June 23rd, 2022
Is cybersecurity sales culture bad for cybersecurity?
The market for cybersecurity solutions is changing, but the way vendors sell security products seems stuck in the past. There’s a lot that can be said about this, but here we want to raise an issue that isn’t talked about enough: Is cybersecurity sales culture, itself, bad for cybersecurity?
What do businesses need from security vendors?
To discuss problems with cybersecurity sales culture, it’s important to begin by asking a fundamental question: What do companies today need most from their cybersecurity providers?
The answer could fill a book—but at a high level, it’s possible to point to four key trends:
A need for transparency. Companies are competing in a market in which customer trust in their cybersecurity posture is crucial. In some sectors, such as finance and healthcare, cybersecurity has now become an issue of regulatory compliance as well. With so much at stake, firms are no longer content to take a cybersecurity vendor’s promises at face value. Put another way, they need to be able to know that a security product is doing what it claims to do!
Help with the fragmented state of security products. The complexity of digital infrastructure in the enterprise—and the increasing risk and cost of breaches—has led many CISOs to adopt a “better safe than sorry” policy when it comes to selecting security tools. This has created a situation in which companies often rely on 100+ third-party security solutions in order to protect themselves. It’s unwieldy, and expensive. This is why many businesses are eager to turn to security vendors for integration and/or simplification.
The ability to adapt to sudden changes in the threat landscape. As the COVID-19 pandemic taught us, the security needs of companies can change virtually overnight. Two years on, enterprise security teams are still grappling with the challenges of remote work, hybrid work, and distributed workforces. But one thing all companies are acutely aware of is the need for greater agility going forward.
Solutions that allow for expert customization. The cybersecurity industry is growing up—and companies expect solution providers to keep pace. Internal enterprise security teams are more capable than ever, and MSSPs and third-party consultancies now have the skills needed to engineer highly effective, tailored solutions for their clients. Because of this, businesses want greater control over the products they purchase in order to take advantage of the level of expertise in the marketplace.
How cybersecurity sales culture gets it wrong
That’s what companies want from their vendors. One would expect sales teams at large security providers to respond accordingly. Yet surprisingly, cybersecurity sales culture frequently falls short of what’s required. In fact, at times it’s so far out of step with what businesses need that it seems downright inimical to the ultimate goal of better security!
Here are the main problems with cybersecurity sales culture today:
A “just trust us” mentality.
In a highly competitive industry like cybersecurity, it’s perhaps understandable that the big vendors want to keep their source code proprietary. But the result of this is that security products are often treated as “magic black-boxes” by the companies that produce them.
Sales teams, however, still need to convince prospects to buy these solutions—creating a situation in which they’re incentivized (or even required) to make promises that can’t be verified by the end users.
At a time when companies are striving for more transparency, not less, this is problematic to say the least!
A pricing model that stifles agility.
The business model for most major cybersecurity vendors is fundamentally subscription-based.
In order to hit their MRR goals, cybersecurity providers aim for vendor lock-in, and usually require mandatory long-term contracts. In addition, security products are priced in such a way as to guarantee predictable revenue for vendors. This, however, leaves clients to do the hard work of capacity planning if they want to keep their budgets stable—and can become a serious problem if they run into an unpredictable scenario.
All of this, of course, makes perfect sense from the perspective of the vendors. But the way cybersecurity products are sold, by its very nature, makes it hard for companies to respond quickly to sudden changes in the global security landscape. As businesses look to create a future-proof security infrastructure, such a pricing model will be increasingly untenable.
Integration that overpromises and underdelivers.
In an attempt to address solution sprawl, large cybersecurity vendors have started offering tools that “do it all.”
But being large vendors, these companies are simultaneously secretive about their solutions, protective of their turf, and eager to get products to market as quickly as possible. And so, rather than engineering an integrated product from the ground up, or allowing security teams the API access needed to build their own integrated solutions, they acquire smaller companies and shoehorn them into their existing platform instead.
Sales teams tell potential buyers that these “all-in-one” solutions will adequately replace their existing, multifarious security stacks. But unfortunately, the supposedly integrated solution often feels more like a Frankenstein's monster, held together with tenuous code and C-suite optimism—and fails to live up to the hype.
"At LimaCharlie we are not like other vendors. We are 100% a technology company and do not compete with the people and companies we provide tools and infrastructure for. We are vendor-neutral providers of tools and infrastructure for security professionals. We believe that this on-demand and engineering-centric approach is the way to move the industry forward." ~ Maxime Lamothe-Brassard, Founder & CEO - LimaCharlie
Is there a better way to deliver cybersecurity solutions?
The cybersecurity sales culture we have today is unfortunate but unsurprising. In many ways, it’s the inevitable outcome of how so many cybersecurity companies see themselves: as one-size-fits-all purveyors of a mysterious and valuable commodity called “security.”
That vision of security might have been understandable 10 or 20 years ago. But in today’s world, it’s simply out of touch with the needs of most companies—and with the DevSecOps philosophy embraced by more and more cybersecurity professionals. In short: It’s unsustainable.
The good news is that there’s an alternative to this legacy approach to security, and cybersecurity sales: Security Infrastructure as a Service (SIaaS). In SIaaS, cloud-native cybersecurity tools and infrastructure—the “building blocks” of cybersecurity—are made available on-demand to security engineering teams.
At LimaCharlie, we’ve been pioneering SIaaS for years. We offer an open API, so there’s no need to believe or disbelieve anyone’s promises: If security teams want to see what’s happening under the hood, they can just take a look! In addition, pricing is designed to be transparent, predictable, and flexible. There are no contracts or fixed minimums, so making a change is fast and seamless. And perhaps most importantly, every single component of LimaCharlie (including EDR, SASE, and over 100 other capabilities) is delivered as an interoperable primitive in a common data format. In other words, SIaaS means security teams will be able to build truly integrated, highly customized security solutions from scratch—and retain full control over their data.