Why are IT security companies still selling on fear?

It’s the question I must keep asking myself every time I check my LinkedIn and see it filled up with IT security companies overhyping fear around security breaches, compliance failures and the latest fines. Last week was a prime example. The NHS was hit by a ransomware virus and immediately LinkedIn was full of security specialists telling you how their products can help save you from such attacks. Then we have the GDPR brigade just talking about the fines of £16 million and how their software can make you GDPR compliant.

Is it me alone that thinks that this is just lazy sales people trying to sell on fear?!

I was a techie before I moved to the “dark side” of sales, but I pride myself on listening to a client’s needs and then seeing if I can find a solution that addresses their needs and helps their business, not ramming fear down their throats and telling them that if they don’t do this and buy that then they will still get breached or fined.

That’s what being a proper sales professional is about, but the IT security industry seems to lack consultative solution sales people, in my humble opinion. It’s also interesting to see the amount of misinformation that these people disseminate into the industry. I am not tarring all IT security sales people with the same brush, and there are some excellent people in the market, but a large number are damaging the reputation of those who are doing the right things by their clients.

I completely agree that awareness of cyber threats and the repercussions of “doing nothing” is important, but it’s the way that you go about it that builds trust and credibility. There isn’t a solution in the market that ticks all the security boxes and is the silver bullet fix. Nor will any vendor guarantee you that you will not have a security breach. Everyone knows it will happen at some point, and the key is ensuring that clients have firstly understood and documented the perceived risks to their business, have taken reasonable steps to address, mitigate or accept those risks, and have a good process to respond to a potential security breach.

This is a “continual security improvement plan” which is regularly reviewed, updated, enhanced and tested. Absolutely there are technologies which will reduce and eliminate certain risks, but vendors and sales people need to understand those use cases and sell on the value the technology brings to a client and how it forms part of a much larger picture, rather than being blinkered and trying to sell on a point solution.

What can we learn?

The cryptolocker virus that hit the NHS and many other businesses was nothing new really. We see viruses of this nature every day in slightly different forms. The difference with this virus was that it hit critical infrastructure, the media grabbed hold of it and then so did the sales and marketing departments of the security industry. Panic seemed to creep in across the IT world. “Have we patched this?”, “Have we tested this?”, “What is the potential risk if it hits us?” etc. etc.

The truth was that many businesses were already adequately protected from this virus and had solid processes in place to ensure that they were patched. There were also many businesses that already had a risk register, a patching strategy and a plan to deal with such cyber incidents. It was those clients who had good sales people advising them.

“Awareness about IT security is very important but exploiting fear is not clever marketing or selling. So, to all those still using the NHS story or GDPR fines, please give it a rest and start engaging with your clients so we can provide solid advice and solutions that will help them. You do the rest of us a bad service!”

Stuart Grist, Sales Director, Metaphor IT

If you would like agnostic and unbiased advice on your IT Security Landscape then contact us today.