My last posting generated a few comments condemning vendors who exaggerate the capabilities of their security products. The security market is now fairly mature so it’s surprising that vendors are naïve enough to think that slick marketing is the way to boost their sales. Product spin is a complete turn off for security professionals. Encryption products, in particular, require careful marketing, because they are one of the hardest sells of all. And that’s not just because of the aversion of the security community to bad marketing campaigns. It’s also because there are fundamental difficulties in introducing new encryption systems. Here’s why.
First there’s the business case. Encryption is usually expensive to buy, disruptive to implement and difficult to manage. And it adds little obvious direct business value. It’s one of those invisible assets that you only notice when it messes up your communications. Business managers and Boards won’t be excited by the prospect of having unbreakable security protection for their information. They’re more interested in the business benefits. And these are more likely to be a leap of faith rather than a certain bet.
Secondly there is the enormous gestation period between conception and market acceptance for a new encryption system. New algorithms have to be peer-reviewed, debated, tested and accepted by the international community before they can be productised. And new products have to be evaluated, certified and in many cases approved by government or regulatory authorities before many customers will even consider them.
Then there is the marketing of the product. If it’s revolutionary and offers competitive edge, then it probably won’t be suitable for communicating with the rest of the business world. If it simply meets the latest standard, then it will lack a unique selling point. If it’s claimed to be foolproof, nobody will believe it. If it makes false claims it will be discredited. And if it’s questioned by a leading guru, it’s dead in the water.
Finally there is the long sales cycle, as customers consider the numerous implications of rolling out a new encryption system. Will it satisfy the standards of the service manager? Does it require a refresh of the desktop? Will legacy applications or hardware (e.g. ATMs) need to be adapted? Does an engineer have to visit each user site? These requirements might take months, if not years to implement. And in the meantime, the venture capitalists that originally backed the product will be developing ulcers and considering pulling the plug on their investment with little prospect of an early sale to prove the concept.