“Attackers can get in within seconds.” “Data can be extracted within minutes.”
If you are in IT (especially if you manage IT), chances are that you have sat through a security product sales presentation. It contains scare stories of vulnerabilities and attackers and tells you about just the product to solve the problem.
It starts with a few recent headlines. There will typically be one about a security breach that lost a company many credit card numbers belonging to its clients. This might be followed by another headline that talks about lost social security numbers or other personal information. (5 minutes)
Step 2 is the scariness of the task of the IT team. There are plenty of vulnerabilities that any IT infrastructure may have. The ante is quickly upped to introduce “zero-day” – vulnerabilities that are only known to the attacker and not even to the vendor who created the security products that are in use. The scares are further escalated to show how quickly data can be extracted and for how long the attackers can remain in your network before they are typically detected. (5 – 10 minutes)
Then comes the question. What can we do about this? The answer immediately follows. “We need something that … does A, B, C and D!” (1 minute, typically just one slide)
The big reveal that we have been waiting for! Introducing PRODUCT!!! (5 minutes)
An explanation follows as to how A, B, C and D are done by the product. There is an additional explanation as to why no other product compares (20 – 30 minutes).
What is shameful about the aforementioned presentations is the amount of time that they waste in an attempt to scare people into buying a product. Not only that, the security product is presented as the necessary solution that will fix the problems that none of your existing products could fix.
No security product will secure your IT infrastructure by itself. See this previous post that I made for more information. There are plenty of situations where the existing products in one’s infrastructure, effectively used, can provide the level of security that is required by management. A direct question to the salesperson as to the measurable effectiveness of the product will always be met with caution. One would just not expect it, coming so soon after the wonders of the newly introduced product.
Security devices need to keep one-upping each other. So do security sales pitches. Perhaps a good way to improve them would be to not waste the customer’s time and patience attempting to scare them.