Information Security News
mailing list archives
Message to Vendors: Drop the Mind Games
From: kwalker2 () gte net
Date: Fri, 29 Jun 2001 06:12:41 -0400
(I would like a squeezy key chain... :)
Message to Vendors: Drop the Mind Games
Trinkets and tricky sales techniques won't impress - how about products
that work as advertised?
By Vince Tuesday
(Jun. 25, 2001) I have a competent security team that deals with a wide
range of situations, but there's one task that sends a shiver down my team
members' spines: a cold call from a security product salesperson. They pass
these calls along to me as fast as they can.
As a large financial institution, my company is an ideal target for such
calls. We have a big budget and a well-known name that, if associated with
their products, would help security vendors sell to other financial
institutions. We are also a bit of a hassle for vendors to sell to - we
have a long-term security plan and rigorous evaluation criteria, so we
don't generally select products based on cold calls.
Neurolinguistic programming (NLP): This is a sales psychology fad that
involves reaching consensus by mirroring the actions of your prospective
customer. The technique is meant to convince the customer that you share
the same attitude because you share the same body language.
Host-based firewalls: These systems provide the same controls as firewall
gateways but reside on the actual machine to be protected, rather than on
the edge of the network. They're useful for home users and companies that
don't trust users within their networks.
I hope these people will someday learn what a security manager really
wants. In the meantime, here are a few tricks to beware of that salespeople
have tried on my organization, and some responses security managers can try.
Challenge and Response
Don't get me wrong. I get on well with those few sales teams that bother to
learn what I'm looking for and don't hassle me when they don't have the
right product or service. But many use obvious tricks when a little honesty
and patience would advance both our causes considerably.
I don't know who trains sales teams, but one trick that really doesn't work
is neurolinguistic programming (NLP), or body-language mirroring.
Once you catch on that a salesman is using NLP, you can have a bit of fun
with him. When someone on my team spots a salesman trying this trick, the
spotter gives a previously agreed-upon signal, asking a specific question
to let everyone know the games have begun. We try to work the salesman into
the most unusual position or to get him to carry out the most ridiculous
It starts simply. For example, I might lean forward and then back, or hook
one arm over my head. With each silly position, if the salesman copies me,
I push it further. I've not yet gotten one to stand on the table, but I can
Another common trick that salespeople use is to continually repeat our
names: "So, Vince, are you interested in buying an intrusion detection
system, Vince?" I think this is meant to make me feel friendly, and I
suppose they might think the technique is working when I reply in kind
with, "Well, Dave, I can see, Dave, that your product, Dave, is good, but
it isn't, Dave, for us, Dave."
If they don't use cheap psychological tricks, they use blatant bribery.
Like everyone else, we get free mouse pads, T-shirts and stress balls. We
also collect more unusual freebies. We have those little curved mirrors
that you stick to the corner of your monitor so you can subtly look over
your shoulder. We like them so much that they have become a major component
of our user awareness campaign, and we've put little slogans on them.
The oddest thing we have ever received has since become our team mascot, on
proud display in our office. We were evaluating host-based firewalls. The
technology was developed primarily for home users, so they can protect
themselves from attacks while dialed in to a network. We wanted similar
technology to let us divide our networks into logically distinct
compartments without having to add filters at the switch or router level.
So we were looking for a system that had the same technology as the
home-based systems but allows centralized management and reporting.
One company we approached was Lichtenfels, Germany-based Biodata
Information Technology AG. Biodata's Sphinx PC Firewall isn't suited to our
needs, since it isn't aimed at multiple-machine organizations. But the
company hopes to include the firewall technology in a more
corporate-focused product later this year, so it sent us a copy for review.
What's this got to do with freebies? Right on the front of the box, it says
in bold letters, "Now, with free squeezy key chain!" with a huge arrow
pointing to the top right of the box, where a key-chain sphinx is proudly
I can't imagine what goes through a retail customer's mind when he selects
a firewall product. Would you buy software for your home machine because it
came with a free key chain?
But the squeezy is no ordinary key chain. When you squeeze it, bright green
gunk bulges from its eyes and mouth. I don't know why, but I find it
strangely compelling. If you've been given something weirder to try to
persuade you to buy a product, let me know in the Security Manager's
An Offer You Can't Refuse
Recently, one company used a hook that I couldn't resist. I've mentioned
before that we have looked at outsourcing parts of our security
infrastructure where it makes sense, and one good area for outsourcing was
external e-mail antivirus scanning.
We use MIMEsweeper from Dublin-based Baltimore Technologies PLC for gateway
protection. As an alternative, there are products that offer an outsourced
scan of all Internet e-mail before it's delivered by sending it via the
outsourcing company's mail servers for checking.
U.K.-based managed service provider MessageLabs Ltd. has always stood out
in this field with its comprehensive published data, including real-time
mapping of the global spread of viruses. Now the company's pulled a very
clever offer out of its hat.
MessageLabs' contract guarantees that users of its service won't receive
viruses. If a virus slips through, the company says it will give you your
money back. Any security company that puts its money where its hype is
should be rewarded with plenty of business. Do any other companies want to
step up to the mark and start offering the same deal?
ISN is hosted by SecurityFocus.com