Appealing to Dr. Jekyll AND Mr. Hyde: Get the Exec and the Tech On Your Side
Info security, network management and I.T. operations products are notoriously hard to sell. They're expensive. They have long sales cycles due to their complexity. Their failure can land you on the cover of Dark Reading (in a bad way). Even in the modern era of tens of billions of dollars lost to fraud and downtimes, even with outright warfare conducted over the Internet, security and operations teams are budget-starved. There are big opportunities here, but also daunting chasms to cross as a producer of I.T. and SecOps products. What can be done about this? How do you win where others have gone down in flames?
These are just my opinions, and I'm far more an engineer than a marketing or sales person; that said, there are patterns and truths I've noticed and have learned from the excellent coworkers in other-than-engineering disciplines I've worked with over the years. As someone who has many years on the engineering side, and a goodly few years on the operations/infosec side, I understand the pain of your prospective customer (chances are I am aprospective customer, though don't spam me!); I also understand what it takes to actually develop and deliver a complex product. Hear my plea, O Makers of Infosec Software, for I am of your tribe!
Sneak preview: dashboards and reports are for execs and managers. Operational functions are for analysts and engineers. These are very different needs that cannot be served through the same interface. If you can't make both of these personas happy, no sale for you!
It's critical to realize you're selling to two different personas. One is the controller of the checkbook: the executive or director that actually signs the contract. The other is the "soldier in the trenches"; the security engineers and analysts and IT people who actually have to live with your product on a day-to-day basis, and the ones whose opinion will make or break you with the exec. These personas have two separate needs, and will interact with your product in completely different ways.
Without getting too detailed on any given class of product, we can generically say that there are two critical questions a security product has to answer and two different personas asking these questions:
Faced with questions, we have answers.
The Exec: "What's actually happening?"
The first addresses what keeps execs, managers and compliance people up at night. Not knowing what's happening on their watch, getting blindsided by a bad event or failed audit, and being unable to justify how they're using their budget and headcount are all part of their worries. This is where your product's shiny dashboard, on-demand reports and weekly automatic summary emails stand out. It's not about details or any specific event; it's about trends, numbers, and the sigh of relief that comes from knowing that their team has their back covered. They want to quickly be able to see for yourself and demonstrate to others that their team is on top of things, that the product was worth the spend, and that it's doing what it says it was. This is the persona that your animated graphs, pivotable tables and PDF generators are for. They're the ones with the fear, and they're the ones with the company credit card.
Their primary interaction with your product will be on the very first dashboard of your product after they log in, or (better yet) the PDF attached to their Monday morning email so they don't have to log in at all. Logins and needing to drill down into the interface makes them sad. That top-level view, single pane of glass, whatever the buzzword of the week is, needs to be uncluttered and to the point, presenting its information in a manner that every stakeholder can immediately understand. That PDF has to have a one-paragraph summary at the top, with a few numbers to back it up; if it takes more than one printed page it's probably too long.
Also, remember that your dashboard's audience is not always technical. They aren't writers of SQL or Lucene queries (seriously, does your "no code" infosec product require that to be usable?), so keep that off of your top-level dashboards. Remember:
What you're selling an exec or manager is peace of mind.
领英推荐
The Tech: "How do I fix what's broken?"
The second question is what the overworked infosec and IT people care about. They need to know at a glance if there's something bad they need to fix, to quickly have the details to know exactly what to do, and the ability to then do it. They aren't interested in graphs or trends; what they want is to prevent and solve problems as quickly as possible. They will want to be taken straight to the incident that woke them up at 3am, with the needs for that incident spelled out right there. What they want is is the ability to stop the ship from sinking now, and the ability to dive deep later.
This also means that their primary user interface isn't a dashboard; it's their phone. They want big bold letters saying THIS IS THE PROBLEM, a big green button that says MAKE IT BETTER, and another button that takes them to details (but they won't click it right away, they'll generally do that on their desktop instead of on that tiny screen). Incident management requires enough info to make a decision on the spot, the ability to respond to it on the spot, and to do so with the available user interface. Your product will need a phone-friendly interface for incident management; don't skimp on this. Nobody wants to have to boot up their laptop and wait for Windows Update to finish patching... again... while their company's network is on fire.
Another fallacy is the assumption that the infosec soldiers are going to spend a lot of time staring lovingly at your admittedly-slick interface, clicking on this-and-that, drilling deep here-and-there. They won't. They can't.
Consider their world: they have ninety-nine different security products already, and now there's a mandate for number one hundred. Oh great, now instead of going home at 9pm I'm going home at 9:30. Gee, thanks, New Product. That's not how you get a technical champion in a company. The play here is to show that no, you're not making their work day longer; you're making it shorter. They're not going home at 9pm any more, they're going home at 8:30! These techies are massively overworked already. It's your task to make their lives better, not worse.
What you're selling a SecOps or I.T. person is an additional 15 minutes of sleep.
It's two small worlds after all
It's also worth mentioning that as large as the world is, the worlds of infosec and I.T. operations are surprisingly small. The people you are trying to sell to talk to each other, and typically don't engage in the marketplace-competive "I'm not gonna help you!" mindset that other departments of big companies gleefully take to. They recognize that we all sink or swim as one, when it comes to defending infrastructure. If they find a good product that makes their lives easier, they're going to tell their peers.
All of this comes down to a basic conclusion: you have two personas to convince to buy your product, and they're looking for very different things. This means you almost certainly can't have a one-interface-fits-all mindset; you have to have a user experience tailored to both of these personas; they are going to interact with your product in ways that don't involve a traditional web-page admin interface. Cater to them both. You need them both.
The winning products are the ones that ease the most existing pain while inflicting the least new pain. Do both of these tasks, and we'll be seeing your CEO ringing the opening bell at the NASDAQ someday.
whether the "exec" or the "tech" is Jekyll or Hyde is left as as exercise to the reader
and I just realized the article title has a beat to it... cool!