Psychology of marketing and selling cybersecurity

This is a shortened version of the article. The full article can be found on Medium.

A deep dive into what makes us buy cybersecurity products and how different types of security vendors leverage this knowledge.

Introduction & two ways to market and sell cybersecurity

Cybersecurity is an example of a product that is often viewed as an overhead cost, rather than the cost of doing business. I think there are three obvious reasons for it:

  1. Security is intangible (you can’t feel, touch or see it), and the success of cybersecurity efforts is very hard to measure. You can, for example, invest in the newest technology and still get breached when one employee clicks on a phishing link. Or, you can get lucky and magically avoid attacks for five years (the probability of such luck has decreased dramatically, but it is still possible). And you can never fully answer the question “How secure is my organization today?”
  2. By and large, business owners and people making business decisions do not understand security. There is no doubt that the implementation of security is complex and very technical, and people tend to gloss over the things they don’t understand while overemphasizing the things they do. Many senior executives assume that security is a problem that someone else in the “technical” department will take care of.
  3. Security professionals are not generally great at explaining the technical nuances to non-technical people. They often struggle to convey the importance of implementing one or another security measure from the ROI (return on investment) perspective and tend to see their role as “configuring firewalls and EDRs” instead of “protecting the business assets and ensuring the business continuity”.

I have observed that depending on the type of security product and the type of buyers (business or technical), there are two ways in which cybersecurity products are bought:

  • Purchases based on leveraging people’s biases and behavioral psychology (let’s call it “selling to hearts”), and
  • Purchases based on transparently evaluating the technical security capabilities (I would call it “selling to minds”)

The basic characteristics of each and the differences I have observed between the two are summarized in the below table. A broader discussion will follow.


Promise-based security (“selling to hearts”)

The first category of products I would like to look at is products offering promise-based security (“selling to hearts”).

Vendors that fit these criteria include various security platforms, most EDRs/XDRs (endpoint detection and response/extended detection and response), antivirus tools, and others. These tools do not offer the ability to evaluate or test what exactly you are being secured against, and such transparency is outside their core value proposition, which is the “feeling of safety”. This is why I categorize them as “promise-based” security tools.

Vendors who fall into this category tend to, first and foremost, sell by appealing to fear (loss aversion), and leveraging other cognitive biases to support the sale such as social proof, authority, commitment, and consistency.

People who buy these products are not technical and generally (not always) incapable of evaluating the technical capabilities of these offerings. It is common for mature cybersecurity professionals to dismiss this category of products as too “marketing-y” and “sales-y”.

Marketing of the vendors “selling to hearts” is based on promises of “100% security” (screenshots from some of the top security vendors’ websites are listed below).

100% protection, no less.

Because the value proposition of vendors “selling to hearts” is somewhat blurry, the vast majority of the companies in this segment are sales-led as opposed to product-led. Being sales-led gives the sales team room to convince the company that “product A is what they need”. Without a salesperson’s guidance, evaluating how product A is better than product B in this segment is close to impossible.

There haven’t been many major innovations in the AV/EDR/MDR space in a long time, and the market is incredibly commoditized. Because of this, companies attempt to differentiate by claiming to infuse every innovative technology (AI, ML, blockchain, you name it) into their products, and by making generic marketing statements (“stops all breaches” or “the world’s only autonomous fully bulletproof AI-powered cloud-native blockchain security platform”).

Evidence-based security (“selling to minds”)

Products that are “sold to minds” are a different breed. These are vendors offering security tools and infrastructure to mature security professionals. Examples of such vendors are security automation platforms, DevSecOps, code security, and security infrastructure providers. Most (if not all) open-source cybersecurity tools fall into this category as well.

The end users are technical security professionals with titles of security engineers, security architects, and security automation engineers, to name a few. With some exceptions, they are not looking for a “magic box to keep them safe”; their needs are technical — software and hardware that help them to secure their organization.

