2022 Black Hat USA Vendor Booth Analysis: Buzzword Edition
Aug 25, 2022
Two weeks ago, I left Las Vegas no longer a Black Hat USA rookie.
As a first-timer at the exhibition, it was an eye-opening, refreshing, and rewarding experience.
I wore several hats at the show:
- Cybersecurity marketer for Cybersixgill
- Podcaster for Audience 1st
- Drinking buddy for new and old friends
But what was more enlightening was taking a step back, removing those hats, and trying to view the exhibition space through the eyes of the security practitioner.
As a marketer, I’m used to seeing big, colorful booths with flashy lights, running demos, t-shirts flying, and coffee running.
But when I put on the security buyer goggles, I was completely overwhelmed.
Months ago, I spoke to Joseph Carson, who told me how he roams the halls at events and plays buzzword bingo to evaluate vendors, keep up with the technology, and sniff out what's useful and what's not.
So, I took it upon myself to do the same.
This mini-analysis is my take on cybersecurity buzzword bingo at tradeshows.
You’ll find the top used buzzwords at the show, the most prominent colors used, examples that I believe could be improved, and why.
- This is not a formal, commissioned analysis. Frankly, I thought about doing this on the first day of the show and thought it would be a cool exercise to share with all of you.
- Given I only analyzed 51% of the booths on the show floor, this analysis is not a 100% accurate representation of all messaging at the show. It is a sample and indication of what was presented at the show.
- The commentary in this analysis is based on the personal opinion of security practitioners from qualitative user interviews I had with them.
- “Buzzwords” does not necessarily mean something bad. Though it has a negative connotation to it, buzzwords can be useful if used correctly.
The number one problem with using buzzwords in cybersecurity:
Vendors cannot back up their claims when they use them.
“Probably the biggest failure of anybody approaching is not knowing your audience. So coming in and spouting quantum and AI and ML, and not being able to back it up.
If you're not embedded in the industry, it's so hard to figure out what is true. Let's take zero trust as a perfect example.
The idea and the concept aren't bad, but the ability to execute it is horrendous to say the very least. And unfortunately, in most cases, it’s none other than impossible because no one vendor has the solution.
No one vendor is going to come in and be able to effectively do it and roll it out without some pretty major disruption. And they ignore that part.
For crying out, I got buzzword bingo cards. I give them out at the conferences and you can literally stand in front of it. Doesn't matter if it's sales, marketing, or the pay-to-play bullshit.”
- Chris Roberts, CISO of Boom Supersonic
When is it okay to use buzzwords?
- If you understand what the buzzword actually means and what’s really behind it.
- If you can back it up with data and nuggets of how your tool or solution ties to the buzzword.
That’s when the buzzword becomes a reality.
“Come at me with XDR, come at me with SOAR, come at me with cyber resilience. That's fine. I get it. But then give me, you know, the meat and potatoes behind it. What it really means. I think vendors just have to change the way they lead with buzzwords.”
- Leo Cruz, CISO, St. Joseph’s School for the Deaf
This analysis only highlights vendor booths on the exhibition floor in Mandalay Bay.
It does not take into account vendors who secured suites or cabanas offsite or threw happy hours or parties.
Most of the booths I analyzed were in the main exhibition hall (the center spreading outward).
I did manage to capture many booths in Innovation City and in “the bleachers” or outskirts of the exhibition hall.
According to the Black Hat website, there were 336 total vendor booths on the exhibitor floor:
I photographed 173 out of 336 and looked at the:
- Primary Message (the words that stood out the most - towards the top of the booth or in the biggest letters)
- Secondary Messages (the words that were placed throughout the booth or under the primary message)
- Use Cases (the words that highlight what the solution can be used for)
- Primary Colors (the most prominent color used in the booth design)
- Secondary Colors (the supplementary colors used as accents at the booth)
I then used Kelly Shortridge’s Infosec Startup Buzzword Bingo: 2022 Edition as a reference for this year’s buzzwords to map against the vendor booth message.
I also included buzzwords that I saw show up regularly across multiple booths and which, frankly (and subjectively), felt redundant to use at a cybersecurity tradeshow, i.e. Protect, Cyber, Most, Zero
- Protect - that is what practitioners are here to do, no?
- Cyber - I mean…
- Most - is there a most? Maybe, but it felt like leading with false promises.
- Zero - is there such a thing as zero in security?
Using the 2022 Infosec Buzzword Bingo and the words I saw as redundant, I counted a total of 35 buzzwords.
