Today is my first foray into the Core blogosphere. I’ve been at the company for six months as a director of solutions marketing and am basically the link between those who create our pen testing software and those who use it to protect their companies against online attacks.
Please don’t hold that title of mine against me. I spend a lot of my time away from the office talking to security pros, pen testers, CISOs (C-anything, really), industry analysts, and other experts who share what’s really needed to get the job done. We all have one thing in common: we want to stop online attacks. Given this, I will take off the marketing hat and start a constructive dialogue based on these conversations. Now that we’ve got that out of the way…
It’s a fact that many security companies communicate with the community in terms of fear, uncertainty and doubt (FUD). It’s high time that stopped, because scare tactics are not helping people justify buying more security stuff on top of what they had to justify last time.
Case in point: according to the Forrester report entitled “Navigating the Future of the Organization”, many security professionals continue to buy into the FUD factor when making the case for buying security products. No wonder security is starting to look more like a heavy burden than a solution to the problem. (To be fair, some IT pros are understandably driven to meet regulatory compliance mandates with a little bit of FUD behind the wheel.)
(BTW - the Forrester report is available for free on our website. Please help yourself.)
FUD can be constructive when it comes to sharing cautionary tales about breaches that hit hard, simply because it raises awareness of the threat landscape and the risk it poses to everyone: not just companies and government organizations, but all of us who use the Internet.
We vendors can say “you need this” until the cows come home, but unfortunately it’s the big breaches that do that for us. It puts more pressure on the IT security folks, but isn’t necessarily making its point with the folks who fund more security stuff.
Security products are now line items on the budget and those who hold the purse strings need to get why the risk justifies the investment. If the IT pro or CISO isn’t equipped to provide a compelling reason – apart from pleasing regulators – they are not getting the respect they should have for knowing exactly where the company can go south, fast. As a result, security simply remains insurance against something that hasn’t happened. And that’s where things get risky.
We’re working to support security leaders and their teams to effect change and help them communicate – in the language of the business, not security. Their concerns should be everybody’s, and avoiding a breach isn’t a convenience, it’s a necessity. Security pros simply need the means and the information to make their point to those who are charged with managing risk, but not with understanding the meaning of polymorphic malware or Patch Tuesday.
So how can people simplify security and show it’s necessary, not optional? Alas, there is no single answer, but the Forrester report offers some really helpful recommendations on how to get started.
To all you Rodney Dangerfields out there, you deserve some respect.
- JD Daly, Director of Solutions Marketing