Why Encryption is a Hard Sell

My last posting generated a few comments condemning vendors who exaggerate the capabilities of their security products. The security market is now fairly mature, so it’s surprising that vendors are naïve enough to think that slick marketing is the way to boost their sales. Product spin is a complete turn-off for security professionals. Encryption products, in particular, require careful marketing, because they are one of the hardest sells of all. And that’s not just because of the aversion of the security community to bad marketing campaigns. It’s also because there are fundamental difficulties in introducing new encryption systems. Here’s why.

First there’s the business case. Encryption is usually expensive to buy, disruptive to implement and difficult to manage. And it adds little obvious direct business value. It’s one of those invisible assets that you only notice when it messes up your communications. Business managers and Boards won’t be excited by the prospect of having unbreakable security protection for their information. They’re more interested in the business benefits. And these are more likely to be a leap of faith rather than a certain bet.

Secondly, there is the enormous gestation period between conception and market acceptance for a new encryption system. New algorithms have to be peer-reviewed, debated, tested and accepted by the international community before they can be productised. And new products have to be evaluated, certified and in many cases approved by government or regulatory authorities before many customers will even consider them.

Then there is the marketing of the product. If it’s revolutionary and offers competitive edge, then it probably won’t be suitable for communicating with the rest of the business world. If it simply meets the latest standard, then it will lack a unique selling point. If it’s claimed to be foolproof, nobody will believe it. If it makes false claims it will be discredited. And if it’s questioned by a leading guru, it’s dead in the water.

Finally, there is the long sales cycle, as customers consider the numerous implications of rolling out a new encryption system. Will it satisfy the standards of the service manager? Does it require a refresh of the desktop? Will legacy applications or hardware (e.g. ATMs) need to be adapted? Does an engineer have to visit each user site? These requirements might take months, if not years, to implement. And in the meantime, the venture capitalists that originally backed the product will be developing ulcers and considering pulling the plug on their investment, with little prospect of an early sale to prove the concept.

I tend to agree with this to a great extent. However, you do fail to mention that there are exceptions to the notion that it's difficult or disruptive to implement. Believe it or not, there are some platforms out there that are not that difficult to implement and that don't disrupt the workflow. Without naming any certain companies, there are solutions out there that promise a lot but actually do deliver. Of course, there are an equal amount of them who deliver substantially less than what they promise. Then again, I'm pretty sure that implementing something like Vista is less likely than implementing something that will actually help organizations instead of stifle them ;)
As a financial organisation we have seen an increase in the need for secure communication with our business partners and end customers. For many years we have been investing in external threat protection. This has now changed to protecting against data leakage and securing our business communication. The problem with email encryption is the administration overhead of working with inherently old PKI systems that use keys and certificates, which is a flawed system when it comes to archiving or disaster recovery of encrypted emails. Fortunately we came across an Email Encryption Service called VSN Encrypt http://vsn.visus-it.com which leverages IBE technology, which uses a user's email address as a Public Key. This completely took away the administration overhead of Email Encryption and allows our users to encrypt their communications with just one click! Simple.
Making the business case to encrypt is a major challenge. No senior IT or corporate executive is going to get excited about encryption and encryption management--it's too "in the weeds." There's a business case from both the IT Ops and InfoSec perspective available at: http://www.venafi.com/Collateral_Library/Venafi_Business_Case.pdf. I handed these out last week in our booth at Gartner ITxpo and they went like hot cakes.
Generally agree with the post David, would add a few things if I may: 1) A good security product should be easy to install and use; if it isn't, it isn't a good security product, as it forces the users to try and work around it. 2) My interactions with senior security professionals all point to one thing. They are under so much pressure with their day-to-day work they do not get time to look at innovation in the way they would like to. They have trouble making time to strategise and evaluate new technologies as they are fighting the latest fire. When the "latest fire" requires that technology, then they want to talk. 3) From a vendor's perspective it is important to have resonated with that senior security professional so they remember your company when the "latest fire" could be addressed using your technology. Totally agree that the marketing hype can detract from that, but trying to get on their radar is so hard some vendors resort to unverifiable claims or marketing stunts. Not saying they are right to at all, just trying to explain why they do what is ultimately a very short-term strategy to sell product.