[ISN] Message to Vendors: Drop the Mind Games

From: kwalker2at_private
Date: Fri Jun 29 2001 - 03:12:41 PDT


    (I would like a squeezy key chain... :)
    Message to Vendors: Drop the Mind Games
    Trinkets and tricky sales techniques won't impress - how about products 
    that work as advertised?
    By Vince Tuesday
    (Jun. 25, 2001) I have a competent security team that deals with a wide 
    range of situations, but there's one task that sends a shiver down my team 
    members' spines: a cold call from a security product salesperson. They pass 
    these calls along to me as fast as they can.
    As a large financial institution, my company is an ideal target for such 
    calls. We have a big budget and a well-known name that, if associated with 
    their products, would help security vendors sell to other financial 
    institutions. We are also a bit of a hassle for vendors to sell to - we 
    have a long-term security plan and rigorous evaluation criteria, so we 
    don't generally select products based on cold calls.
    Neurolinguistic programming (NLP): This is a sales psychology fad that 
    involves reaching consensus by mirroring the actions of your prospective 
    customer. The technique is meant to convince the customer that you share 
    the same attitude because you share the same body language.
    Host-based firewalls: These systems provide the same controls as firewall 
    gateways but reside on the actual machine to be protected, rather than on 
    the edge of the network. They're useful for home users and companies that 
    don't trust users within their networks.
    I hope these people will someday learn what a security manager really 
    wants. In the meantime, here are a few tricks to beware of that salespeople 
    have tried on my organization, and some responses security managers can try.
    Challenge and Response
    Don't get me wrong. I get on well with those few sales teams that bother to 
    learn what I'm looking for and don't hassle me when they don't have the 
    right product or service. But many use obvious tricks when a little honesty 
    and patience would advance both our causes considerably.
    I don't know who trains sales teams, but one trick that really doesn't work 
    is neurolinguistic programming (NLP), or body-language mirroring.
    Once you catch on that a salesman is using NLP, you can have a bit of fun 
    with him. When someone on my team spots a salesman trying this trick, the 
    spotter gives a previously agreed-upon signal, asking a specific question 
    to let everyone know the games have begun. We try to work the salesman into 
    the most unusual position or to get him to carry out the most ridiculous 
    It starts simply. For example, I might lean forward and then back, or hook 
    one arm over my head. With each silly position, if the salesman copies me, 
    I push it further. I've not yet gotten one to stand on the table, but I can 
    Another common trick that salespeople use is to continually repeat our 
    names: "So, Vince, are you interested in buying an intrusion detection 
    system, Vince?" I think this is meant to make me feel friendly, and I 
    suppose they might think the technique is working when I reply in kind 
    with, "Well, Dave, I can see, Dave, that your product, Dave, is good, but 
    it isn't, Dave, for us, Dave."
    If they don't use cheap psychological tricks, they use blatant bribery. 
    Like everyone else, we get free mouse pads, T-shirts and stress balls. We 
    also collect more unusual freebies. We have those little curved mirrors 
    that you stick to the corner of your monitor so you can subtly look over 
    your shoulder. We like them so much that they have become a major component 
    of our user awareness campaign, and we've put little slogans on them.
    The oddest thing we have ever received has since become our team mascot, on 
    proud display in our office. We were evaluating host-based firewalls. The 
    technology was developed primarily for home users, so they can protect 
    themselves from attacks while dialed in to a network. We wanted similar 
    technology to let us divide our networks into logically distinct 
    compartments without having to add filters at the switch or router level. 
    So we were looking for a system that had the same technology as the 
    home-based systems but allows centralized management and reporting.
    One company we approached was Lichtenfels, Germany-based Biodata 
    Information Technology AG. Biodata's Sphinx PC Firewall isn't suited to our 
    needs, since it isn't aimed at multiple-machine organizations. But the 
    company hopes to include the firewall technology in a more 
    corporate-focused product later this year, so it sent us a copy for review.
    What's this got to do with freebies? Right on the front of the box, it says 
    in bold letters, "Now, with free squeezy key chain!" with a huge arrow 
    pointing to the top right of the box, where a key-chain sphinx is proudly 
    I can't imagine what goes through a retail customer's mind when he selects 
    a firewall product. Would you buy software for your home machine because it 
    came with a free key chain?
    But the squeezy is no ordinary key chain. When you squeeze it, bright green 
    gunk bulges from its eyes and mouth. I don't know why, but I find it 
    strangely compelling. If you've been given something weirder to try to 
    persuade you to buy a product, let me know in the Security Manager's 
    Journal forum.
    An Offer You Can't Refuse
    Recently, one company used a hook that I couldn't resist. I've mentioned 
    before that we have looked at outsourcing parts of our security 
    infrastructure where it makes sense, and one good area for outsourcing was 
    external e-mail antivirus scanning.
    We use MIMEsweeper from Dublin-based Baltimore Technologies PLC for gateway 
    protection. As an alternative, there are products that offer an outsourced 
    scan of all Internet e-mail before it's delivered by sending it via the 
    outsourcing company's mail servers for checking.
    U.K.-based managed service provider MessageLabs Ltd. has always stood out 
    in this field with its comprehensive published data, including real-time 
    mapping of the global spread of viruses. Now the company's pulled a very 
    clever offer out of its hat.
    MessageLabs' contract guarantees that users of its service won't receive 
    viruses. If a virus slips through, the company says it will give you your 
    money back. Any security company that puts its money where its hype is 
    should be rewarded with plenty of business. Do any other companies want to 
    step up to the mark and start offering the same deal?
    ISN is hosted by SecurityFocus.com