The most used words were:
Threat, Protect, Data, Cloud, Cyber, Platform, Zero
The buzzwords that were not used at all were:
Accurate, Context, Scalable
Out of the 173 vendors evaluated on the floor:
115 used 1 buzzword
57 used 2 buzzwords
30 used 3 buzzwords
13 used 4 buzzwords
4 used 5 or more buzzwords
The vendors that used four or more buzzwords were:
Of the 173 booths analyzed, I saw 40 booths highlight anywhere between 3 and 10 use cases in their messaging.
Of the use cases captured in my analysis, the top 5 were:
Cloud Security, Compliance, Threat Intelligence, Pentesting
Of the primary colors used at Black Hat booths, the top 5 most prominent were:
Blue, Purple, Green, Grey and Red
There were 3 main issues that I found in vendor booth messaging this year at Black Hat:
- Lack of context
- The use of FUD
- False claims or over-promising
Messages that lacked context (or used marketing jargon)
- “Experience a Better Experience”
- “For Fix Sake”
- “The Power of Zero. Unleashed.”
What does this even mean?
As a passerby, it certainly stopped me - mostly because I had my critical hat on and it got me thinking, “dafuq?”.
How could this improve?
Say what you do as clearly and concisely as you can. Particularly, if you are a smaller vendor located in a spot on the exhibition floor that doesn’t necessarily get a lot of foot traffic.
“I want to be educated. If you're not going to teach me something, you're not gonna get my time. So it’s about knowing your audience and making sure that your message is clear to the audience.” - Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea
Messages that used fear, uncertainty, and doubt (FUD)
- “Don’t gamble with cloud vulnerabilities.”
- “Nothing good happens when you are in contact with the adversary.”
- “Sensitive data at rest is data at risk.”
Now, these examples are not extreme examples of FUD, but I couldn’t help but notice that it was a missed opportunity for these vendors to use more empowering messaging that is clear and concise to passersby.
How could this improve?
“It's best to just stick with the basics and the fundamentals. Like, ‘look, are you concerned about this particular area of cyber? If you are, come check us out, that's what we do.’”
- Allan Alford, CISO of TrustMAPP
Messages that used false claims or over-promises
- “One Agent. One Platform. Complete Security. A unified platform approach to stopping breaches.”
- “End Cyber Attacks. This is XDR. Experience True Defense.”
- “Complete Software Supply Chain Security”
- “Go hack yourself. Complete coverage of your evolving attack surface.”
- “Human error. Conquered.”
- “Building a future we can all trust.”
- “Experience your world secured.”
- “The easiest, most secure way to access all your infrastructure.”
- “See, Protect, Resolve it All”
- “See everything. Fear nothing.”
There is no other industry that is allowed to give a 100% guarantee of something without first being able to scientifically prove that that's true.
“What marketers could stand to learn is that they are a lot of times making claims that are outright lies. There's actually a law on the books regarding advertising and truth in advertising. And that law seems not to apply to our industry.
Part of the problem that, that marketers run into when they're trying to engage someone like myself, is that they're, they're coming at it from the wrong angle. I know that sales slick that says a hundred percent stops ransomware can't possibly be true.
It's, it's literally impossible. So, now you've already entered the conversation on the wrong foot.”
- Ryan Cloutier, President of SecurityStudio
How could this improve?
What you can do differently at Black Hat USA next year that will resonate:
Lead with genuine messaging, not false promises.
Engage with your clients.
Change up your booth game to include your clients at your booth vs. swag central.
“If you're going to want to reel people in, lead with a genuine story, right? Heck if I saw a vendor that said, we're just gonna be honest with you. It's 50/50. I'd take that conversation. What made you say 50/50? Because, you know, it's gonna happen either way, but what made you say it? Do you have statistics? Did you go based off of maybe your own clients, you know, that were impacted by a threat that you maybe might be able to disclose?
I think in going into the next Black Hat and future Black Hats, marketing has to change. And it starts with listening to the people. They should actually reach out to their clients and say, ‘what would you like to see us do at Black Hat?’ Not, ‘Hey guys, you know, Palo Alto's leading with this message or Cisco's leading with that message, Microsoft's leading with this.’ Just lead with a genuine message. Come to help.”
- Leo Cruz, CISO, St. Joseph’s School for the Deaf
That’s it. Just a mini-analysis that stemmed from massive curiosity at Black Hat.
If you find this useful, I’d love to hear your feedback on how to improve it for next year.
Hell, maybe I’ll make it a thing!
If you’re interested in receiving the raw data, please let me know and I’ll send it over to you.