One of the things I currently enjoy is being able to attend an event like RSAC without a vendor badge on. It enables me to have much more honest and often diverse conversations. Below are my three top takeaways from this year that we, as vendors, need to take an interest in.
Abundance of choice is slowing down adoption
The inrush of investment capital we saw 3-4 years ago has resulted in fragmentation between and within categories. Buyers described to me being in states ranging from being stuck in extended evaluation cycles through to complete decision-making paralysis. Many also said that coming to RSAC, instead of helping them narrow their searches, has in fact complicated them, as they run into vendors/solutions they did not previously know. I can absolutely sympathize with them: there is too much choice in the market and in many cases very narrow differentiation between the options. Some customers have opted to play a waiting game. They expect strategic vendors to make some of these decisions for them, to acquire the best in breed and allow the rest of the market to rationalize through a combination of survival of the fittest and the natural attrition that follows market leaders being acquired.
Unless money becomes cheaper and exit expectations temper, I do not see a corporate development-based solution to this any time soon. Instead, vendors need to think about how their messaging is either fueling the problem, through over-reliance on marginal feature differentiation and FUD, or helping address it, for example by showing the strength of the product in terms of how it integrates with what the customer already has or, better, with the vendor’s or its partner’s other products. In many cases this is a tough pill to swallow, as it means moving away from messaging that often verges on claiming there is a silver bullet.
The Mid Market needs to be sold to as if they are Large Enterprises
This is something that I have been hearing from a minority of well-informed sales and marketing people for a decade, but it has snowballed recently. An event with a big show floor like RSAC brings the issue front and center. In an era where cyber threats take one of the two top spots on the risk dashboards of most organizations, we have seen a trend towards organizations of all sizes making someone directly responsible for these risks. They may still rely on channel partners to procure and implement solutions, but these people want to be much more deeply involved in product/service selection. At the same time, the technologies they have in their environments, both the systems they have to protect and the technologies they use to protect them, have become more complex. At a time when many large organizations are simplifying their enterprise IT infrastructures, it is getting increasingly hard to tell them apart.
So, the person walking up to a booth from a 1,000-person company today is very different from the one a decade ago. Yet by and large most vendors treat them the same as they did back then, missing that this is not someone looking to make a simple product selection. They are evaluating where to invest budget across technologies, are looking at complex issues such as cloud or supply chain, and are working in environments that often include competitive products that they cannot afford to displace as well as those that may complement your offering. Just the same as someone from a 100,000-person org.
On the stand and in the sales process, they need to benefit from an engagement that is appropriate to their scale and deal size but looks much more like what most vendors reserve for large enterprises. Less focus on feeds, speeds and product sheet differentiation. More consultative, more aware of the complexities of their technical and business environments, and more leverage of what they have, which means vendors being open to partnering, even on occasion with vendors who may compete with them in some way. This is not easy, as a lot of it is about developing your people and that requires significant investment, but for the vendors who crack the nut, it will provide significant ROI.
InfoSec vs. Cyber Insurance
At the beginning of RSAC week I read an open letter to conference attendees from Pascal Millaire, the CEO of CyberCube, a provider of cyber risk analytics to the insurance industry. It aimed to dispel some of the myths or misinformation that exist around cyber insurance. In it he made some good points, but I was unsure who the intended audience was. After a week in San Francisco, it is clear to me that his remarks are applicable to customers and vendors alike. What I heard time and time again was misinformed opinion being used to form a defense against a perceived threat, a threat that could equally be an opportunity if it was better understood. Vendors believe budgets are being diverted or, even worse, directed at the whim of insurance companies. Customers fear the same loss of budgets and control. As it was put to me: “I totally understand the process of transferring some of our risk to insurance providers, what I cannot live with is the transfer of budget that sends our security posture backwards”.
It is time that more InfoSec vendors work out how to work with the cyber insurance ecosystem. It is not going to go away and, yes, it will take a slice of the pie. Delivering products and services that help lower the cost of the coverage, reduce duplication and increase accuracy in the evaluation of risk will enable some of that money to be “recovered” and benefit customers by enabling them to make better decisions. It will just be a very different sales motion and involve working with an industry that moves at a very slow pace.