"Security" is a meaningless word

“We’re a cloud security company.” 

At first glance, this seems to meet some of my requirements for decent positioning — everyone knows what ‘cloud’ is, everyone knows what ‘security’ is. It’s not overly wordy. And yet this is, in my opinion, among the worst positioning out there, and also perhaps the most common crappy positioning that I hear. 

Indeed, I think the ‘security’ industry in general suffers from even more positioning malaise than the (overlapping) cloud native industry, open source industry, ML industry, etc. I also think that some of the problems facing these security companies (which I’ll get to in a second) hold lessons for companies that don’t touch security in any way. 

First of all, though, at one point in time there were relatively few ‘cybersecurity’ companies out there, and in fact being in cybersecurity could be a niche market. But those days are over — there are over 5,000 companies at RSA. With so many companies that are ostensibly in the security business, you need to be much, much more specific if you want to stand out. Here are some things to think about.

Security is multifaceted

If you say that your tool will “solve security” for customers, you will get laughed out of the room and deserve it. First of all, any savvy security expert knows that tools are only part of the security equation; there are also processes, incentives, org structures, etc. Second, the idea that one single tool would solve everything security-related that can be solved by a tool is not very believable. It’s just too complicated.

I’m picking on security folks here, but the same could be said about, for example, operations. “Our platform will solve cloud native operations,” would be a ridiculous statement, because there are so many components to operations. 

But what do you actually do?

The problem is that if you say ‘we do cloud security,’ the expectation you’re setting up is that you solve everything. But there’s another, related problem. People will guess that you don’t in fact do everything. But they won’t know what part of the security puzzle you do solve if you use a vague description like ‘cloud security.’

For example, an encryption tool for data at rest and in transit, identity management and tracking, and breach forensics are all types of security tools. But if the piece you’re trying to solve is encryption, the forensics stuff really doesn’t help you. When you call yourself a ‘security’ tool or platform or whatever, people can’t tell immediately whether or not you will solve the need they have.

Make your positioning meaningful

The problem with positioning your product or project as ‘cloud security’ is that when you really examine that term, it’s meaningless. It doesn’t tell potential customers what problem you solve, how you fit into their existing security tools, or which options are competitive and which are complementary. People have short attention spans, and calling your product ‘cloud security’ forces them to either invest more time than they want to figuring out what that actually means … or to just move on and ignore your product. Most people end up choosing the latter option.

I honestly think security companies get this wrong more often than others, perhaps because there’s still a feeling that ‘security’ is unique enough. It’s not. It’s like saying “I have a software startup.”

If you want to break through people’s apathy and get interest in your product, open source project or whole company, you need to get specific about what you do and make it clear that you are part of the security landscape, but that you solve this one very specific (but very important) aspect of it that no one else does. If you can do that, people will pay attention. 

Emily Omier