Let’s wrap up the week of commentary and insights from this year’s RSA Conference with a discussion of the marketing hype and buzzwords. Vendors attend RSA and spend tons of money on booth space so they can share their brand messaging and attract customers. RSA Conference attendees pay for the event and visit the vendor booths to identify potential solutions that can help them be more secure. The problem is that everyone is saying the same thing.
The buzzwords are so common—so universal—on the show floor that it seems like it’s virtually impossible for someone who is not an information security expert to separate the hype from the value and choose the companies that can actually deliver. If every company has the same taglines, and makes the same claims, how is a potential customer supposed to figure out which company or product to choose?
“I didn’t see any buzzword bingo cards handed out this year, but I think that was a missed opportunity,” declares Grant Shirk, senior director of product marketing for Vera.
Morey Haber, VP of Technology at BeyondTrust, proclaims, “I did have a chance to walk the show floor and the buzzwords where deafening. The most common were “protect,” “detect,” “identify,” etc. I felt like I was reading the US Government CyberSecurity Framework spun into a marketing event.”
The challenge for attendees is that many are not tech or security savvy enough to separate reality from hype. As new markets in security develop—advanced threat detection, orchestration, microsegmentation, data-centric security, etc.—there will be a lot of vendors, new and old, jumping on the bandwagon. Some security solutions are actually innovative and truly address a need, but many are incremental improvements of existing concepts and don’t really deliver on the promise in the marketing literature.
Travis Greene, Identity Solutions Strategist for Micro Focus, explains, “In such a fragmented marketplace, vendors can feel forced to use messaging to gain attention through the use of buzzwords, often leading to overuse and the opposite of differentiation.”
Greene adds, “The struggle to understand even the fundamentals of what a vendor provides is real. There are resources available that can help narrow down a shortlist of vendors, such as peer review sites or analyst research. But they have their limitations—they don’t know your environment or unique requirements. That’s something only you (or a consultant) can gather.”
Cut through the hype
I’m a CISSP-ISSAP and I have worked in the security trenches. I’ve written about security, and produced security marketing collateral for years. Even as an expert to some extent within the security industry, I sometimes find it challenging to see past the buzzwords to what the products and services are actually capable of. The unfortunate part is that the vendors spewing buzzwords for the sake of hype confuse the market and make it more difficult to find the solutions that actually work.
There are some vendors at the RSA Conference—or in the security space in general—that only have buzzwords. Investing in a high-profile booth at RSA, throwing lavish parties for prospective customers, and displaying attractive bells and whistles that look like they should be in a high-tech security operations center from a James Bond movie all draw attention for the vendor. When it comes time to deliver results and solutions, though, these vendors have nothing to offer.
BeyondTrust’s Haber recommends, “For end users, the high level messages are nearly identical, and if you actually dig into the technologies, it becomes a feature war. This is no way helpful for companies since dial, widget, and dashboard features rarely dictate the effectiveness of any technology. For companies, I can only recommend staying far away from one trick pony companies unless absolutely needed.”
“In the end it is about the nuances,” declares Klaus Gheri, VP of Network Security for Barracuda. “If you really want to find out there are a couple of things you can do. Ideally test drive products in a realistic environment. Before doing that narrow down the meaningful choices by reading up on analyst research and checking out available test reports. These can provide some extra guidance. Also check what other people have to say about a product/feature on the Internet—support quality may make all the difference as esp. new products tend to be somewhat fragile.”
Gheri also points out that many of the smaller vendors at the RSA Conference showcasing cool or innovative capabilities are really there as an acquisition play. The purpose is to demonstrate features and capabilities to other vendors—potential suitors—more so than actual customers.
“Start by defining the problems you need to solve and ask vendors how they would approach solving them,” suggests Micro Focus’ Greene. “And don’t forget to ask the vendors you already work with first. You may already have something in place.”
Basically, what it comes down to is telling these vendors to show, rather than tell. You can start by looking at the pedigree of the company and the team behind it, and eliminate any products or services that can’t integrated well with the infrastructure and security tools you’ve already invested in.
Ultimately, though, it’s about direct interaction with the product or service in a real-world environment. Don’t pay attention to the buzzwords or marketing hype at all. Spend some time understanding the actual features and capabilities of the product or service in question, and let it sell itself. Or not.