends they’re reporting, the intelligence they’re using?
With this approach, you’ll find your prospects far more receptive and interested in learning what you provide and how it can help them combat the threats they face.