Psychology of marketing and selling cybersecurity
A deep dive into what makes us buy cybersecurity products and how different types of security vendors leverage this knowledge.
I recently saw a TEDx talk about the psychology of insurance. In her talk, Prof. Orit Tykocinski explored the connection between insurance and “magical thinking”. It turns out that we get insurance against the events we fear the most but once we have coverage, we assume we are somehow protected against these events. She argues that we are not that good at assessing the risk rationally and that the insurance companies are in the business of selling magical happiness.
Prof. Tykocinski’s talk is great and I highly recommend watching it. But, this piece is not going to be about insurance. It is about the psychology of cybersecurity marketing and sales which, in my opinion, are even more nuanced.
Introduction & two ways to market and sell cybersecurity
Cybersecurity is an example of a product that is often viewed as an overhead cost, rather than the cost of doing business. I think there are three obvious reasons for it:
Security is intangible (you can’t feel, touch or see it), and the success of cybersecurity efforts is very hard to measure. You can, for example, invest in the newest technology and still get breached when one employee clicks on a phishing link. Or, you can get lucky and magically avoid attacks for five years (the probability of such luck has decreased dramatically but it is still possible). And, you can never fully answer the question “How secure is my organization today?”
By and large, business owners and people making business decisions do not understand security. There is no doubt that the implementation of security is complex and very technical, and people tend to gloss over the things they don’t understand while overemphasizing the things they do. Many senior executives assume that security is a problem that someone else in the “technical” department will take care of.
Security professionals are not generally great at explaining the technical nuances to non-technical people. They often struggle to convey the importance of implementing one or another security measure from the ROI (return on investment) perspective and tend to see their role as “configuring firewalls and EDRs” instead of “protecting the business assets and ensuring the business continuity”.
I have observed that depending on the type of security product and the type of buyers (business or technical), there are two ways in which cybersecurity products are bought:
Purchases based on leveraging people’s biases and behavioral psychology (let’s call it “selling to hearts”), and
Purchases based on transparently evaluating the technical security capabilities (I would call it “selling to minds”)
The basic characteristics of each and the differences I have observed between the two are summarized in the table below. A broader discussion will follow.
Psychological principles that affect our buying decisions: an overview
Most buying decisions are subconscious. Think about the car you bought or a pair of shoes you have. Did you list the features you value, rate them in order of importance, conduct an ROI analysis based on the expected useful life, compare return policies and quality features, etc.? Probably not. When making purchasing decisions in our daily life, we default to heuristics — mental shortcuts that facilitate problem-solving and simplify decision-making. Not only that — we are affected by biases and predispositions that make us avoid rational economic evaluation altogether.
Buying cybersecurity is subject to all the same factors, so let’s quickly go over a few of them.
Loss aversion — our fear of losing — is the biggest motivating factor that drives cybersecurity sales. This bias is most commonly exploited by companies selling to non-technical users (“selling to hearts”). You don’t need to be a marketing or psychology buff to observe that the vast majority of the messaging in cybersecurity is a form of the following: “You are in grave danger. Bad guys are out there to get you, and there is a 100% chance you will be under attack. The only way for you to survive is to buy our magic box. With our magic box, all you need to do is to press the “Activate Shield” button, and you are safe, guaranteed”.
The mass media is a great tool for highlighting the loss implications (most often in a dramatic and fear-mongering fashion).
Recency bias is a cognitive bias that places higher importance on recent events compared to historic ones. This bias is very pronounced in the cybersecurity space: after the SolarWinds hack, companies have suddenly prioritized their supply chain security efforts while shifting their attention away from other, equally important, attack vectors.
We tend to overestimate our expected success and downplay our future failures. In cybersecurity marketing and sales, this bias is often coupled with the loss aversion discussed before.
Hindsight bias happens when someone sees an event as predictable (“I knew that would happen”) even if they have no objective reason for making that prediction. When marketing cybersecurity to customers, you want them to hit a point where they choose your product and are later so satisfied that they congratulate themselves (“I knew this would be the best company to work with”).
Wikipedia defines the halo effect as the tendency for positive impressions of a person, company, brand, or product in one area to positively influence one’s opinion or feelings in other areas. An example of the halo effect is the attractiveness stereotype when we assume that a good-looking person is also an overall good person.
In cybersecurity sales, this shows, for example, when an ex-CISO of a famous brand is now selling or has co-founded a new security tool. When this happens, we subconsciously feel that if this person was able to build a good security team and their organization was fortunate to not get in the news because of a massive breach, their tool must be good at helping us secure our organization as well.
In unfamiliar situations, we tend to copy the actions of others. This tendency is more pronounced when the people we follow are experts, celebrities, or users similar to ourselves.
Cybersecurity actively leverages the social proof bias. Gartner peer insights, a multitude of industry awards, customer testimonials, and similar badges of social proof are a critical part of security marketing.
While there is no correlation between the number of awards and the effectiveness of the security vendor, it is surely “better to work with a trusted company”.
Items that stand out from their peers are more memorable, a phenomenon known as the “isolation effect”. Cybersecurity is a crowded market full of marketing voodoo, and therefore companies try any possible ways to distinguish themselves from the competition. This is how cybersecurity ended up having so many product categories that do very similar things.
Tailored information is more effective in persuading people to change their attitudes and beliefs than generic information. That’s why tools like industry-specific case studies are used widely in cybersecurity.
We have a strong tendency to comply with authority figures, and this social bias is actively exploited by cybersecurity companies. Experts and analysts such as Gartner act as the authority when it comes to the future of cybersecurity and cyber defense.
Thankfully, many industry leaders value their professional reputation and have too much integrity to endorse cybersecurity products they have never tried or cannot personally vouch for. On the other hand, actors are happy to promote security as well.
We are more likely to make a decision when presented with fewer options to choose from. While this is one of the most basic and well-researched psychological principles, many cybersecurity companies fail at it miserably. Here is an example of the cognitive overload a customer would experience when visiting the website of a security vendor. I can see the intent to create an impression that “we can take care of all security needs”; the resulting experience is overwhelming, to say the least.
We learn by comparing our behavior with the actions of others. This principle is actively used to mimic the terminology used by the customers and showcase actual consumers (often big brands) using the product. It is closely coupled with social proof & authority.
Other cognitive biases and factors that impact decision-making
Sequencing — makes it easier to take action when large, complex tasks (such as running the proof of concept and onboarding) are broken into smaller and more manageable tasks.
Commitment and consistency — make people want to appear consistent with their stated beliefs and prior actions. It is often combined with sequencing to get people to slowly, step by step, make progress towards closing a sale.
Sunk cost effect — having put time, effort, and money into something makes us motivated to make it work. It is largely because of this bias that slow enterprise companies can retain their customers even after the service somewhat deteriorates (though long-term contracts are a stronger factor).
Status-quo bias — people tend to accept the default option instead of doing their own cost-benefit analysis. This bias is the reason people don’t opt out from paying for the features they don’t need, which is incredibly common in security (having multiple tools that do a similar thing).
Autonomy — a perception of greater control increases the feeling of certainty and reduces stress. This is one of the factors that makes transparent, engineer-focused security products so successful. Another example of this at work is open-source tools.
Endowment effect — we place a greater value on things we own over things we do not. This contributes to the above-mentioned loss aversion.
Now that we have discussed how psychology impacts decision-making, let’s see how this can inform the two approaches to selling cybersecurity: “selling to hearts” and “selling to minds”.
Promise-based security (“selling to hearts”)
The first category of products I would like to look at is products offering promise-based security (“selling to hearts”).
Vendors that fit this description include various security platforms, most EDRs/XDRs (endpoint detection and response/extended detection and response), antivirus tools, and others. These tools do not offer the ability to evaluate/test what exactly you are being secured against, and such transparency is outside of their core value proposition, which is the “feeling of safety”. This is why I categorize them as “promise-based” security tools.
Vendors who fall into this category tend to, first and foremost, sell by appealing to fear (loss aversion), and leveraging other cognitive biases to support the sale such as social proof, authority, commitment, and consistency.
People who buy these products are not technical and generally (not always) incapable of evaluating the technical capabilities of these offerings. It is common for mature cybersecurity professionals to dismiss this category of products as too “marketing-y” and “sales-y”.
Marketing of the vendors “selling to hearts” is based on promises of “100% security” (screenshots from some of the top security vendors’ websites are listed below).
Because the value proposition of vendors “selling to hearts” is somewhat blurry, the vast majority of the companies in this segment are sales-led as opposed to product-led. Being sales-led gives the sales team room to convince the company that “product A is what they need”. Without a salesperson’s guidance, evaluating how product A is better than product B in this segment is close to impossible.
There haven’t been many major innovations in the AV/EDR/MDR space in a long time, and the market is incredibly commoditized. Because of this, companies make attempts to differentiate by claiming to infuse each and every innovative technology (AI, ML, blockchain — you name it) into their products, and by making generic marketing statements (“stops all breaches” or “the world’s only autonomous fully bulletproof AI-powered cloud-native blockchain security platform”).
Evidence-based security (“selling to minds”)
Products that are “sold to minds” are a different breed. These are vendors offering security tools and infrastructure to mature security professionals. Examples of such vendors are security automation platforms, DevSecOps, code security, and security infrastructure providers. Most (if not all) open-source cybersecurity tools fall into this category as well.
The end users are technical security professionals with titles of security engineers, security architects, and security automation engineers, to name a few. With some exceptions, they are not looking for a “magic box to keep them safe”; their needs are technical — software and hardware that help them to secure their organization.
Security professionals understand that cybersecurity is much more nuanced and complex than the vendors “selling to hearts” make it look. They value evidence-based security — the ability to see, control, and fully customize what is under the hood of the tool they are using. A great example of evidence-based security is the development of MITRE ATT&CK, a “globally-accessible knowledge base of adversary tactics and techniques based on real-world observations”. With the help of tools such as Atomic Red Team which is based on the MITRE ATT&CK framework, security teams can test their defenses.
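The evidence-based stance described above (knowing which adversary behaviours your detections actually cover, and testing them against ATT&CK techniques the way Atomic Red Team does) can be shown in a few lines. The Python below is an added example, not code from LimaCharlie, MITRE, or Atomic Red Team: it holds a small constructed rule set keyed by real ATT&CK technique IDs, a set of techniques a vendor dashboard claims to cover, constructed process-creation events standing in for atomic tests, and reports which claims are proven by a firing rule, which rules stay silent, and which claims have no rule behind them at all. The rule logic, the claimed set, and every event are assumptions made for illustration.

```python
"""Toy evidence-based detection coverage check (added example; not vendor code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Event:
    process: str   # image name of the created process
    cmdline: str   # full command line
    parent: str    # parent image name


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str                    # ATT&CK technique ID this rule claims to detect
    matches: Callable[[Event], bool]  # detection logic


# Constructed rules. Technique IDs are real ATT&CK IDs; the logic is deliberately simple.
RULES: List[Rule] = [
    Rule("encoded-powershell", "T1059.001",
         lambda e: e.process.lower() == "powershell.exe" and "-enc" in e.cmdline.lower()),
    Rule("schtasks-create", "T1053.005",
         lambda e: e.process.lower() == "schtasks.exe" and "/create" in e.cmdline.lower()),
    Rule("procdump-lsass", "T1003.001",
         lambda e: "procdump" in e.process.lower() and "lsass" in e.cmdline.lower()),
    # Deliberately brittle: case-sensitive compare that real telemetry will not satisfy.
    Rule("wmic-process-create", "T1047",
         lambda e: e.process == "wmic.exe" and "process call create" in e.cmdline),
]

# What the "dashboard" claims to protect against (constructed). T1566.001 has no rule.
CLAIMED: Set[str] = {"T1059.001", "T1053.005", "T1003.001", "T1047", "T1566.001"}

# Constructed test telemetry, one event per technique, standing in for atomic tests.
TEST_EVENTS: Dict[str, Event] = {
    "T1059.001": Event("powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA", "cmd.exe"),
    "T1053.005": Event("schtasks.exe", "schtasks.exe /create /sc minute /tn upd /tr C:\\t.exe", "cmd.exe"),
    "T1003.001": Event("procdump.exe", "procdump.exe -ma lsass.exe out.dmp", "cmd.exe"),
    "T1047":     Event("WMIC.exe", "WMIC.exe process call create calc.exe", "cmd.exe"),
    "T1566.001": Event("winword.exe", "winword.exe C:\\Users\\a\\invoice.docm", "outlook.exe"),
}

# Constructed benign telemetry to check that the rules do not fire on normal activity.
BENIGN_EVENTS: List[Event] = [
    Event("powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1", "explorer.exe"),
    Event("schtasks.exe", "schtasks.exe /query /fo list", "cmd.exe"),
]


def coverage(rules: List[Rule], claimed: Set[str], test_events: Dict[str, Event]) -> Dict[str, str]:
    """Per-technique status: proven, rule-silent, no-rule, untested, or unclaimed."""
    by_technique: Dict[str, List[Rule]] = {}
    for rule in rules:
        by_technique.setdefault(rule.technique, []).append(rule)

    status: Dict[str, str] = {}
    for tech in sorted(claimed | set(test_events)):
        rules_for = by_technique.get(tech, [])
        event = test_events.get(tech)
        if tech not in claimed:
            status[tech] = "unclaimed"      # a rule exists but nobody claims coverage
        elif not rules_for:
            status[tech] = "no-rule"        # claimed on the dashboard, nothing behind it
        elif event is None:
            status[tech] = "untested"       # rule exists but was never exercised
        elif any(rule.matches(event) for rule in rules_for):
            status[tech] = "proven"         # evidence: the rule fired on the test event
        else:
            status[tech] = "rule-silent"    # rule exists but missed the behaviour
    return status


def false_positives(rules: List[Rule], benign_events: List[Event]) -> List[str]:
    """Names of rules that fire on benign telemetry (sorted, de-duplicated)."""
    return sorted({rule.name for rule in rules for ev in benign_events if rule.matches(ev)})


if __name__ == "__main__":
    for tech, state in coverage(RULES, CLAIMED, TEST_EVENTS).items():
        print(f"{tech:<10} {state}")
    print("false positives on benign telemetry:", false_positives(RULES, BENIGN_EVENTS) or "none")
```

Run as-is, the report shows three techniques as proven, T1047 as rule-silent (the claim is on the dashboard, but the rule misses the upper-case image name a real event carries), and T1566.001 as a claim with no rule at all; the benign events trigger nothing. That per-technique table, rather than a single green light, is the difference between a promise and evidence.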
At LimaCharlie, our thesis is that the security industry is maturing and this maturation is going to lead to a more evidence-based approach to security. Maturity means that professionals are not looking to monitor a tool and click a “panic” button when a red light on the dashboard flashes; they understand the security fundamentals, are able to hunt for threats, and more. There is enough evidence to support this thesis; take the most recent Tines’ “Voice of the SOC Analyst report” where the #1 skill security analysts identified as needed for their growth is “learning to code”.
The cognitive biases that can be observed when looking at this product category are the need for control, social proof (examples include testimonials of technical leaders), and the endowment effect. People in this segment are able to more rationally evaluate vendors and their product offerings, although the timing of this evaluation is affected by the biases we have described, especially the recency bias.
Products in this category are much more likely to be product-led (in general, security professionals strongly prefer to test a product in their lab instead of going through multiple sales demos).
Products “sold to minds” have the potential to suffer from technical jargon that is hard for outsiders to understand, thereby making them less accessible to non-security professionals. Here is a fun example of what that could look like.
Psychological factors affect all buyers
It might be tempting to think that the solution to the problem of cybersecurity voodoo marketing is to have technical people simply choose the tools that solve security problems best. However, technical buyers cannot escape the psychological factors either. At the end of the day, we are all human.
What to secure first
The recency bias impacts the areas security professionals choose to focus on. For example, if the most recent highly publicized security breach happened due to password mismanagement, most security teams will start reviewing their password management practices even if there are other, more critical areas that their specific organization would benefit from addressing first.
It is tempting to see the latest highly publicized attack vector as “the most important to look into today”, but the reality is that zero-days and critical vulnerabilities aside, companies should focus on what is most important for their unique environments.
Making the arguments stronger
Both types of companies — those “selling to minds” as well as those “selling to hearts” — benefit from the recency and the hindsight biases, because the timing of attacks creates windows of opportunity to acquire new customers.
While companies are becoming more open to increasing their security budgets following highly publicized breaches, security vendors aren’t passively waiting for customers to knock on their doors. From sending speakers to events, organizing webinars, and sponsoring conferences to bidding on Google keywords, vendors pour marketing dollars into what sells (the latest massive breach).
Similar to insurance companies who, as Prof. Tykocinski highlighted, “sell magical happiness”, most security companies sell a sense of safety by offering a magic tool that would “stop breaches, prevent 100% of malware, protect from ransomware and keep customers safe”. Fear is a strong driver of purchasing decisions, and ironically, these “magic tools” often achieve the opposite of what they promise: they end up creating a false sense of security which makes companies disregard the most basic cyber hygiene and ultimately leads to a breach. The number of times you can hear “oh, we don’t need to worry about security as we have a next-generation antivirus” is incredible.
Security is maturing. More and more organizations are moving away from promise-based security, where they have to trust the vendor’s assurances, to provable, evidence-based security, where the exact set of malicious activity and behavior a company is protected from is known and the security team can prove it. This shift is starting to happen in enterprise companies and security service providers, with a number of vendors like Panther, SOC Prime, and LimaCharlie leading the way in making threat detection fully transparent and controlled. I anticipate this shift toward transparency and away from marketing buzz will become more widespread in the next five to ten years as the number of cyber-attacks goes up and, as a consequence, fewer and fewer people take the promises of “100% protection” seriously.
Next time you are buying a security product, make sure you are making an economically and technologically sound decision, not a decision driven by fear and a vendor’s promise of safety. While it is not possible to fully escape the psychological factors in our decision-making, being aware of them will most certainly help to reduce their impact.