Fear is Not a Marketing Tool


@author Randy Gingeleski

@since 04/14/2017

@see philosophy, soapbox


Years ago, the mafia would strongarm small businesses into buying “protection.” Fear was used as a marketing tool.

Today, the mafia has been replaced with various information security firms.

The CEOs get in front of business decision-makers at conferences like “NY Tech Summit.” Ones that are far from technical (DEFCON would be technical) but instead are traps to sell IT services like security and “cloud.”

Anyway, these wannabe thought leaders get onstage to scare attendees. They do presentations on ransomware and underground haxxor forumz and how much these could cost your business!!

“CYBERTERRORISTS could steal YOUR SERVER and look here is a BLACK MARKET forum where many HACKED SERVERZ are being sold for BITCOINS”

Now the attendees view the presenter as an expert on the topic. Someone who can protect them, saving the millions of dollars they showed on a graph.

But really, these “security professionals” just get up and say HEY LOOK HERE’S A PROBLEM LET ME EXPLAIN IT.

If you normally have a problem, would you hire the first guy who restated the problem to you with fancier prose? Who showed a graph related to the problem that made you feel worse?

Now the CEO gets a bunch of leads from conference attendees. He sells them Kaspersky licenses and calls it a day. Ka-ching.

(If they really get ransomware, they’re screwed with this guy unless an unlock script already exists… he can upsell them a whole bunch for that free script… he’s practically the ransom requester!)

“Okay Randy where is this soapbox going”

The whole point of information security is for people not to be scared. To use the technology they love, stuff that makes for a better world, without being afraid. It sickens me that many security shops use fear as their sales pitch.

Now presenting on the true costs of trojan horses and picking the right company to reverse-hack them…

I want them to get on that NY Tech Summit stage and give away the “secret sauce.” I want them to say, hey, you can do a good job preventing this stuff by just installing KIS on all your devices, etc etc.

THEN tack on, hey, my company happens to be a Kaspersky vendor. If you want to get this stuff through someone else, that’s cool too. We want you to be protected regardless.

Or here are two more approaches to demonstrating expertise.

Example A – a netsec engineer is at DEFCON. His company is looking for appsec professionals to come in and consult on a tough problem. An appsec guy gives a great presentation. Netsec guy gets his boss to hire the presenter’s company, because they’re smart people.

Example B – take Example A and replace “netsec” with “software”. Optionally, replace “at DEFCON” with “looking at YouTube videos.”

Hopefully you get it, dear reader. The media does enough hack-scaring of people. We know better. There’s even less class when we do it.

This isn’t Monsters Inc.