Solving Security Problems Isn't Sexy

Many Security Professionals Find Themselves Trapped in a Cycle of “Sexy” - What Can We Do About It?  

Recently, during a discussion around the current state of marketing and sales in the security industry, one of my colleagues said something that jarred me. I asked why more people in the security field, regardless of the specific role they are in, don’t focus marketing and sales messaging on problem solving.  His response was uncanny.  The “herd” isn’t looking for solutions to problems. They are on the prowl for “sexy”.

Though this statement initially jarred me, the more I thought about it, the more I realized how poignant it was.  I do know many talented security professionals who don’t follow the herd and who solve problems on a daily basis.  But, unfortunately, they are too few in number to control the herd mentality that too often prevails in our industry.  Sadly, solving problems simply isn’t sexy enough for the masses.

To explain what I mean by this, let’s take a closer look from a few different perspectives.

First, let’s begin with entrepreneurs in the security field.  There are certainly entrepreneurs in our field who are visionary and who are working to solve the problems of tomorrow. But, unfortunately, there are far too many who simply chase after the hot topic of the day. Or, to put it another way:  These entrepreneurs are solving the problems of today, or worse yet, yesterday, rather than the problems of tomorrow.

Unfortunately, with the lead time involved in building a company and bringing a product to market, by the time the product is ready to go out the door, the world has often moved on. I won’t name specific markets, but I can think of a few in the security space that were “on fire” one or two years ago. Now, you’d be hard pressed to find enough customers willing to buy the products that have been brought to market in those areas since then.

Of course, it’s hard to place the burden solely on entrepreneurs without also looking at the funding angle.  For obvious reasons, those who fund security start-ups tend to want to fund companies that have a high likelihood of a successful acquisition or an IPO. Sometimes it seems that this potential is more directly correlated to the “sexiness” of a company and its ability to function in a “hot” area, than it is to the company’s ability to address actual operational pain points for customers.

And why is this the case?  To answer that question, we need to take a look into the buyer angle. Of course, there are many experienced security buyers who have been around the block a few times and tend to acquire in a strategic and calculated manner. Sadly, however, they are not the majority of buyers. Far too many buyers buy products that are hot or en vogue. Perhaps because someone told them they had to have one. Or, perhaps because everyone is buying one.  Unfortunately, this type of approach is more grounded in pop culture than it is in strategically solving security problems.

It’s difficult to fault buyers, however, without looking at the diet of FUD (Fear, Uncertainty, and Doubt) they are being fed.  That brings me to the final angle I’d like to examine. Executives of established security vendors tend to repeatedly beat the drum of the latest hot item du jour. Over and over again.  Rather than focusing on messaging anchored around solving problems and addressing gaps, they tend to exploit the weaknesses of the cycle described above.

When we combine all of these angles, we find ourselves trapped in a cycle of “sexy” in the security field.  So what can we do about it?  How can we shift the discussion from one around sexiness to one around what pain points buyers are looking to address and what makes for a sustainable and profitable security business?

As entrepreneurs, we can found companies with sustainable business models that have the potential for long-term profitability.  We can focus on addressing real operational pain points that exist in the industry.  There is no shortage of them.

As those who fund start-ups, we can have the bravery and vision to look for companies that offer sustainable business models, together with real solutions to real problems.

As buyers, we can acquire in a strategic and calculated manner - not buying things we don’t need or that don’t help us address our operational pain points just because someone told us we had to have one or because everyone else is doing it.

Lastly, executives of established security vendors can focus on putting together value for buyers and messaging that value accordingly.  Value that solves problems, simplifies deployment, and helps customers mitigate risk.  Not over-selling them on sexiness.

Only when we each do our part can we break out of the cycle that our industry is currently caught in.  Will there be people who either misunderstand or disagree with the tone or content of this piece?  Most likely.  Does that mean that the time hasn’t come for some of these things to be said?  I don’t think so.

I realize I’m swimming upstream here. But, I’m fairly certain I’m not alone and that I’m not the only person who feels this way. History has shown repeatedly that it only takes a small number of people to think boldly and go against conventional wisdom to cause real change. Maybe a few of those people will come to the aid of our ailing security field.  We’re desperately in need of it.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.