2 min read

The “boogedy-boo” approach to selling IT security

The security vendors seem determined to scare the pants off businesses to sell them security tools. Is it really necessary?rn

I know a certain element of fear has always been part of the pitch for IT security solutions. It’s only natural; identifying and quantifying the threat and the risk is key to an effective security solution. However, a few recent incidents have me wondering if threat awareness isn’t in danger of crossing into fear-mongering.

McAfee (NYSE: MFE)CEO Dave DeWalt was in Toronto recently for an event at the Steamwhistle Brewery. Alas, as a breakfast event it was too early for a pint, but if one took a shot every time fear was invoked from the podium you’d have really felt it the next day.

Malware levels are rising. Spam volume is skyrocketing. Malicious botnets. Cyber-warfare. Cyber-terrorism. Stuxnet and compromised nuclear power plants. Scary, scary stuff. And so I’m not just picking on McAfee, Kaspersky Lab was in town the next week and it seemed like they were reading from the same script.And these are hardly unique examples. Vendors like McAfee and Symantec (NASDAQ: SYMC) regularly release Internet security reports, measuring malware levels like pork bellies. We get releases on the most malicious domains in the world, the top holiday threats, and so on. Fear seems to be a central part of the security vendors’ sales pitch, and when we start talking about cyber-warfare and nuclear power plants, certainly the volume is being amped-up.

In the press conference following his keynote, I put the issue to DeWalt. I said the level of fear emanating from the security vendors seems to have reached a fever pitch. I said I thought we were past the era that security vendors had to justify their existence — most businesses know they need security — it’s just a matter of the right level of protection for their specific architecture and risk level. I asked if customers are still receptive to this marketing approach, or if there was a risk they were becoming desensitized to the ever-increasing threat warnings.

DeWalt took issue with the charge of “fear-mongering” but he did say customers aren’t as cognisant of the need for security and the threat landscape as you may think. He said the ever evolving threats businesses are facing require vigilant education on the part of vendors such as McAfee, adding too many companies still see security as an install and forget about it exercise, rather than the exercise in steady vigilance it needs to be.

While I still feel the scary rhetoric is over the top, I agree with the essence of what DeWalt said. However, if I’m a business owner, I don’t want to have to constantly think about security threats. That’s why I engaged McAfee (and a trusted channel partner, of course) in the first place: to handle security for me.

It’s an emerging model, but it’s a problem that cries out for a security as a service model. I pay a monthly fee, the vendor and partner keep me secure and I focus on my business. And, hopefully, don’t need to hear frightening stories of nuclear power plants in Iran.