Wannacry – If you work in the tech industry, it was the best of weeks, it was the worst of weeks, depending on how you view the world.
If my social feed was anything to go by however, if you work in either a Security Sales or Marketing role, you were probably the one group of people, slightly more demonised than those demanding a ransom.
Now don’t get me wrong, if you’re a CISO, I’m pretty certain last week was no picnic. Every social ping, email and phone call, was probably an unrelenting onslaught of sales people wanting to ‘help you’ (which I would imagine was about as productive as when my 7-year old offers to ‘help’ me cook).
One CISO that I know very well, within hours of the headline breaking, posted his disdain on Linkedin for the ‘cheap sales tactics’ used by vendors and partners alike and he conveyed it in his typical, dry, frankly brilliant, irreverent way.
Then I spotted the sheer number of sales and marketing people in the industry liking and sharing the post in stoic agreement.
Mmm, slice of irony anyone?
The next few days that followed were pretty similar. The average CISO’s post was (broadly speaking) a rinsed-and-repeated version of their dismay at the various sales tactics of the security firms and how (come the time of the next review etc), their decision would be swayed by the behaviour of those organisations during the Wannacry malaise.
Ok, that undoubtedly stacks up. We all know that some sales people have all the subtlety of Donald Trump at a W.I meeting, so I’m sure there’s substance there.
But this was the bit that bothered me – a number CISO’s heralded security companies that offered to ‘help, advise or consult’ as superior (and more professional) to those offering their product as a viable solution. One slightly paraphrased quote included “I will, in future strongly favour organisations that simply offered consultative advice, rather than use an event like Wannacry to position their product”.
Come on…really? I mean, really? We’re all grown-ups here, no? Whether you’re being offered advice, pre-sales assistance or heaven forbid, consultancy, I’ve got news for you sunshine, you are in their CRM system somewhere as part of a sales cycle. That’s not noble professionalism, that’s just window dressing.
Now don’t get me wrong, you may really like the supplier you’re dealing with, their acumen, their approach, their award-winning hair, you may even be one tentative step away from picking out curtains with them but I’ll save you the suspense, they’re still selling you something…Or you’re ‘buying it’, depending on which wanky business manual you read.
And I do get it – British people don’t like being ‘sold to’ but if you feel that strongly, I’m sure none of us will judge you when you also voluntarily unsubscribe for Amazon Prime, Netflix and demand daily written apologies from Google ads. It’s the principle after all.
I did in earnest, support the plight of many of my CISO friends because their argument carried in part, credible weight. If I’m being balanced, their comments were tame in contrast to organisations who sell security solutions for a living. Many spouting a cringe-worthy barrage of slurs citing the same variation of ‘bandwagons and ambulance chasing’ accusations aimed at their competitors. There’s no hypocrite, like a ‘Happy hypocrite’ after all.
Were there organisations out there offering answers to Wannacry who had ‘no real’ expertise that warranted the backlash? Probably.
Let’s be honest, they needed to take time out from reading up on what ‘GDPR really means’ months into their marketing campaign that positioned them as the ‘World leading authority’ on all things ‘Data’, ‘Europe’, ‘Acronym Compliancy’ and….um, really big fines.
But where does that leave the Security providers who were perfectly positioned to help?…Who already had the product and solution long before Wannacry even hit the headlines?
I know of at least one vendor who wanted to avoid drawing attention to the fact they have a world-class solution for Ransomware. You know, so they didn’t appear to be ‘selling’ during that week. That’s just insane.
What should these companies do? Say nothing…really? Is that how the business world should work? They shouldn’t offer a solution they have invested in heavily to solve this very issue to a market in clear need of its value? Give me a break.
Proving value requires relevancy, context, substance and timing and in instances where there is a clear need, can you really blame a company that offers the perfect solution, for trying to make themselves available to their prospects? I don’t think so.
No matter what your role, I can promise you the marketing department of the organisation you work for would do precisely the same thing if they saw an immediate requirement for a need they were well positioned to serve.
With all that said, if you do work in a sales or marketing role, I wouldn’t get too comfortable on that high horse if I were you. There is good reason why you p*ssed off the better part of the people that represent your perfect customers.
If you work in the world of security, you have the luxury of a very switched-on, informed audience – The majority of CISO’s that I know are forward-thinking, so they tend to get the hump if you point out to them what they already know.
Typically, they look to work with progressive companies that encourage a proactive, diverse approach to security – you know, the sort that takes into account the increasing sophistication of their adversaries ‘an all.
So, if the ‘Wannacry headline’, was the first time they knew something of you, then that’s a fairly poor reflection on your marketing and business in general. I would imagine this condition existed in your organisation, long before this particular strain of sh*t hit the fan, so don’t be too hard on yourself. We can’t all be good at everything.
I’d also think twice before openly slamming your competition on a public forum for capitalising on a compelling event relevant for the market you’re all looking to satisfy.
The poor behaviour that you’re looking to shine a big, uncompromising light on in full view of your customers and peers, could well transpire to be your very own.
And if you’re a CISO, then I’m afraid you need to reconcile yourself with the fact that security companies will look to work with you. Some will get their approach just right, others will do it poorly but no matter how they dress it, they’re a business and if you stifle their ability to make themselves available to you, then I’m afraid, they won’t be around for very much longer.
Businesses need to make money to survive and cyber security is no exception. Given we’re all faced with an increasingly sophisticated adversary, it makes sense to let those that can offer a meaningful solution, to make themselves known.