Less fear and better information from cybersecurity vendors will help potential buyers make rational, informed purchasing decisions.

At the Annual National Cybersecurity Summit in September, Chris Krebs asked the cybersecurity industry to stop "selling fear." Krebs is the Director of the Cybersecurity and Infrastructure Security Agency Department (CISA) of the US Government.

Krebs understood FUD (Fear, Uncertainty, and Doubt) to be a useful marketing tool. However, he added that topics like election security needed measured and well-reasoned discussions instead of hysteria. One of his concerns was of users "sliding into learned helplessness."

Aidan Simister, CEO of Lepide, a cybersecurity firm, wrote in Infosecurity Magazine that "'fear-selling' in over 62% of prospects we surveyed made people less likely to engage (or buy) from a vendor."

The cacophony of fright in the marketplace drowns out the impact, causes, and solutions of industrial fear-mongering. Less fear and better information from vendors, however, will go a long way toward helping buyers better understand and prioritize their purchases.

The Only Thing We Have to Fear

Well, the only thing we used to have to fear was fear itself, according to U.S. President Franklin D. Roosevelt in 1932. But these days we have hackers, scammers, fraudsters, identity thieves, phishers, and dodgy sales pitches to watch out for too.

CEOs, CIOs, CISOs, IT Department Heads, Small Business Owners, Managed Services Centers, and other decision-makers are inundated and disoriented about what the proper solution is to threats real and imagined.  

Business users and consumers are confused. Business users find IT on a weekly basis sending out announcements about changing passwords, not clicking on this or that link, avoiding this or that website, not giving up this or that information on the phone/over coffee/to our friends and loved ones.

Next on the list may be divulging private data to our pets. Corporate users have become so frightened about clicking on anything that one of the most significant challenges cybersecurity professionals have is identifying ground zero for an infection. Users are too frightened to admit they had indeed clicked on the link to an invitation to a professional conference they didn't know existed.

The Wages of Fear

The reason cybersecurity vendors are using this tactic is that it is easy, quick, and plays into an ecosystem of fear modern society has incubated. Heinz Bude writes in his book Society of Fear that Western society as a whole has become riven by fear.

Decades ago, news media and sales departments found that fear sells.

Consider the adage that "If it bleeds, it leads," which sets the format for most daily news reports. Publishers and editors know that death, disaster, and tragedy are far more alluring than the sort of news that makes everyone feel OK with the world.

Think about it: everyone will tune out of all news channels if they feel there's nothing to worry about. The adrenaline hits that viewers of 24/7-news experience fuel the news industry. The reaction probably goes back to our ancestral roots as indefatigable gossips.

Throughout history, humans have gossiped about the bad stuff. We tend to ignore the happy moments that occur. It's one of the reasons many cultures share some form of schadenfreude — the pleasure someone experiences from another person's misfortune.

Imagine a headline that read, "And today, no multinationals lost millions of customer records to hackers." And then imagine an entire news channel devoted to the good news. It would fold within a day (which would make the news, probably).

Salespeople of every ilk down through the ages, however, have been aware of the adage of finding people's pain and then peddling the solution to the discomfort.

Unfortunately, nowadays, with so many vendors offering so many cybersecurity solutions, it feels like a roomful of dentists all probing a single mouth to find that sore spot that needs remediation. So what happens instead is that the salespeople create the pain.

Just the Facts, Ma'am

CISA's Krebs and Lepide's Simister are all for capitalism, I'm confident. However, they are against a kind of salesmanship that thrives on fear to sell wares.

Now, there is so much noise in sales funnels that business decision-makers are shutting everyone out. Take email campaigns as an example.

Michael Coates, a former CISO, put it best when he said he would press the delete key when he saw an email from a cybersecurity vendor. Now that he has switched to the other side of the table as an officer of a cybersecurity startup, he is the one directing his staff toward sending out emails to potential customers. He suggested that vendors get straight to the point in their emails and drop the fear-baiting:

  1. Tell the recipient what the solution is.
  2. Briefly tell how the solution works (in one or two sentences).
  3. Quickly explain how the buyer integrates the solution into his cybersecurity ecosystem.
  4. Provide a link that enables a demo of the solution.

The vendor gets what they should have, which is a visitor to their website who willingly shows their interest in the solution. And the prospect saves time and appreciates that an email has not jolted their blood pressure yet again.

Cybersecurity solutions sales approaches have reached a tipping point. The same applies to IT staff who are relentless in raining terror upon hapless end-users. Stop conjuring up ambulances to chase. Instead, inform, educate, and encourage the behavior you seek.

It would be nice if all we had to fear again was simply fear itself.

For further reading/listening: “Vendors Need to Stop Fear Selling, it’s Damaging the Whole Industry,” Infosecurity Magazine, June 3, 2019; Society of Fear, by Heinz Bude; The Why Factor: Schadenfreude (BBC).

The awesome GIF used in this article is called FEAR and was created by Pavelas Laptevas.