The Search for Goldilocks Messaging and the Business Value of Security

Walking around the business expo at Black Hat 2024 and talking with vendors, I was dumbfounded by the messaging I saw at many of the booths. I felt like Goldilocks. I was reading messages and listening to talks trying to find the one that was just right. 

  • This messaging was too technical 
  • This messaging was too abstract
  • This messaging tried to do too much
  • This messaging … well, there wasn’t one

I am certainly not trying to disrespect my fellow technology marketers. But far too often people working demo stations (often from sales teams) would just shrug when asked about what the messages in the booth were trying to convey. Obviously, the lack of alignment between sales and marketing can be a business killer.

We all know messaging is difficult. Too succinct and you lose too much context; too wordy and you lose your punch. How do we do better? In this blog post, we will focus on something that was universally missing from messaging at Black Hat – strategic business value.

Risk Reduction and Cost Reduction – That’s Nice  

By and large, when security vendors discuss the value of their solutions, the discussion is limited to reducing risk and reducing the cost of security. While risk reduction is important, it’s a hard sell, which then drives a ton of the conversation to the reduced-cost argument: achieve the same risk footprint at a lower cost.

As an example, I bet there were more than 50 vendors selling SIEM (Security Information and Event Management) products at Black Hat. “Reduce your SIEM costs” was a recurring theme. If everyone is pitching reduced costs, it’s undifferentiated. SIEM is an older space, but there were vendors differentiating around human factors:

  • Using Machine Learning (ML) based AI to do things like event analysis, aggregation, and classification to reduce the amount of data humans need to sift through and to identify high-priority issues
  • Using Gen AI to output descriptions, task lists, and reports to make information more accessible and less cryptic

But, to the key point made earlier, this is very much a feature-function comparison discussion. Necessary during the sales process, but what’s the umbrella message that unifies these points? And, specifically, something that helps a CISO talk to his C-suite colleagues?

The Budget Conundrum

One of the truisms in the security industry is that budgets are tight. Talking with people at Black Hat 2024, it was a refrain that I heard over and over again. I also couldn’t help but notice how frequently and quickly vendors dropped into techno-jargon when asked business questions. For example, I asked one vendor how they differentiate. The response was something like, “Our PCAP libraries have a lot of metadata that helps us generate better traffic signatures”. While the quote is not 100% verbatim, it accurately captures the immediate jump to technical discussions of low-level product features, as opposed to discussing the vendor’s overall position and capabilities to address its customers’ security needs.

I can’t help but think the two items are related. When vendors focus on technical capabilities, as opposed to business benefits, they remove themselves from the C-suite conversation and, consequently, from the strategic budgeting processes. This harkens back to a book I read a few years ago, “A Seat at the Table” by Mark Schwartz, in which he systematically deconstructs the evolution of the role of the CIO, how the CIO became a “lesser” C-level role at most companies, and what CIOs must do to regain their place in the boardroom. CISOs may be suffering more than CIOs when it comes to their seat at the table. But it isn’t all the CISOs’ fault – CISOs are not getting any help from their vendors.

At a networking event I started a conversation with a random stranger, Tamara Schwartz (to the best of my knowledge no relation to the aforementioned Mark Schwartz). Without knowing who she was or her background, I brought up what I saw as woefully inadequate messaging and the techno-jargon-laced conversations I was having with vendors. Turns out Tamara is a professor at York College and teaches security, at the business school! A key point Tamara made was that security should be a top-level plank in the business operations of the company – not an adjunct, isolated program that’s relegated to the realm of risk reduction. In one of her papers, The Next Big Strategic Play: Cybersecurity as Competitive Advantage, Tamara discusses the potential for security as competitive advantage. Drawing a parallel to Digital Transformation initiatives, the paper elucidates how businesses can better integrate security into their operations to drive competitive advantage. That is a vastly different way of thinking about security than vendors showed at Black Hat.

Summary

With Digital Transformation, businesses changed their operating model to integrate Information Technology as a leading component of customer engagement. Vendors changed their messaging to help business leaders understand the role of Information Technology and how IT could be used to drive business advantage.

The same thought processes need to be applied to security. When I previously said that “CISOs aren’t getting much help from their vendors”, I was alluding to this gap in messaging to security leaders. Vendors are not helping executives who shoulder the burden of security with thought leadership on how security programs can lead to business advantage. The conversations are all NIST, MITRE, CTI, SOAR, SIEM, red team, blue team and the like … not operational business advantage. While it’s important to speak the technical language of your customers, it’s also important to speak the business language of your customers.

Written By

Tom Yates

Tom Yates is a distinguished Marketing Consultant with a stellar track record of achievements. Currently associated with Aventi Group on a contract basis since 2021, Tom has amassed nearly three years of experience in this role. Operating out of Las Vegas, Nevada, his consultancy primarily centers around messaging and positioning strategies, where he excels in conducting thorough customer research to validate marketing and sales approaches. Tom's expertise shines brightest when collaborating with companies operating in the dynamic fields of data management, IoT, and security. His strategic insights and innovative marketing solutions have consistently delivered substantial value to his clients in these fast-evolving industries. Tom Yates stands as a trusted advisor and a driving force in helping businesses navigate the complexities of modern marketing and messaging in the digital age.