Marketing plays a critical role in turning the cogs of the IT security machine. Helen Yeatman explores some of the more effective marketing methods that have so far not been implemented by the industry.
Despite all the signs pointing towards positive growth in IT security, there is a range of impediments that continue to stunt the sector’s growth, with ineffective marketing practices weighing heavily into the equation.
According to the latest statistics from market analyst IDC, the security market performed strongly during the 2001 calendar year compared to other IT sectors. IDC’s preliminary results for the first half of 2002 also indicate that the Australian security software market is slightly larger than forecast.
“We expected end-user budgets for software spending to drop because of heavy spending on e-commerce and supply-chain initiatives,” says Natasha David, IDC senior analyst of security software. “Security was not considered when these initiatives were designed.” She forecasts the security software market will experience 29 per cent compound annual growth over the next five years (from 2001 to 2006).
Analysts and industry pundits agree that the number of vulnerabilities and serious threats to mission-critical data and IT infrastructure is growing exponentially. According to recent findings from security vendor Symantec, the number of system vulnerabilities found has doubled each year since 1996. And these are only the ones we know about. Furthermore, there has been a 64 per cent annualised increase in the number of attacks launched since last year and the nature of the attacks is far more sophisticated.
All of these factors suggest enormous opportunities looming in the IT security market; however, resellers hoping to make it big in the security space have some significant hurdles to jump. Perhaps one of the biggest challenges facing such contenders is in devising effective marketing practices.
Arguably, marketing plays a far more important role in the security market than in any other IT sector because of the extent to which the market depends on education.
A combination of customers demanding immediate ROI (return on investment) on restricted IT budgets, a healthy dose of scepticism fuelled by vendors’ endless hype, and end-users’ ignorance, all make marketing security products a complex business.
ROI is particularly difficult because, unlike other technologies, customers will only see a visible return on their security products after they have been subject to an attack. It is a cost they must absorb yet gain no benefit from in normal times.
“Many enterprise customers become unstuck because they rely on the old ‘due diligence’ methodology in evaluating the cost-effectiveness of a product,” says Eric Krieger, regional manager of security vendor Secure Computing.
Like the latest NRMA advertising campaign, which uses images of bushfires threatening properties to spur sales, the security industry has relied heavily on generating fear to market its products.
“One of the most common marketing ploys is to beat up on just how ‘dangerous’ the world is, how many hackers there are and how much damage they can do,” says independent security consultant Peter Sandilands, formerly regional manager of Check Point Software Technologies. “I even know of resellers that look for sites to hack and then approach that user to sell them security showing how easy it was to hack them.”
In the case of scare-mongering, Sandilands believes people just get weary of the warnings. “They become oblivious to the constant drone of hacking stories.”
Janteknology managing director Glenn Miller agrees, adding that this strategy has created a backlash. “This FUD [fear, uncertainty and doubt] phenomenon is not new. We have seen this cycle in our industry many times before, the big difference today is that the marketplace is far more sceptical of the pronouncements of IT vendors than in the past. It’s our own fault. As an industry we have historically promised much and disappointingly delivered less. We have trained the market to be suspicious.”
Sandilands suggests that rather than promoting the need for security products by generating fear, resellers should focus their marketing efforts on promoting the enabling aspects of the technology. “Vendors, commentators and even CIOs have failed to position security as an enabling tool for companies to engender confidence internally and throughout their customer base, suppliers and partners,” he says. “Having good security allows a company to do more in its IT systems and procedures to interact with customers, suppliers and so on. Poor security means that a company does little or bears a great risk in dealing externally.”
What is required, according to Sandilands, is quality, well-positioned security marketing that highlights the benefits of being secure to a company.
Get educated or get out
As the most important information source for customers, security resellers must understand the nature of the various and constantly changing security technologies. They must also have sufficient general product knowledge to be able to filter and assess the information they receive from vendors, not just parrot the words of vendors. Gaining the customer’s trust is essential when selling security solutions, and to do so, resellers must be seen to be holding unbiased opinions.
Just as important as understanding the benefits and limitations of individual security products is comprehending the types of policies that companies, your customers, must have in place to render the technology effective. Despite what vendors would have us believe, security is not a technology issue. For too long the industry has marketed technology as the solution to security problems when it is in fact merely a tool that enables customers to carry out their security policies.
When it comes to educating the end user, the most important task is ensuring the customer has effective company policies in place regarding the security of its information assets and prioritising the protection and the distribution of those assets.
According to Sandilands, security policies, and the technologies deployed under those policies, need regular care and attention to ensure they match the current and ever-changing risk profile of the company, which translates into yet another service opportunity for a reseller.
“The first things to sell are services rather than products -- something that should be very attractive to resellers,” says Sandilands. He suggests that resellers should conduct a risk assessment on the customer to identify the physical, technical and commercial risks threatening their business. After identifying these risks, resellers should then educate the customer about what kind of policy it requires to effectively mitigate them.
Once the reseller is confident that the customer has developed effective procedures in line with those risk mitigation strategies defined in its company policy, they can then offer security technologies that implement portions of the policy.
“The industry must realise that the market for security service providers going forward is in building expertise, not just in supplying product,” explains Scott Ferguson, regional manager of Check Point, Australia/NZ. “As the squeeze on IT spend continues, margins in product supply will continue to shrink. The smart vendors have already recognised this and have moved a lot of their business to the provision of expert services, whether this is consulting, implementation, maintenance or management of infrastructure.
“In fact, many of these vendors are also supplying services to telcos and service providers in the implementation and management of security infrastructure.”
Gaining a clear understanding of the customer’s environment and the issues they are trying to deal with is a critical factor in determining the most effective security solution. This is no easy feat as business environments vary widely as do the types of security products on offer.
“It is convenient to define security needs by company size but a more effective approach is to define need based on the customer’s type of network and business model,” Miller says. “The most simple and logical starting point for a reseller to determine the physical requirement is to run a vulnerability report, which will provide a picture of the customer’s network security profile.
“This then becomes the blueprint for a proposal to secure the system based on the reality of the customer, not abstract generalised theory.”