We Must Do More
10 years ago, there were what, 100 companies in cybersecurity?
Names like TrendMicro, Intel, McAfee and Cisco dominated the space, trying to get their products to work together to identify viruses and block bad guys at the firewall.
Prior to 2010, cybersecurity was its own, weird and isolated domain. No one really cared what happened there, until something the user community were using didn’t work anymore. The rare malware or adware event caused machines to disappear or become non-responsive.
It was still the IT Help desk’s problem.
The Emergence of the Rock Star CISO
By 2018, the cyber threat world had changed a lot. Suddenly, it seemed, there were cybersecurity experts and security and risk pros becoming fixtures in boardrooms and newsrooms, and the phrase, “Rock Star CISO” emerged.
When the Cyber World Changed
In 2013, Mandiant published a report known as the APT1 Report, and the cyber world changed forever.
The APT1 report, pushed cybersecurity into a narrative spy novel and changed industry marketing for good. The report summarized what most of us knew: China was stealing intellectual property from firms in the US at a rapid rate, Russia was funding proxies for growth in ransomware. But for regular quotidian folks, it brought them onto a journey made personal, with nation-states engaged in cyber conflict with personalities, countries, international police forces, CISOs as hyper-valuable bastions of sensitive IP like the WHO and the World Economic Forum and the NSA.
It unleashed the ubiquitous annual threat and intel report which company after company would use as content marketing to generate leads and demonstrate their brand authority.
Getting on the Same Page
Lockheed Martin published their Kill Chain report which dumbed down the process that a malware attack would follow so that all could understand. The report made cybersecurity more accessible and created a taxonomy that could be used to explain what happened, why it happened, how it was classified, and what could be done in the future about each stage of an attack kill chain.
While doing nothing to resolve the widening communication gap between technical and nontechnical audiences, it did solve some internal communication gaps within cybersecurity when it came to framing attacks, and provided a useful frame of reference so all could read from the same hymnal.
Combining the APT1 intel with the discovery that Stuxnet had been developed by our own National Security Agency broke through a consciousness fog about our government’s role in international, cyber-geo-politics and forced us all to face the growing threat from both within and without.
The Perfect Storm of Ransomware
WannaCry and NotPetya were the two ground-breaking examples of sophisticated ransomware. And suddenly, many were following and creating the perfect storm, as they now regularly cripple telecoms, logistics, utilities, municipalities and many future targets to come. While those two biggies brought the first serious attention to the challenges of identifying and stopping runaway ransomware, and the first from non-cybersecurity practitioners as well, they helped underscore the importance of cybersecurity to the overall connected enterprise.
Target became the straw dog for every vendor using FUD, and could be found as default pages 3 and 4 in every vendor’s VC pitch deck, and shared by every cybersecurity solution rep in their product pitches.
Poster Children for What Not to Do
OPM, Sony Pictures, RSA, Equifax, Yahoo, Marriott and SWIFT became the gold standard for “See what could happen to you too,” as each carried with it, its own unique foot-print and signature. But they also joined forces with two key vulnerabilities of the era, one that would shake the infrastructure of the internet and another that would accelerate our current explosion in ransomware.
Heartbleed spotlighted an issue in OpenSSL, hitting everything from websites, appliances, data and applications, all of it. The yield? Private keys, usernames, passwords, emails, data, access, authentication, etc., so if a crazy person wanted to find a bug that could disrupt almost everything in technology, this was for them.
EternalBlue simply gave credibility to the notion that the NSA is really good at developing exploits and bad guy accelerants. It also proved that cyber weapons are really dangerous as EternalBlue continues to be used in attacks, despite patches being widely available since 2017. WannaCry and NotPetya have also used EternalBlue for initial compromise and lateral movement by exploiting the big flaw in Microsoft’s SMB Protocol.
Out with the Old …
So what began in 2010, picked up speed in 2013, started running hard in 2018, has now become our reality in 2021, one in which we are nowhere near the lead horse.
The last decade is gone. The new decade looks as different from the last as a Tesla does to a 1956 Buick. And in every way.
Instead of 4-5 true competitors, marketers now find themselves staring at 20-25 alleged competitors, all saying essentially the same thing as each other. CISOs have gone from polite, available to all, denizens of a commercial threat protection landscape, to isolated, impossible to reach, and grouchy recipients of sales and marketing pitches, even if you are lucky enough to contact one directly.
The wall of noise is high and thick, and no one believes that everyone can lead you to the Zero Trust Promised Land.
The Wrong Tools for the Job
The problem is that most marketers have approached this near-impossible state with the exact same tools and perhaps mentalities they were using to penetrate the prior markets, which may have worked then, but will surely not work now.
Every CISO I know has been to a dozen Virtual Roundtables – no one has not figured out at least 5 ways to accommodate the “new” (now 18 months old) work from home environment. No one I know want’s the 2021 Cybersecurity Awareness Month Resource Kit and absolutely no one wants to know what can be done to predict or prevent an incident like “SolarWinds, Accellion, Codecov, and Kaseya” from happening in the future.
If they are all doing their jobs, none of this is relevant. If they are not all doing their jobs, why do you want them as prospects? They will have smaller budgets, more bureaucracy, less focus and a sub-optimal understanding of their condition.
The CAC for these folks is very high and the ARR will be very low – in fact, it is likely you will have increased churn as these personas will have little or no idea how to extract value from your product or service, post-install.
Focus on Your Brand Story
What you as vendor marketers need to do today is focus on who you are, how you do what you do, a mapping of that process to the industry’s most popular trends, and the most unique and credible way to deliver that message.
In journalism, there are myriad rules that govern professional reporting. This is why we rarely see deeper dives into main or sub-story lines that take us to a place that actually makes us think about a problem.
Quality Over Quantity
If I told you that I was hosting a discussion with Joe Lock, the CISO at GrowRich and an industry expert from the money management business on personal finance care in an age of cyber threats, and at the same time, you received an invite to a fireside chat with Chris Bosh on his views of technology in the workplace, which would you attend?
If my invite had Art Coviello on the current and future threat landscape, and yours had anyone else, which would you attend?
If the godmother of SAML and UMA sat down with one of your SME’s to discuss the first and last mile challenges of decentralized identity, would your prospect audience be more or less inclined to choose that over your invite to the webinar on how the Chief Security Officer should work with the Chief Privacy Officer, by a vendor CISO?
How about instead of $200K spent on 1-2% conversion rate content syndication campaign leads, you spent it instead on lighting up the sky over Orlando at this Fall’s Gartner Security & Risk Management Summit with 300 drones dancing out your brand story and tying your solution indelibly in prospect’s minds to Infrastructure Protection Strategies.
You get the point.
Find a Partner Who Understands Cybersecurity
Whatever you do and however you decide to change your resource allocation, do it with a partner who understands cybersecurity, your target personas, and the connections, creativity and influence to develop memorable marketing campaigns with industry leaders who are in it to make a difference.
The more passion, the better.
If you’re interested in learning more about CyberTheory or our marketing services, please send us a message.