The Good, the Bad, and the Ugly. Making the best of Information Security Marketing.

Information security as a market has progressed in maturity and size to the point where it can now be safely described as an industry. As such there are numerous security oriented companies vying for customer dollars through competitive products, solutions, pricing and of course marketing/advertising. While each of these arenas have their issues, the latter has the most public deficiencies. With few exceptions most security marketing campaigns range from the woefully ineffective to the realm of flat out embarrassing (see Symantec’s “Hack is Wack” campaign). This post will explore some of these deficiencies as well as discuss a few do’s and don’ts of information security marketing.

One will note that much of this article focuses around things that will resonate with operational security professionals and is not necessarily focused around C-level messaging. This is due to a primary belief on our behalf that C-level executives are a much smaller portion of purchasing decisions than we give them credit for. Granted the ultimate decision to make a purchase lies with higher-levels of management, however, the influencers that are pushing for purchases are the operational professionals behind the scenes. It is within this community that some of the biggest marketing issues exist.

FALSE! Any Visibility is Good Publicity
That said, let’s begin the exploration by first addressing one of the most common mistakes of security marketing. Namely that any visibility is good publicity even if that publicity is bad. In some circles the notion of bad publicity actually contributing to the recognition of the brand is certainly one that holds water. Heck, look at Paris Hilton. In the realm of information security however, this is not the case, bad publicity is simply that, bad. In fact the earlier mentioned “Hack is Wack” campaign is an excellent example as the campaign fell flat on its face. Beyond giving rise to twitter hash tags like #NortonAntivirusStillSucks and drawing the ire of several journalists, including Andy Greenberg over at Forbes (Forbes Article), Symantec failed to reach their target market in a positive manner. Today all that is left of the campaign are negative press and photos of infosec people who were able to catch paid spokesperson Snoop Dogg at Symantec events, even NortonSocial.com is more or less dead, with no signs of a comeback.

Really the only positive message that came out of the campaign was that if a security vendor pays a famous spokesperson, a significant portion of the community will get to meet them. Hence why there have been so many people likely requesting marketing dollars to hire Mila Kunis, Angelina Jolie, and Jessica Alba as spokespeople (or at least it was the driver behind all my requests). It may seem like I’m picking on Symantec here, I’m not, it’s merely one example how bad visibility reflects poorly on a company, there are many others (and believe me this post is going to cover several). Another solid example of a marketing bomb could be seen over at Cisco.

Market Research is Not Always the Best Option
Years ago during an analyst meeting, Cisco discussed the results of a study they had conducted regarding what resonated with security professionals. The results showed that security professionals were partial to superheros and comic book characters. Cisco thus decided to seize the opportunity and leverage cartoon superheros to draw the attention of security professionals everywhere. This was a fantastic effort on behalf of Cisco (the end product, not so much, but we’ll get to that).

First they made the investment to truly explore the base of people they were attempting to market to. Second, they were willing to break from their normal routine to try something new, even daring. All of this is very exciting, even executives were enthuiastic (check out this VP’s blog post). Unfortunately, Cisco’s attempt to reach information security professionals ended in the awfulness we now remember as “The Realm” (whose videos can now be viewed on YouTube). The mistake they made was to assume that security professionals would like any comic book superhero Cisco produced. They didn’t.

Instead the effort was seen as pandering by much of the target demographic and laughed at before being immediately dismissed. If anything Cisco’s campaign showed just how little they really thought of operational security professionals. Comic book superheros are awesome but don’t assume that the geekiness of the information security demographic is non-selective. When there is a gap between a marketing team and the people they are marketing to, it shows. The end result is a campaign that comes off as cheesy or silly. Understanding not just “what” resonates with an audience, but also the “how” and “why” it resonates is important. Of course cheesiness and silliness are not necessarily “don’ts” in security marketing. Rather silliness and cheesiness are pretty successful in security marketing when the marketer does it purposefully.

A great example of a marketing campaign using a superhero cartoon character is the one conducted by Sourcefire. Sourcefire leverages a cartoon superhero commonly known as “the Snort Pig” or “Snorty.” Unlike the characters of Cisco’s the Realm, the Snort Pig is very well received by the security community. In fact, the Snort Calendar, which features the Snort Pig in multiple pop culture scenes (e.g. the Snort Pig as Neo from the Matrix), is highly sought after by the community.

The reason why the Sourcefire campaign works but the Cisco campaign largely failed is that the Sourcefire campaign is honest. There is a certain genuine aspect of the Sourcefire campaign that makes it successful. The Sourcefire team almost makes fun of the Snort Pig by placing him in funny parodies as opposed to Cisco, who leveraged their cartoons in an overly serious tone. Honesty in marketing goes a long way with the security community. That doesn’t mean start a new slogan that says, “Actually our stuff is only second best in the market.” Rather it means that as a security vendor, take the things that are cool to your operational security people and leverage them. Generally this is a no-no in marketing/advertising (thinking the target demographic is like you), but in the realm of security, for several reasons, this actually works. The message it sends is, “Hey we’ve got people very good at this stuff, they thought this was cool, you might think it’s cool too.” As opposed to, “we ran a giant market study, this is what it said you liked. Let us try to relate it to you.” Though the difference is subtle, it can make or break a marketing campaign.

