Why are case studies so rare in cybersecurity PR?

Case studies are one of the best ways to build credibility and trust with prospective clients but so often in the cybersecurity industry, customers don’t want to talk. But why? Let’s lift the lid on this and look at what cybersecurity marketers should be saying to their customers to get their buy-in on a case study… 

Yeah, we don’t really want to do a case study with you guys because we don’t want everyone to know how bad things were before and how we were constantly getting breached… You guys are doing a great job by the way! (…off the record)

This, or variations thereof, is a common response to cyber security vendors when they approach a major customer to collaborate on a case study. And in the early days of cyber, when attacks were rare, and victims achieved pariah status, this may have been an understandable response. However, being a victim of cybercrime is no longer an exclusive club. Cyberattacks can and do happen to anyone and any organisation.  

Let’s flip the argument on its head…  

If you were a major car manufacturer and you had just introduced a new safety feature that could detect when a driver was showing signs of fatigue on a motorway, you would want the whole world to know about it. Imagine all the lives that could be saved by introducing this feature. Driving, sadly, will never be 100% safe and corporations will continue to suffer cyberattacks. It’s a fact of life made all too clear over the last couple of years with cyberattacks disrupting every industry and every type of organisation, regardless of size.  In 2021 we saw the Colonial Pipeline attack disrupt fuel supplies to the whole of the eastern US but more recently, even a small Isle of Wight ferry company was targeted by malicious threat actors. Nobody is immune to the criminal cyber gangs. 

So, the message from you, as a cyber security solution vendor to your customers should be:  

You are a forward-thinking, responsible organisation that has implemented all possible measures to prevent cyber-attacks. This is something you should be celebrating, not hiding

In the same way that organisations make a big deal of their sustainability credentials and their record on inclusivity, this is positive news and speaks to their brand values. Indeed, when bidding for major contracts they will want their customers in turn to know that they are in safe hands, and they won’t be the weak link in the chain that introduces a vulnerability. 

Another classic response from customers when you ask them to collaborate on a case study in the cyber security sector is:  

Oh, but if we make a big deal of our investment in cyber it will invite the bad actors to come after us…

To this you need to, ever so gently, point out that threat actors are already targeting them, scanning their network, looking for a misconfigured port or unsecured cloud application. Keeping a low profile won’t make a blind bit of difference. The work you have done for them will. 

“Well, we have a policy not to endorse third-party vendors.” I can understand why a fashion brand might not want the world to know that the high street versions of their haute couture are not actually manufactured in Paris, but why a leading international bank would not want people to know that their customers’ accounts were secured using the very latest AI technology, makes no sense.  

If you can point out the positive benefits of  your customer showing the world that they are proactive on security, and demonstrate that they would be in good company with some of the other major organisations that have agreed to be a case study, it might just do the trick. If they still won’t budge, then consider involving them in your webinar programme. They may be happier giving a paper on how they solved a security problem, so it’s a vote of confidence by association. 

And finally, a “no” may in fact be a “not just now” and it’s worth revisiting the customer after six months or a year of incident free business. If you keep the sales team involved in the process of securing case studies, they will be likely to have a better idea of when the timing is right for another approach.