“How likely are you to recommend to a friend?”

We’re all familiar with this survey question, but we never seriously contemplated this question until we compared notes coming home from a recent conference. While our company has global reach, there’s no team like the home team, and just last month we were able to attend the TAGITM Conference in the biggest state around – our home turf of Texas.

As they say, everything’s bigger in Texas, and nowhere was this truer than in the larger than life “tell a friend” environment we witnessed. TAGITM is a tight-knit group of peers that trust each other, and we saw time and time again people willing to share what they really thought about their experience with a given cybersecurity solution.

It confirmed something that we’ve known for a long time: A good recommendation can be a game changer in a profession where trust of slick sales people is low, and expensive analyses, tradeshow presentations, and industry reviews may miss the mark.

Why “How likely are you…” surveys don’t always work in cybersecurity

There have been studies done on this question. For example, is the best metric mean or net promoter score? (Hint: it depends). It didn’t take too much digging to discover that asking people if you’re good enough for their trusted relationships is a good metric of how well they like you. Which is an undeniable barometer of how well you’re doing. However, when it comes to digging out the answer, are professional reviews and company-issued surveys the best way?

While the sentiment itself is good, it doesn’t always translate when you don’t know the person, or when the entity recommending it is presenting generalized results from a host of companies, instead of delivering true anecdotes from just one. CISO Alex Hanes explains that aggregated, study-like investigations from prominent cybersecurity sources like MITRE may give general yes/no reviews on certain aspects of a solution, but when it comes to protecting your network, can they really be specific enough to let you know how it will operate within the unique landscape of your environment?

He concludes by saying “Like with everything else, caveat emptor stands: draw up your requirements first, do your own research, perform your own testing and you’ll end up with something you actually need, rather than something a vendor wants you to have.”

So how do you do that, and is there no one that can help?

Why real-life, word-of-mouth recommendations are so useful

Of course, there are people to help you make those big-investment, high cyber spend decisions; your peers. People who have used the cybersecurity product you’re interested in. Your CISO or Network Admin counterpart at XYZ company that had to rely on this product in a pinch and can tell you firsthand how it came out.

Don’t take our word for it – and I’m speaking as a vendor. Vendors can and will put their best foot forward, always – and we’re proud of what we do – but what a vendor can’t hide is what other people say about their product. Ask the customers.

We saw this in action at the TAGITM conference. Forgive me as I use a little bit of self-promotion to illustrate the point. I’m sure any vendors out there that have done their best by their customers can relate.

As we stood there, in some crowded hotel lobby on a partly cloudy day in Galveston, we overheard conversations from our customers, talking within earshot about our solutions. “You haven’t heard of them? They’re amazing.” Or, “You’d be stupid not to buy them, this is your first choice.” You can’t pay for that kind of advertising, and if you could, it wouldn’t be sincere.

Nothing holds as much water as a genuine testimonial from someone “just like you”, and when it comes to solving their problems, your potential clients want to see how your solution performed in a company just like theirs. “If they could do it, so can we.”

The pros and cons of big-name reviews

What can you do in the absence of a personal recommendation? The big-name reviews are out there, with their mixed bag of downsides and benefits.

Pro: You’ve got a name like Gartner calling you out, putting you on the forefront of whatever Magic Quadrant you made and lifting you above your peers – it can be assumed for good reason. That’s great, and there’s nothing wrong with it – for you.

Con: As an SMB, when you are a school district, a municipal enterprise, or a manufacturer with three locations that was just told last week they need to hire a Network Administrator – do they know what Forrester, or MITRE, or a Gartner Magic Quadrant even is? And, although the recommendations might be well-suited for multi-billion-dollar corporations, do they translate equally in the vastly different realm of SMBs?

As a small business ourselves, our edge is getting on the level of our customers and having the luxury of looking them in the eye, talking straight, and giving them some real-world examples they can sink their teeth into. That’s where word of mouth wins the day.

Results (and people) talk

Yes, results are key in cybersecurity, and as a vendor you need prove yourself or you won’t be around for very long. But it’s those strong results combined with the personal relationships of small cybersecurity companies that build loyalty, engender trust, and provide the secret sauce that larger enterprises can’t duplicate.

No matter the result, people talk – and if you’re doing your job right as a small business cybersecurity provider, that’s the best you can hope for.