The screaming headlines have been running for years. Whether they’re in press releases about cybercrime exceeding international drug profits or the billions of dollars lost to breach disclosures or videos highlighting the meltdown of power generators due to a myriad of vulnerabilities, the anti-malware industry has long relied on fear to move their products.
Granted, malware criminals do not wish their business and government victims well, but after a decade of scare mongering, the sight of malware vendors putting on a sheet and saying “boo!” fails to incite excitement.
Fear-factor marketing of anti-malware products is falling flat for a number of reasons. First, as the anti-malware market has matured, product differentiation among vendors has narrowed. Well known anti-malware products from leading vendors all pretty much work the same way — an endpoint client relying on recognized malware signatures to block their execution and propagation — and rely on widely available information sources to discover and ultimately develop counters for new species of malware found in the field.
Market shares among the leading vendors have remained stable for the past few years. These symptomize a market free from any recent technical breakthroughs and where perceived high switching costs dissuade buyers from changing vendors. Vendor lock-in leads to escalating license renewal costs, as renewal pricing always seems to come in a bit lower than switching cost plus the price quoted by the next lowest bidder for the customer’s anti-spyware dollars.
The biggest downside of fear factor marketing is that it restricts anti-malware defense to its niche as a low process-effectiveness component of enterprise security and system-management programs. As it stands, IT managers view anti-spyware and anti-virus functions as reactive and potentially disruptive activities that distract them from attaining higher-level business value delivery goals. The security people in an organization are always the ones sounding the alarm against the latest threat and demanding immediate remediation to stop it. Dire warnings of this kind run counter to system managers’ focus on SLAs, quality of service, availability, return on cost and utilization.
Beyond the fear factor
For information security to shed its reputation as the disruptors of rational management of IT assets, it needs to replace the event-driven security concept with a risk-management focused approach. In this way, security becomes a manageable cost of doing business, where managers can decide how much time, effort and money to devote to security balanced by perceived risks and returns. This approach requires cool calculation of security costs and benefits. This may sound strange to a business traditionally focused on catastrophic damage avoidance. After all, it is hard to put a value on things that didn’t happen. But the insurance industry has been doing this for hundreds of years in pricing risks as diverse as sinking ships and arthritis afflicting concert pianists.
Refusing to play the fear factor game can prove liberating to IT organizations. It can help align anti-malware defense with other infrastructure management disciplines at the organization. This can open the door to bringing anti-malware defense up the operational effectiveness ladder from reactive fire-fighting to rationally priced and smoothly delivered service to end-users. Finally, service-oriented anti-malware concepts can turn the tables on vendors, forcing them to re-think their value propositions as well as how and what they charge customers.
Profiting from commoditization
The maturing anti-malware market, the recognition that its emperors wear undifferentiated clothes and re-valuation of what anti-malware defense brings to an IT program, creates conditions conducive to commoditization and cost reduction. If a bracket of anti-malware software competitors offer similar effectiveness, the vendor that combines low price, easy switching from incumbent to alternative products, and the potential for consolidating anti-malware defense with other infrastructure management processes (vulnerability management, access control, software distribution, asset discovery, data leak prevention, security policy enforcement, etc.) will be preferred over other entrants.
Fear factor marketing will continue for at least the next couple of years. Old habits die hard and as real differentiation evaporates, fear factor vendors will amp up their repertoire of ghost stories. Commoditization, however, has an irresistible logic of its own. Forward thinking IT leaders will learn how to leverage commoditization to do more than to drive harder bargains with vendors. They will see it as a pathway for moving security up the operational maturity pyramid and in doing so, moving the organization to IT value delivery excellence.
– Amrit Williams is chief technology officer of BigFix Inc.