A while back, I had a conversation with a friend that I went to school with (currently a senior member of the engineering team at a large retail chain) who was tasked with the job of identifying potential application security partners (he addressed vendors as partners, which I personally liked) that they could collaborate with on various areas as part of their product security initiative. The following piece emerged as an extension of my immediate thoughts when he shared his views of what could have made his experience of interacting with front line sales and marketing folks better.
In the context of DevSecOps, much has been said about the need for engineering to speak security, security to speak code, DevOps to speak security etc. But as a Technology Service Provider (TP), riding the current wave of application security, it’s almost mandatory for the Sales & Marketing teams to speak- Relevant Tech!
Application Security – No one size, fits all
Application Security as a practice area is dynamic. No two applications are the same, even if they belong in the same market domain, presumably operating on identical business use-cases. Some (of the many) factors that cause this variance include – technology stack of choice, programming style of developers, culture of the product engineering team, priority of the business, platforms used etc. This consequently results in a wide spectrum of unique customer needs.
Take penetration testing as an example. This is a practice area that is presumably well entrenched both as a need and as an offering in the application security market. However, in today’s age even a singular requirement such as this could make or break an initial conversation. While for one prospect, the need could be to conduct the test from a compliance (only) perspective, another’s need could stem from a proactive software security initiative. There are many others who have internal assessment teams and often look outside for a third-eye view. Few others who are quite up the maturity curve could be looking to up-their-game through a hybrid approach of tool automation with a complimenting methodology of manual assessments. I’m not even considering the added complexity involved in just the sheer nomenclature of such a service – penetration testing, security testing, vulnerability testing, VAPT (which actually is a combination of two independent practices) etc.
Each of these unique needs emerge from buyer personas who could come from varying degrees of informed decision making. TP’s would need to retrofit their positioning accordingly. They often run a risk of underwhelming a mature buyer or overwhelming an early practitioner, especially in high variance offerings such as security tooling, security regression and threat modeling for example. While some might argue that losing an overwhelmed prospect could be the result of their accurate customer segmentation, there are stories to tell of the other kind.
Scoping questions such as the ones below can significantly help technology marketers strike the right chord with their prospects and elevate the experience of the initial interaction.
- What is the motivation for the penetration test? (Compliance regulation, internal validation, business drivers, their customer’s need etc.)
- What are they specifically looking from a third-party partner? (External certification, specialized approach, uncovering logic flaws etc.)
- What is the current appetite (resource bandwidth, commerce) to take on your advanced offering? (Such as automation, regression etc.)
- How security aware are their developers? Can they take the findings to its logical conclusion through successful remediation?
DevSecOps is about GETTING there, rather than being there.
Ever since the surge of DevSecOps, marketers and practitioners have been vocal about the possibilities of advantages that smart automation brings with it. Think-Tanks too have statistically alluded to its benefits in terms of cost savings and bandwidth efficiency among others. Though recent, consistent and effective marketing campaigns have rather effectively communicated the “What” of DevSecOps and appsec automation. The need of the hour is awareness on the “How”s of DevSecOps. TP marketers would need to design and propagate content on use-cases focusing on the implementation challenges and suggested How-tos. Such content not just helps build trust/credibility but also allows segues for tech marketing to collaborate with security engineering. Some of these include practical guides on open-source tool automation and sample automation scripts & libraries, data sheets on resource optimization through automation, handbooks on vulnerability remediation to name a few.
This collaboration between marketing (and sales) and security would provide an opportunity for the former to get themselves well entrenched in the practical workings of the service or solution that they are responsible for positioning. Ironically, this also allows them to appreciate constraints that would prevent them from over or under committing business value to their prospects through their messaging. This is especially more relevant with the numerous myths that surround application automation and DevSecOps in general.
The Rolodex
In 2012, I had the opportunity to set up a calendar with one of the senior CISOs in the industry. After some initial small-talk, I got to the bit of introducing what we did and how we thought we could help his team. I was 70 seconds into what would be my planned 180 second pitch when he respectfully stopped me. Pulled out a rather impressive Rolodex from his cupboard and said – “I could point you to 15 companies in a 20-mile radius who could help me with exactly what you’ve offered me until now. I wonder if there’s any secret sauce”. Startled, embarrassed and after a brief pause, I gathered my thoughts and moved to the final 30 seconds of the pitch with much hesitation. As luck might have it, he found little bits of the secret sauce in there! The meeting obviously did not go exactly as how I had planned it would, but it didn’t go badly either. However, it made me realize that our customers and prospects know about our competition better than we do. Everybody is selling all the time. So, someone else has already made his 70 second pitch. Not everyone gets lucky to be given an opportunity for a pause. It’s up to us to step up in the final 30 seconds.
In conclusion, we are riding a very healthy wave of application security and it’s paramount that technologists and marketers collaborate in identifying and nurturing their own secret sauce in their messaging and positioning. After all, this is what is going to keep the person at the other end of the table from reaching out to the Rolodex!
- AppSec Marketing in the Age of DevSecOps - June 24, 2021