News of epic data breaches now hit headlines almost every week. If 2017 has proven to be a record-setting year for high-profile cyber-attacks (think Equifax, Verizon, Uber, Kmart, etc.), then 2018 is shaping up to be an even bigger year for cyber security threats. In fact, a recent World Economic Forum (WEF) report names cyber-attacks as one of the biggest risks the world faces in 2018.
In the first two months of the year alone, there’s already been a number of large-scale data breaches with tens of millions of records compromised. Each minute, cybercriminals launch more than 1,200 ransomware attacks, unleash 818 new malware strains, and send out 108,300 phishing emails. That’s not even counting the potentially massive amount of exploits available to hackers from the Meltdown and Specter vulnerabilities lurking in almost every computer on the planet.
According to data compiled by CSO Online, around 58 records are stolen every second at an average cost of $141 each. Almost half of businesses say they incur at least $10,000 in losses with each hour of downtime, and 60% of small businesses never recover after an attack. Cyber security Ventures predicts that the annual cost of global cybercrime damage will reach $6 trillion in 2021.
There’s no doubt that the business impact of cyber security incidents can be staggering, and vendors know this very well. That’s why a lot of cybersecurity sellers and service providers often peddle their wares under an atmosphere of FUD.
FUD stands for fear, uncertainty, and doubt. When a vendor pitches FUD, it’s trying to influence a prospect’s perception of the problem by focusing too much on negative outcomes. While a little FUD works well at starting a conversation, it stops being useful when FUD turns into the main message itself.
Writing for Forbes, Lior Div argues that FUD has now been overused as a tool to produce instant buy-in from stakeholders. FUD creates short-term alignment of priorities. After all, what company would want to end up as the next Equifax? But to really prepare for cyber security threats, vendors must inspire confidence, not sow panic.
Why FUD No Longer Cuts It
FUD allows vendors to hammer home the idea that something terrible is going to happen unless prospects do something about it. It provides a way for sellers to quickly boil down oftentimes complex ideas into easily digestible points. But this oversimplification does little to help potential customers make informed decisions. Here’s why:
#1 Security is now business-critical.
A recent Ernst & Young survey shows that cyber security is now a bigger business priority for most companies, especially for those in the tech sector.
- 53% of companies have increased their IT security budget.
- 65% of businesses say customer data is the most valuable asset to protect, while 36% focus on protecting customer passwords.
- Organizations also ramp up security for company financial information (19.5%), corporate plans (18.4%), senior executive information (15.1%), M&A information (11.5%), and patented intellectual property (10.1%).
Clearly, businesses are now acutely aware of the risks posed by cyber security threats, which means there’s little need for FUD.
#2 Buyers want to see the fine details, not just the broad strokes.
From DDoS to SQL injection attacks, cybercriminals have a long list of methods to choose from, and businesses want to protect themselves against these threats (not just against the ones that get covered in the news).
McAfee Labs’ latest threat report shows just how diversified the cyber security threat landscape has grown. According to the study, the leading cyber attack categories for Q3 2017 include SMB protocol (44%), browser-based (16%), DoS (13%), brute force (12%), malware (7%), and DNS (4%). Newsjacking only allows a vendor to cover a thin slice of this spectrum. You can’t really cite fallout from a major DDoS attack when you’re selling encryption.
Besides, now that cyber security is a top company priority, more stakeholders are involved in the buying decision. Different buyer roles (risk managers, C-level information security officers, IT stakeholders, operations, finance, etc.) need different messaging strategies, instead of the one-size-fits-all FUD pitch.
#3 Everybody’s still doing it.
As an article published in Selling Cybersecurity magazine explains, FUD remains a go-to pitch despite many leading figures in the industry conceding that the age-old tactic has already run its course. Since it can be difficult to show how complex products like an end-point system or a network solution work, FUD fills the messaging gap by standing in for subtle details.
But that only means vendors are simply echoing each other, and as the scale and severity of cyber-attacks in the news continue to increase, the noise will only grow louder, making it difficult for any single vendor to be heard.
Even if FUD lets you reach an audience, scare tactics can only take you so far. To drive action and conversions, it’s about being able to meet specific business needs.
How to Move Past FUD
The size of the global cyber security market clocks in at around $96 billion, with thousands of vendors competing in more than 150 product/service categories. Sellers clearly need a more proactive strategy to stand out in such a fragmented industry. Here’s how to start taking steps in this direction.
#1 Replace FUD with the 4 Rs of cyber security
Instead of fear, uncertainty, and doubt, why not focus on reality, response, resilience, and rehearsal? These are the 4 Rs of cyber security, according to Jeremy Kajendran. Vendors that thrive in today’s threat landscape are those that demonstrate exactly how their solution fits in or enables this process.
- Reality – It’s no longer a matter of if a business suffers a cyber-attack, but when.
- Response – This includes considerations like how quickly the incident can be identified, how fast the response team/process can be deployed, how affected staff and customers are supported, how external stakeholders (investors, regulators, and the media) are managed.
- Resilience – Solutions also need to address how companies learn from incidents and how they implement changes that prepare them the next time an attack happens.
- Rehearsal – The only way to ensure a solution really mitigates a given threat is to repeatedly and realistically rehearse attack scenarios.
#2 Tailor your message to the different buyers
Up to 7 stakeholders are now involved in buying B2B solutions. This shift is also taking place in cyber security purchases, as cyber security becomes a company-wide concern rather than a purely IT problem. This means that your marketing message needs to appeal to what each decision-maker requires to arrive at a choice.
As Impact B&D explains, the target audience depends on whether you’re marketing to large enterprises or SMBs. For enterprise solutions, the following typically comprise the purchasing committee:
- Risk managers – These prospects measure risk, as well as justify and monitor risk management initiatives.
- CISO or CSO – This decision-maker is responsible for communicating cyber security risk to the rest of the organization and overseeing risk mitigation programs.
- IT staff – These stakeholders carry out the day-to-day task of identifying and handling threats.
For SMBs, Impact B&D says the target audience for cyber security solutions usually consists of:
- CEO or CFO – This decision-maker controls the budget and manages costs.
- Operations – These stakeholders care about one thing when it comes to cyber security: business continuity.
- IT staff – IT teams in SMBs are commonly understaffed and overworked. All they want to know about a solution (other than it works) is that it makes their lives easier.
Related: Analysis: The Information Gathering Process of B2B Buyers
#3 Talk about the solution, not just the problem.
It’s clear that each buyer role requires its own marketing message, and it involves almost zero FUD. Cyber security vendors need to talk about how their solution mitigates specific risks or protects against given threats. This is best done through marketing collaterals that add value and educate (read: not scare) potential customers.
The top content types that B2B tech buyers consume are:
- Product reviews – Nearly all (99%) of B2B tech decision-makers use reviews to make informed buying decisions.
- Articles – At least 92% of B2B tech buyers turn to blog posts and articles when researching a solution.
- Webinars – This tactic drives the purchase decisions of 80% of tech buyers.
- Case studies – Around 72% of tech buyers refer to case studies when evaluating a solution.
- Whitepapers – More than 71% of tech buyers say whitepapers with actionable information influence their decisions.
These materials can then be mapped to different buyer roles and to different stages (top, middle, and bottom of funnel) using both inbound and outbound strategies.
Scaring potential customers into a buying decision no longer works. Even if prospects continue to read chilling headlines about high-profile data breaches week in and week out, they’re now well aware of the threats and risks they face. Cyber security vendors’ responsibility is to offer a real solution, not spread panic.