
Information Security News mailing list archives

Message to Vendors: Drop the Mind Games
From: kwalker2 () gte net
Date: Fri, 29 Jun 2001 06:12:41 -0400


(I would like a squeezy key chain... :)

Message to Vendors: Drop the Mind Games

Trinkets and tricky sales techniques won't impress - how about products that work as advertised?

By Vince Tuesday
(Jun. 25, 2001) I have a competent security team that deals with a wide range of situations, but there's one task that sends a shiver down my team members' spines: a cold call from a security product salesperson. They pass these calls along to me as fast as they can. As a large financial institution, my company is an ideal target for such calls. We have a big budget and a well-known name that, if associated with their products, would help security vendors sell to other financial institutions. We are also a bit of a hassle for vendors to sell to - we have a long-term security plan and rigorous evaluation criteria, so we don't generally select products based on cold calls.


Neurolinguistic programming (NLP): This is a sales psychology fad that involves reaching consensus by mirroring the actions of your prospective customer. The technique is meant to convince the customer that you share the same attitude because you share the same body language.

Host-based firewalls: These systems provide the same controls as firewall gateways but reside on the actual machine to be protected, rather than on the edge of the network. They're useful for home users and companies that don't trust users within their networks.

I hope these people will someday learn what a security manager really wants. In the meantime, here are a few tricks to beware of that salespeople have tried on my organization, and some responses security managers can try.

Challenge and Response

Don't get me wrong. I get on well with those few sales teams that bother to learn what I'm looking for and don't hassle me when they don't have the right product or service. But many use obvious tricks when a little honesty and patience would advance both our causes considerably.

I don't know who trains sales teams, but one trick that really doesn't work is neurolinguistic programming (NLP), or body-language mirroring.

Once you catch on that a salesman is using NLP, you can have a bit of fun with him. When someone on my team spots a salesman trying this trick, the spotter gives a previously agreed-upon signal, asking a specific question to let everyone know the games have begun. We try to work the salesman into the most unusual position or to get him to carry out the most ridiculous action.

It starts simply. For example, I might lean forward and then back, or hook one arm over my head. With each silly position, if the salesman copies me, I push it further. I've not yet gotten one to stand on the table, but I can hope.

Another common trick that salespeople use is to continually repeat our names: "So, Vince, are you interested in buying an intrusion detection system, Vince?" I think this is meant to make me feel friendly, and I suppose they might think the technique is working when I reply in kind with, "Well, Dave, I can see, Dave, that your product, Dave, is good, but it isn't, Dave, for us, Dave."

If they don't use cheap psychological tricks, they use blatant bribery. Like everyone else, we get free mouse pads, T-shirts and stress balls. We also collect more unusual freebies. We have those little curved mirrors that you stick to the corner of your monitor so you can subtly look over your shoulder. We like them so much that they have become a major component of our user awareness campaign, and we've put little slogans on them.

The oddest thing we have ever received has since become our team mascot, on proud display in our office. We were evaluating host-based firewalls. The technology was developed primarily for home users, so they can protect themselves from attacks while dialed in to a network. We wanted similar technology to let us divide our networks into logically distinct compartments without having to add filters at the switch or router level. So we were looking for a system that had the same technology as the home-based systems but allowed centralized management and reporting.

One company we approached was Lichtenfels, Germany-based Biodata Information Technology AG. Biodata's Sphinx PC Firewall isn't suited to our needs, since it isn't aimed at multiple-machine organizations. But the company hopes to include the firewall technology in a more corporate-focused product later this year, so it sent us a copy for review.

What's this got to do with freebies? Right on the front of the box, it says in bold letters, "Now, with free squeezy key chain!" with a huge arrow pointing to the top right of the box, where a key-chain sphinx is proudly displayed.

I can't imagine what goes through a retail customer's mind when he selects a firewall product. Would you buy software for your home machine because it came with a free key chain?

But the squeezy is no ordinary key chain. When you squeeze it, bright green gunk bulges from its eyes and mouth. I don't know why, but I find it strangely compelling. If you've been given something weirder to try to persuade you to buy a product, let me know in the Security Manager's Journal forum.

An Offer You Can't Refuse

Recently, one company used a hook that I couldn't resist. I've mentioned before that we have looked at outsourcing parts of our security infrastructure where it makes sense, and one good area for outsourcing was external e-mail antivirus scanning.

We use MIMEsweeper from Dublin-based Baltimore Technologies PLC for gateway protection. As an alternative, there are products that offer an outsourced scan of all Internet e-mail before it's delivered by sending it via the outsourcing company's mail servers for checking.

U.K.-based managed service provider MessageLabs Ltd. has always stood out in this field with its comprehensive published data, including real-time mapping of the global spread of viruses. Now the company's pulled a very clever offer out of its hat.

MessageLabs' contract guarantees that users of its service won't receive viruses. If a virus slips through, the company says it will give you your money back. Any security company that puts its money where its hype is should be rewarded with plenty of business. Do any other companies want to step up to the mark and start offering the same deal?

ISN is hosted by SecurityFocus.com
To unsubscribe email isn-unsubscribe () SecurityFocus com
