Tuesday, August 24, 2010

market-speak is a tough habit to quit

on of the anti-malware marketing world's greatest victories was installing their market-speak as the lingua franca of anti-malware security, and to have done so in such a way that hardly anyone even notices. i even catch myself sometimes talking about a product offering protection instead of a product offering assistance (products don't protect you, you protect you with the product's help).

i happened upon a marketing video produced by f-secure for their safe and savvy blog not too long ago. it's possible it wasn't intended to be a marketing video, but... well... i think the video speaks for itself in that regard. it clearly tries to sell product. let's follow along and play the market-speak bingo.

so did you notice the nice big "100%"? it didn't stay for very long. the correct answer to the question "how can i be 100% sure i'm safe?" is that you can't. there is no absolute protection and anyone who says differently is trying to sell you snake-oil. offering 100% certainty you're protected is basically equivalent to claiming 100% protection - which is one of the oldest AV snake-oil tricks in the book. for shame, f-secure, for shame.

how about the references to a "solution", did everyone catch that? yeah, unfortunately the only problems these products solve are the business (or similar) problems that state 'thou must useth anti-virus'. actual security problems are not solved by these products - they don't make the problem go away, they don't make it so you don't have to worry anymore (even though they intentionally lead you into a false sense of security by suggesting you can stop worrying). security products are tools, not solutions - they don't solve real problems anymore than hammers do.

and did you happen to catch all the times when they said they "protect" you or the product protects you without qualifying that it's only partial protection? <sarcasm>yeah, that's not going to lead to a false sense of security (where people treat the product as install-and-forget security) at all</sarcasm>. why would a person continue to think about security and how to be and stay secure when vendors tell that person that they'll take care of that for them?

now i could sit here continuing to roast f-secure for their snake-oil trifecta, but as i said before even i catch myself falling into the same language patterns - early anti-malware marketing has left quite a mark on us. besides which, there's actually a lot to like in that video. the portrayal of the threat landscape and the technologies brought to bear on it are humanized and relate-able. heck, there's even someone labeled "Customer" who takes a tool offered by someone labeled "F-Secure" to chase off a 3rd person labeled "Virus" - even when the words are wrong and give the impression "we protect you", the action itself is right.

oh well, maybe their next video will feature more of what was good in this video and less of what was bad. it's not easy to break out of the pattern. we can only hope they try.


Sean Sullivan said...

Hi Kurt,

It's Friday night... I'm home, alone, with my 10 month old, while my wife is out with her father, and I finally read this post on my RSS backlog.

And there I am... :-)

Those "question cards" came after the fact when our marketing department told our creative agency: more color!

I really like the folks at the agency, but, it's always hard to explain technical stuff to laymen...

Before they added the color inserts, it was me, talking more, asking the questions, and without the words 100%, etc. (Something that I try to avoid due to some of your "rants".)

Ah well, I do agree that more color was needed.

Next time, hopefully, we won't have to produce a video in just one week before the agency breaks for a four week Finnish summer holiday. And then I can help write the question cards as well. It was kind of a rush job in the face of vacation time... but that's a nice problem to have from my American point-of-view.

A reporter recently asked me what somebody is buying when they purchase AV. I told him: it's a bullet proof vest.

We can't stop a targeted attack (head shot). And if the customer shots themselves (due to social engineering)... we aren't protecting, but rather, we're providing technical support for the clean up and repair (hopefully limiting the damage).

But that's hard to explain in marketing speak to a creative agency. :-)

kurt wismer said...

i had the feeling i might be doing the opposite of making someone's day with that post, but i gotta call 'em like i see 'em.

i'm glad to hear i've had an impact in the "100%" arena, now if i can only stamp out "solution" and "X will protect you".

honestly, i really do think that video was a good way to get across things like cloud-based anti-malware technology or the dirty tricks the bad guys play. that part of it was great and i hope to see more in the future.

and by the way, "bulletproof"? seriously? maybe you should have gone for something like stab resistent vest. the layman doesn't necessarily think of the nuances of a bulletproof vest anymore than they would anti-malware software. there are those who would put on a BP vest and act like they're invincible even though they know in their heads they aren't.

this is why i try to always refer to anti-malware as a tool or collection of tools. if someone were to ask me what they're buying when then purchase AV i'd tell them they're buying a bunch of tools that help them stay safe. you can either buy the tools or be a tool.

i'm not totally against attempts to sell product, mind you, i just think that a lot of the techniques and verbiage comes from the "install and forget" paradigm, which i obviously have a problem with. i'd much rather see the products sold as tools that help people protect themselves than as 'solutions' that 'protect' people. why can't vendors say something like "you want to stay safe online. we can help with that."?

Sean Sullivan said...

(_shoots_ themselves, rather)

Stab resistant? I like to think AV is more affective than that.

I'm/we're not trying to sell Batman's awesome body armor... just a bulletproof vest. I think the reporter got the point; it isn't fireproof, you can't jump out in front of traffic, et cetera. It's a tool in the toolkit.

Now if only our “cloud” had access to the bat-computer...

kurt wismer said...

i guess i just can't abide by the allusion to bulletproof vests. at least not without pointing out that bulletproof vests aren't actually bulletproof, and as such are misleading. is that really the connection we want to make to anti-malware software? (nevermind the exceedingly sketchy notion of having "bulletproof" and anti-malware or any other kind of security in the same sentence)

i said market-speak is a tough habit to quit - and i believe that's because, having become the lingua franca of security, it has fundamentally altered our thought patterns.

it stands to reason, then, that some people's thought patterns may be more heavily influenced by it than others. as such they'd have an even tougher time quitting the habit.

don't take this the wrong way, but it appears to me that you've still got quite a ways to go. i'm sure you can do it, though.