In the past few weeks, as various security companies have published multiple studies about the state of cybersecurity, a common theme has arisen: Executives running the companies that purchase security tools and services are not sure their purchases have made them any safer. This widespread position in the market confirms the results of a months-long investigation by Cyber Protection Magazine: marketing practices in the industry are failing to do the job and, in the process, making society less safe.
Every report skews its data toward convincing customers to add the publishing company’s tools and services to their budgets. However, every report also finds that between 60 and 90 percent of managers have significant concerns and doubts that the tools they have, and the tools they are considering, will do the job that needs doing. The reasons for that lack of confidence are three-fold.
Three reasons for lack of trust
First, stuff is moving fast. Governments are legislating controls and protections faster than normal. Sometimes these rules don’t make sense, and many in the industry think they are holding back innovation and adoption. Criminals and nation states are stepping up attacks that bypass established protections, and lawsuits for negligence are growing. Second, while understanding of the need for security best practices is at an all-time high, that’s mainly because weaknesses due to work-from-home and generative AI, and news about data breaches, are also at a high. That means that while understanding of the need is high, inexperience and ignorance are creating new opportunities for attacks.
“Many executives may not exactly understand how (the tools) work,” said Cache Merrill, founder of software outsourcing company Zibtek. “When there is a concern on the functionality of the tools or when attention is on what the tech teams understand without listening to them, anxiety is experienced. To put it simply, if they cannot see it, they will not put faith in it.”
Carl DePrado, an SMB IT consultant based in New York, said, “The sheer number of cybersecurity products and services can be overwhelming. This contributes to a sense of vulnerability, as they may not feel confident that they have covered all their bases.”
Understanding what you don’t know
Paul Robichaux, senior product director for Keepit, explained that lack of confidence is tied to a lack of investment in data visibility. “I had an engagement a month ago with a very large French company, about 150,000 employees. They had no disaster recovery plan for their cloud systems at all. It started from the sort of mistaken idea that they didn’t need one because the cloud vendors were going to make sure that everything was protected. Lack of awareness, lack of visibility is the root cause of that problem. If you don’t know what your most important data is, you won’t know if it’s being protected adequately or not. In so many places that just didn’t exist, and it’s hard to get there, because the bigger you are, the more time you’ve had to accrete that data, the more difficult it is.”
Other respondents to our investigation were less diplomatic. “Most executives are just incompetent,” said one anonymous vendor representative. Another called the customers “stupid.” In the technology sector, that is a common perception of customers. Whether the cause is incompetence or lack of understanding, it would seem that education would be a prerequisite, but in the cybersecurity industry in particular, that seems to be hard to come by.
“Often providers are not able to depict the real worth and how their tools are meant to function,” Merrill explained. “It is rare for the clients to witness these systems providing return on investment as simply preventing risks. When the vendors speak too much of the value of their products and shy away from a clear ROI, skepticism creeps in. The potential exists, (the vendors) simply cannot say it.”
That brings us to the third reason for the lack of confidence: Education.
Falling into chasms
Several studies in the past two years have shown that when it comes to marketing and communications, cybersecurity companies are as “incompetent” as their customers are in understanding security.
Buzzwords and positioning phrases are rampant in marketing documents, in particular in the technology sector. Marketing departments and C-suites in cybersecurity companies are populated by veterans who carry that same practice with them. Recent studies by the Journal of Advertising Research, the Journal of Consumer Research, and Forrester Research said terms like “leading” and “industry first” create immediate distrust, even when backed up by independent sources. The terms are almost always found in the first 50 words of any marketing document. To understand why this self-destructive practice continues, you have to go back to 1991, when the best-selling “Crossing the Chasm” by Geoffrey Moore was published.
Moore said, in short, that start-ups must focus their entire efforts on a niche market to secure a foothold and use it as a base for further expansion. The narrower the market niche, the easier it is to focus marketing efforts, deliver superior service, secure a pragmatist customer base, and collect references. CEOs made reading the book mandatory for a decade after it was published. Or, at least, they bought the book for their marketers and sales executives and told them to read it. Few went further than the first few chapters. The standard practice from that point was to just say they led their chosen niche without actually doing the work. As a result, various niches were made up of a dozen or more “leaders.”
Multiplying distrust
In the cybersecurity world, those generic terms that customers distrust are joined by “Zero trust,” “AI/ML,” and “people are the weakest link” among others. The Forrester study shows that B2B buyers, in particular, are wary of “self-promotional language and prefer brands that demonstrate leadership through data and expertise.”
So if the language of the marketing effort actually turns customers away, why do companies continue to use it?
A 2023 study done by Adam Galinsky, professor of leadership and ethics at Columbia Business School, said, “We use jargon when we’re feeling insecure, to try to help us feel like we have a higher status.” Galinsky said that actual leaders in a field can explain their positions to a wide variety of audiences because they know their subject. But when someone is unsure of their knowledge, or how they might be perceived by their audience, they fall into jargon to cover their insecurity.
That explains a lot. But there is more.
Misspent budgets
Generally, successful companies spend about 10-12 percent of their budgets on sales and marketing. According to the Gartner CMO survey, technology companies spend significantly less, ranging from 2-5 percent of the budget. One third of those budgets generally goes to event marketing, which could go as high as $100,000 per event, not including personnel salaries and travel costs. Another third of the budget goes to website development, not including content development. So, before a company invests in any content, two-thirds of the marketing budget disappears.
Jim Rice, vice president of sales engineering for Protegrity, said he has attended ten trade shows and events in the past year. His company has the added burden of convincing customers to not just secure networks but secure the data as well, while keeping it usable. That makes customer education a priority.
“If you think about what might have worked 20, 30 years ago, it is not going to necessarily address the challenges of today or 20 or 30 years from now.”
AI making it worse
Unfortunately, companies educate customers today the same way it was done 20 or 30 years ago. And the weaknesses in that approach are exacerbated by the growth of generative AI in marketing.
AI has been touted as a great way to speed content development while bypassing the cost of human authors. Pecan AI, a predictive analytics company, claims 60 percent of companies are employing generative AI to develop content. However, generative AI is trained on content that has been used over several decades, and while it automates the process, it uses the same language that the previously mentioned studies show devastates customer trust. Companies that still use humans to develop content are cutting those budgets to invest more in events and web presence.
As critical as clear communication is to adoption of security best practices, companies are cutting back on communication investment, instead relying on mediocre automation techniques and content creators with limited experience in the field. That makes us all less secure.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.