It’s been just over a month since InfoSec World 2018 concluded and less than a week since the vast majority of the security community returned from San Francisco and RSA Conference 2018. While these two shows are very different, both prominently feature vendor sponsors.

Running a successful conference requires the support of the vendor community, as does running a successful security organization; no security program could operate without tools and technologies—most of which are commercial commodities vs. those built and developed in-house. It is therefore with mixed emotions that non-vendor security practitioners roam the expo halls of security conferences.

On one hand, security tools and innovations are 100% mandatory for successful protection, detection, and response. On the other, given the overwhelming number of tools in any given category, a person returning from a security conference could spend weeks reading through follow-up vendor emails and invitations.

Vendor marketing teams are often measured by the number of badge scans collected at security conferences, then the number of appointments the sales teams can schedule based on those scans, and finally, how many “warm leads” or even closed deals result from the pipeline. This seems practical at a base level; measurement is an important part of goals achievement. Security practitioners constantly talk about measurement and how to refine metrics so that what they’re collecting, analyzing, and presenting aid the security team in aligning with the business and determining best courses of action for defending against adversaries.

When we’re talking about conference metrics, however, the problem with the type of measurement listed above is that it’s based on a faulty foundation: More scans at a booth or emails added to Marketo don’t automatically result in more qualified leads passed on to the sales team and more business booked. Selling security products in today’s environment isn’t a numbers game. It isn’t about obtaining the contact information of the greatest number of people who pass by your booth. It isn’t even about how many people click on an email you send post-event. And it certainly isn’t about getting your hands on a post-show list of every attendee—though every security conference production team can share stories of sponsors who insist on the full list as part of the sponsorship agreement.

Shifting away from old tactics

The reality is, today’s typical employee is inundated with emailed marketing messages (irrespective of what conferences they do or don’t attend), and unsolicited emails often are immediately deleted or even proactively filtered directly into trash. This means that any vendor marketing to full-conference lists are largely wasting time. That’s best case. In the worst case, if the vendor is too enthusiastic with the amount of emails sent to someone who hasn’t personally opted in for that vendor, there is potential to irritate that person—who might be a future prospect (just because they’re not a prospect today doesn’t mean they won’t be later).

For vendors who are adding full-conference contact lists to their email database, reconsider your strategy. Ask yourself: Is it likely that an attendee who didn’t stop by our booth or interact with staff will become a lead? If you are a complete optimist and answer “yes,” what is the actual likelihood (i.e., the percentage of conversion)? How much effort (e.g., time, resources) will go into converting a cold contact record into a lead? Would that effort be better served elsewhere?

Taking a step back, almost every marketer would have to agree that a blanket list of names doesn’t equal “lead.” The trick is convincing the higher-ups that old sales tactics need a complete rehab. But just like an enterprise wouldn’t slap antivirus on a network a declare it secure, that conversation is one worth having for the sake of productivity and efficacy.

For scanned “leads,” the assumption may be, “the attendee stopped by our booth and allowed the scan.” The truth is, though, that it’s awkward to deny a scan and most attendees figure it’s easier to delete an email than it is to tell a vendor “no,” especially if that attendee is wandering the expo floor to get a sense of what’s available, what’s new (but isn’t in a position to buy), or (gasp!) if they’re simply looking to stockpile swag. When this is the case, while it might be uncomfortable to tell booth staff, “just browsing,” it saves everyone a lot of time and aggravation. Of course, the more passive approach is deleting, filtering, or unsubscribing. That said, chances are that your email address will still end up on vendors’ partners’ marketing lists (thereby mushrooming the number of unwanted emails you receive), or that you will be re-subscribed after a period of time.

Take the consultative approach (i.e., don’t spray and pray)

At the end of the day, security vendors should be homing in on true prospective buyers rather than gathering as much contact information as possible. This means shifting tactics and engaging with attendees who say they’re actively looking for new tools or will be in the future. It means asking questions and listening—really listening. It may even mean getting off the expo floor, where it can be too loud and busy to think straight, and holding a private meeting where the prospect can talk about the needs for their specific environment and ask targeted questions.

While a pre-built product demo may be fun for attendees to view during their downtime, a real prospect will need a tailored deep dive into what the product can do for them (i.e., not out of the box). Further, ask attendees if they would like to receive marketing emails (opt in, a lá GDPR). Opt-ins will always yield more success than spamming attendees who just so happen to be on premises.

For attendees, be upfront and honest. “Just looking!” might feel kludgy at first, but experienced marketers understand that collecting **all the email addresses** isn’t the right measure and will appreciate the higher conversation rates that result from proper prospect engagements and interactions.

If you're looking to enhance your leadership skills and learn to align security with business priorities, attend MISTI's Security Leadership Exchange, May 20-22, 2018 in Ponte Vedra Beach, FL.

 

Anete Lūsiņa