When I began my career in the 80s, I worked for a firm (NCR Comten) that competed against IBM. We provided communication processors for the mainframe/cluster controller/terminal industry. In the 90s, I worked for firms (Network Systems, Xylan, Alcatel) that sold channel extension, security appliances and switching products against Cisco. In both cases, we were the outsider, trying to unseat the incumbent. Outside of feature/function/benefit/pricing comparisons and long-term personal relationships between the sales team and customer, we had to combat fear, uncertainty and doubt (FUD).
FUD is based on the notion that if you — the customer — buy the incumbent’s product, you will regret it. Comments might include: “it will not work as advertised;” “the long-term costs will be greater than what you think;” “it will be a support nightmare;” and “your administrators and end users will not like the new solution.” In the security space, the points are the same but the infosec vendors add a new spin to fear.
Security entrepreneurs recognize a problem that is not being properly addressed by current products. They design, develop, test and market a new mousetrap. The challenge for all of them is to find a market large enough to cover the investment and to build a business upon the new market. Few people are aware that many of these problems exist. Enter marketing.
The infosec firm needs to define the problem so more people are aware of it. They need to expand the scope of it. They need to make you feel like if you don’t have this product, you are opening yourself up to a security disaster.
We all know technology and the exploitations evolve. Many of these new products do have merit but most do not. That’s why so many of these firms go out of business or cannot grow beyond $5-20 million in annual revenue. The lucky ones find an exit strategy by being acquired.
I was reading an article in CSO magazine, “7 Reasons Websites Are No Longer Safe.” Though not an infosec vendor, it makes the reader think that all Web sites are insecure and you might as well forget about trying to secure them. Hmm. So all of the e-commerce, banking and investment sites are unsafe?
The infosec industry makes its money by making people feel insecure. Fear is key to the marketing message. Most businesses do not need all of these leading-edge security devices or software. The sky is not falling, despite the vendor-speak.