Self-Actualization is Powerful
Though Cisco’s campaign struggled as it was too serious for the particular media, having a serious message is not necessarily wrong. Actually messages of self-actualization, or rather the tendency to actualize something as fully as possible, are very powerful in security marketing. This is especially true when the message helps individuals working within security recognize just how powerful their skill set is. Security professionals love the idea that what they can do, can make or break the world. Having a piece of collateral that expresses that belief has resonated very within the security community.

This does not mean start selling FUD (Fear, Uncertainty, Doubt). Though it is painful to admit, yes FUD moves products and services. It is however, not what one should want their company known for, therefore it should be used sparingly in a targeted nature. Which is not the type of self-actualization campaign that is being discussed here. Rather, this discussion is more focused around, “An Army of One” type of marketing campaign (which was a very successful US Army self-actualization based marketing/advertising campaign). In other words, these campaigns should focus around how powerful the individual is in information security. At the same time though, it should also allow them to leverage that marketing material to show others as well.

As a corporate emergency response team member once put it,marketing campaigns allow security professionals to internally recognize how important and powerful their field is, while at the same time, leverage that campaign to validate those beliefs with external sources. One of the best examples of this can be seen at Facebook, whose “Hack” campaign does not actually focus on security, it just happens to resonate really well with that community. However, it captures the mentality of security professionals to believe in the true power of hacking and hacker mentality. Take for example the image that Facebook utilizes in the form of a poster at the right. This image merely portrays the word “Hack” and a bundle of dynamite ready to explode. It may seem like a stretch to some but the subtle message says to many security professionals, that the ability to think creatively and to “hack” has the potential energy of bundle of dynamite ready to explode. This is a truly compelling propaganda message. So much so that Facebook marketing material is heavily sought after within pockets of the security community. Of course this is not due solely to the powerful message, but also due to the exclusive nature of their marketing efforts. Which leads us to our next point of self-actualization, elitism.

Self-actualization in it’s most potent form can be seen in the realm of elitism. The desire for elitism within the security community is palpable. Marketing campaigns that properly execute on this do very well. Consider some of the brands that are believed to be elite within the security market. Now look at their marketing, one will note that these organizations subtly support these messages. Take for example, the booth that the NSA sets up at RSA. In order to get into the booth one is given a faux security pass, as if to say, only a select few are ever allowed into NSA arenas. Similar messages are sent through the limited number of challenge coins that actual security team members give away each year. These coins represent a token telling others that this organization, or in particular team, is special or elite in nature.

Which leads us to the most key principal of security marketing in the realm of self-actualization. Market internally to gain notoriety externally. Build a brand that internal security players can get behind and believe in. This often translates into real public recognition of those beliefs.

Marketing Punts Suck. No One Notices Them or Likes Them
As much of a hard time as Cisco’s the Realm or Symantec’s Hack is Wack campaigns received, they are not anywhere near the worst. Credit must be given to both companies for making an effort, for breaking from the norm and at a minimum being somewhat daring. Which is far more than can be said for the vast majority of security vendors out there. No, the worst are far less discussed than Symantec and Cisco. Rather, by far the worst marketing campaigns are those that function as the equivalent to a punt in football.

Marketing is supposed to be powerful, memorable, and in most cases fun. All three of these areas are lacking from the vast majority of information security marketing campaigns. So much so that, posting any real examples here, would be picking on companies as virtually everyone does this. In some ways this is ok. Not every marketing campaign should hit with 1,000 lbs. of force. However, when it is the only campaign being run, well, then there is something wrong. Good security marketing is not about how many times someone can put “real-time”, “threat protection”, “intelligent”, “2.0″, “next-generation”, “advanced” into a product description. Worst yet, if the most creative, eye attracting image an organization can muster is a picture of the actual appliance, then it’s time to rethink the marketing scheme.

The one exception to that rule is if one runs a marketing campaign similar to Barracuda Networks, who, despite having several campaigns that merely include pictures of their appliances, still have done very well in the marketing arena. That however, is due to the fact that they first complement that campaign with a multitude of other unique campaigns (e.g. sponsoring sports like Indy car racing or professional cycling). Also, it is difficult to ignore that Barracuda has seemingly posted their advertisements everywhere! Again though, this is the exception and frankly it is only the exception because they have done so well to complement the boring stuff with a multitude of great marketing campaigns.

In general organizations finding themselves in the realm of predictable, easy, everyday marketing should consider drastic changes. To close, this article has provided some of the good and bad of security marketing. Please remember these simple guidelines for great marketing in the future, and always be unique!

As we close, take these simple guidelines to heart
1. Market to operational security professionals, not just C-level execatives
2. Bad publicity is not good
3. Self-actualization is powerful
4. Market research still leaves room for interpretation
5. Marketing punts suck! Don’t do it.

Comments are closed.