Contributing Writer

Does McAfee’s Sales Program Highlight A Morality Problem in the Cybersecurity Industry?

Feb 19, 2010 | 3 mins
Cisco Systems, Data and Information Security, McAfee

When it comes to information security, sales incentives may no longer be appropriate

In order to steal accounts from archrival Symantec, McAfee cooked up a new sales campaign recently called, “Bring McAfee to the Game.” The description of the program which seems to pivot off the upcoming World Cup Soccer tournament reads as follows:

“McAfee will pay partner sales reps $100 USD just for telling us about a Symantec 250+ node endpoint security renewal opportunity. Offer valid through end of Q1. McAfee will also pay $5,000 USD each to the eligible partner rep and SE for closing a 10,000+ node Symantec displacement in Q1, 2010.”

Now direct or channel partner sales spiffs are nothing new in the high tech world. McAfee CEO Dave DeWalt has certainly seen his fair share of these programs while at Oracle, Documentum, and then EMC. The objective couldn’t be simpler: fatten the financial incentive to change sales behavior and push one product over another. Whether it is endpoint software, televisions, or used cars – this is how sales works.

When it comes to cybersecurity however, I have a bit of a morality problem with these types of sales tactics. Should an organization’s security defenses really be influenced by how much money a sales rep receives? McAfee may have a truly competitive product to Symantec, but what if a vendor with a sub-par offering (or worse yet, a cybercrime organization posing as a security vendor) offered sales reps $10k for a Symantec displacement? Sales guys get rich while organizations’ security declines. Should we really trust the confidentiality, integrity, and availability of our critical infrastructure to the security vendor with the most creative sales/channel incentives – or should we focus on real security here instead? I think the answer is obvious. Congress often scrutinizes the medical industry to make sure that pharmaceutical companies do not have undue influence on physicians. While it is not a matter of life and death, the same moral argument should apply here.

At the very least, sales reps should disclose that they are being incented during the sales cycle. If they aren’t willing to disclose this, security and purchasing managers should make sure to ask security sales reps and resellers whether they are being “spiffed” on sales. This information will help buyers understand the sales motivation and use this information as part of their decision process.

I am not trying to knock McAfee as it sells a leading endpoint security product and it is simply following a long tradition of sales incentive tactics in the industry. That said, security is not a game – product decisions could ultimately make sensitive systems and information extremely vulnerable. When it comes to security, I’d like to see an industry moratorium on security spiffs or at least full disclosure. Sales numbers and individual salaries have no role to play in securing our digital assets.

Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.