Bulletin 19 April 2019. Let’s talk about IT security… oh, let’s not
The art of changing conversations
I’m not going to lie. It’s not the 19th of April, it is indeed the 21st and I’m sitting in the garden in the shade. Where better to ponder the world of tech: I am reminded of the time I took myself off from an event in Nice, sat on the beach for a while and finished a report. “Of all the things to do on a beach in Nice, you chose to write a report,” someone said to me. My reply: “Yes, but of all the places to write a report…”
To business, and so to conversations. Markets are conversations, that’s what the Cluetrain luminaries told us (oh, I miss those optimistic, even if abjectly naive times); or in the parlance of sales, people buy from people. Within dialogues, words have alchemy: what we call charisma is often an artfully turned phrase, delivered with confidence.
The sometimes fast-moving world of tech offers a fascinating petri dish for the power of conversation. Get it right and you can perhaps change the world, that’s the theory. In reality, our verbal interactions more often hinder than help, as we trip each other up, debate irrelevancies or indeed, stymie progress by not saying anything at all.
Nowhere is this more clearly demonstrated, than in the IT security game. Nobody wants to pay for security, apart, that is, from a minority of paranoid types who see scary stuff everywhere (it doesn’t help that it really is there, if you look for it). No surprise that many of this group end up working as IT security professionals.
Meanwhile, the rest of us want to continue our naively optimistic journeys, on the basis that bad things only happen to other people. I’ve written before about how the best time to get money allocated to security is the day after a breach. We literally wait for the horse to bolt before we buy locks for the door.
All of which makes the job of security marketing just that little bit harder than other areas of tech. There’s no direct business benefit, however hard we bang the “you can take more calculated risks if you are better secured” drum; equally, it’s difficult to make security cool and aspirational, like (say) cycle helmet design; so security vendors are forced to resort to other conversation-changing tactics.
At one end of the process we have, “Let’s get the analysts and press to say how important it is.” I’m not saying that tech security firms are better at PR than other vendors, but in my experience they certainly have more appreciation of the need to be talked about in the right way.
Or indeed, the wrong way, as any way is better than no way. On the topic of breaches, one company’s disastrous security story offers cautionary gold dust, the foolishness of one (Talk Talk pops into my head) to be hollered from the rooftops in the hope that others might listen. In the absence of a real breach, why not create a near-miss scenario to generate coverage — such as handing out “Music CDs” outside London stations, which actually create a “You’ve been pwned” message.
This need continues into the “internal sale,” that is, the part of the conversation where someone working for a company needs to convince his peers, or boss, or boss’s boss, to allocate the funds. I’m not a betting man but I’m guessing more use is made of security-related magic quadrants (that Gartner tool for saying, “Look, mate, you’d be stupid if you didn’t get some of this — and here’s a shortlist of companies that can do it”) than in other areas.
Each of the above requires constant rejuvenation. Right now we talk more about cybersecurity rather than IT security: I stuck with the former because I’m a curmudgeon, who is also worried he might be misusing a term that he doesn’t understand as well as the old one. Nonetheless I understand the benefits of giving industry segments and terms a refresh, if it helps to keep them being talked about.
All of this to make a conversation happen when nobody wants to speak. Thinking back to my own experience of post-breach security budgeting, a common question from my Finance Director was, “Do we have to have it?”: if I couldn’t answer with absolute certainty or charismatic guile (I was never very good at either), then no money would come.
It was the case then and is still the case now, which is a significant factor in my view that we need to build security into products rather than add it on later: simply put, we won’t do the latter, which makes the former all the more important. In the meantime, our marketing representatives will continue to use every tactic in the book to make a dialogue happen, in the knowledge that otherwise, it simply wouldn’t. It was ever thus.
That’s all for this week. Happy Sunday, and thanks for reading.
All the best, Jon