Security professionals understand that cybersecurity is much more nuanced and complex than the vendors “selling to hearts” make it look. They value evidence-based security — the ability to see, control, and fully customize what is under the hood of the tool they are using. A great example of evidence-based security is the development of MITRE ATT&CK, a “globally-accessible knowledge base of adversary tactics and techniques based on real-world observations”. With the help of tools such as Atomic Red Team which is based on the MITRE ATT&CK framework, security teams can test their defenses.

At LimaCharlie, our thesis is that the security industry is maturing and this maturation is going to lead to a more evidence-based approach to security. Maturity means that professionals are not looking to monitor a tool and click a “panic” button when a red light on the dashboard flashes; they understand the security fundamentals, are able to hunt for threats, and more. There is enough evidence to support this thesis; take the most recent Tines’ “Voice of the SOC Analyst report” where the #1 skill security analysts identified as needed for their growth is “learning to code”.

The cognitive biases that can be observed when looking at this product category are the need for control, social proof (examples include testimonials of technical leaders), and the endowment effect. People in this segment are able to more rationally evaluate vendors and their product offerings, although the timing of this evaluation is affected by the biases we have described, especially the recency bias.

Products in this category are much more likely to be product-led (in general, security professionals strongly prefer to test a product in their lab instead of going through multiple sales demos).

Products “sold to minds” have the potential to suffer from technical jargon that is hard for outsiders to understand, thereby making them less accessible to non-security professionals.

Psychological factors affect all buyers

It might be tempting to think that the solution to the problem of cybersecurity voodoo marketing is to have technical people simply choose the tools that solve security problems best. However, technical buyers cannot escape the psychological factors either. At the end of the day, we are all human.

What to secure first

The recency bias impacts the areas security professionals choose to focus on. For example, if the most recent highly publicized security breach happened due to password mismanagement, most security teams will start reviewing their password management practices even if there are other, more critical areas that their specific organization would benefit from addressing first.

It is tempting to see the latest highly publicized attack vector as “the most important to look into today”, but the reality is that zero-days and critical vulnerabilities aside, companies should focus on what is most important for their unique environments.

Making the arguments stronger

Both types of companies — those “selling to minds” as well as those “selling to hearts” — benefit from the recency and the hindsight biases, because the timing of attacks creates windows of opportunity to acquire new customers.

While companies are becoming more open to increasing their security budgets following highly publicized breaches, security vendors aren’t passively waiting for customers to knock on their doors. From sending speakers to events, organizing webinars, and sponsoring conferences to bidding on Google keywords, vendors pour marketing dollars into what sells (the latest massive breach).

Conclusion

Similar to insurance companies who, as Prof. Tykocinski highlighted, “sell magical happiness”, most security companies sell a sense of safety by offering a magic tool that would “stop breaches, prevent 100% of malware, protect from ransomware and keep customers safe”. Fear is a strong driver of purchasing decisions, and ironically, these “magic tools” often achieve the opposite of what they promise: they end up creating a false sense of security which makes companies disregard the most basic cyber hygiene and ultimately leads to a breach. The number of times you can hear “oh, we don’t need to worry about security as we have a next-generation antivirus” is incredible.

Security is maturing. More and more organizations are moving away from promise-based security, in which they have to trust a vendor’s assurances, to provable, evidence-based security, in which the exact set of malicious activity and behavior a company is protected from is known and the security team can prove it. This shift is starting to happen in enterprise companies and security service providers, with a number of vendors like Panther, SOC Prime, and LimaCharlie leading the way in making threat detection fully transparent and controllable. I anticipate this shift toward transparency and away from marketing buzz will become more widespread in the next five to ten years as the number of cyber-attacks goes up and, as a consequence, fewer and fewer people take the promises of “100% protection” seriously.

Next time you are buying a security product, make sure you are making an economically and technologically sound decision, not a decision driven by fear and a vendor’s promise of safety. While it is not possible to fully escape the psychological factors in our decision-making, being aware of them will most certainly help to reduce impact.

Constantine M.

Development OPS / Key Account - B2B, B2C, SaaS: 360 Immersive Marketing - Digitalizing Properties & Infrastructure.

2 years

Great share.
