You Shot the Arrow. The Bow Went With It.
By Sean Martin, CISSP
Lens Four — Where business, innovation, and messaging come into focus
April 8, 2026
I look at the world of cybersecurity regularly through three lenses: the business operations and programs lens, the innovation and market lens, and the messaging and language lens. The fourth lens — the one that connects all three — is mine. This week, all three are pointed at the same thing.
I've been doing this work for a long time. Go-to-market strategy, messaging and positioning, content development, analyst and journalist relations — helping organizations connect what they've built to the audiences that actually care. I started a podcast and a lot of people think that's what I do. They forget the decades that came before it.
I say that not as a credential flex but as context for what I'm about to say — because what I observed walking the RSAC 2026 expo floor in San Francisco isn't new. It's the same pattern I've watched run on a loop since the early days of this industry. It's just louder now. And the cost is higher.
In a conversation recorded on location at RSAC 2026, Madelein van der Hout — senior analyst at Forrester covering cybersecurity and risk, and the person she describes as cutting through the noise for CISOs — made an observation that stopped me. Standing in the middle of the expo floor, surrounded by six hundred booths, she said she found herself wondering whether every vendor had used the same AI model to produce their marketing.
That's not a marketing critique from someone outside the industry. That's a signal failure observed by someone whose entire job is to cut through noise on behalf of security leaders making real purchasing decisions. And if Madelein can't distinguish one vendor's story from another on that floor — if the analyst whose job is signal clarity is standing in the noise wondering if it was all machine-generated — then the message isn't landing. It's just arriving.
LENS ONE — BUSINESS PROGRAMS
Has the industry's messaging gotten any closer to the decision-maker's real problem?
No. And the gap is getting harder to bridge.
I sat with a group of security leaders at a breakfast during RSAC. No press, no vendor pitches, no decks. Just people comparing notes. I came in with my own observation — that I was finding little to no connection between what was on the floor and what actually moves a business — and the conversation that followed confirmed it from the inside.
What came up, not once but as a through-line, was a version of the same frustration: the less I can connect what a vendor is saying to my job, the less likely I am to connect it back to the business. That's not a comprehension problem. These are technically sophisticated people who understand what they're being shown. It's a translation problem. The vendor's message never gets the CISO to their CEO. And the CISO can't translate what the vendor won't explain.
Two of those leaders described the same reality independently: their organizations view security as a compliance function — stay compliant, stay out of the news, keep the infrastructure running — not as part of how the business grows. The business doesn't think about security as a growth enabler. The security team does its job. The business does its job. The wall between those two things is still standing — after years of the industry claiming it was coming down, after years of keynotes declaring that security is a business enabler, after years of vendors promising transformational outcomes.
That wall isn't accidental. It's been built, brick by brick, by messaging that talks about technology instead of outcomes. Features instead of impact. Threat surface instead of business risk.
Marco Ciappelli, co-founder of ITSPmagazine and Studio C60, has been framing this problem since before most of this industry's current generation of marketers entered the field. We were on the floor together at RSAC, doing what we've done at events for more than a decade: watching, asking, comparing observations. He made the point he always makes — the one that has been true since 2012 and remains true in 2026: "The pill is not the product. The product is what it does for them. You're selling the outcome. Security. The sense of being safe."
He first said that version of it to me the first time I brought him to RSAC back in 2012, and his immediate observation standing on that expo floor was: "They're still selling the box." The product photo. The feature list. The appliance with the LED lights.
It's 2026. Different box. Same observation. This year the box has an AI badge on it.
BETWEEN THE LENSES
If the message doesn't connect to the business, who bridges the gap — and at what cost?
The CISO is the translator. But they can only translate what the vendor gave them to work with.
The frustration I heard from security leaders at that breakfast wasn't about vendor quality. It was about vendor language. The CISO who can't connect a vendor's pitch to a business outcome isn't failing to understand the technology — they're failing to find the thread the vendor never gave them. The message gets to the CISO and stops there, because the CISO can't carry it further without the business context the vendor never provided.
That's not a small gap. The security decisions that protect organizations and enable them to grow require a chain of comprehension that runs from the vendor's product capability all the way to the board's risk appetite. When a link in that chain is missing — when the language stops being translatable somewhere between the booth and the boardroom — the decision either doesn't get made or gets made on incomplete information.
Madelein made a pointed observation in our on-location conversation: even among the vendors she spoke with about AI agents and optimization, the question she kept not getting answered was what her security team would actually do differently. The capability was described. The outcome for the program — for the people doing the work — was not. That gap is not unique to AI. It is the defining feature of how this industry has communicated for decades. The technology is the message. The outcome is left as an exercise for the buyer.
LENS TWO — INNOVATION AND MARKET
Does the funding and go-to-market cycle fix the messaging problem, or produce it?
It produces it. Structurally. Predictably. Every cycle.
Here's the dynamic I've watched repeat itself with enough consistency that I can almost set my calendar by it: significant capital enters a category. The pressure to claim market leadership creates an arms race of superlatives. Every company has to be the one that does everything, solves everything, kills the old thing, becomes the new thing. The claims expand to fill the available funding. And when everyone makes the same superlatives with the same urgency, the differentiation disappears — not just for the buyer, but for the market itself. It can no longer hear its own signal.
To be clear: this isn't a failure of character. It's a failure of structure. The marketing function in most cybersecurity companies is optimized for lead generation, not for buyer comprehension. The metrics that matter — MQLs, booth scans, demo requests, content downloads, email opens — measure whether someone raised their hand, not whether they understood what they were raising their hand for. A campaign that generates five hundred leads by claiming to solve everything outperforms one that generates two hundred leads by being honest about what the product does and doesn't do. The dashboard never shows the downstream cost: the deals that closed on false premises, the deployments that didn't deliver, the buyers who felt burned and stopped picking up the phone.
I even heard of one vendor instructing their booth team that AI had to be part of every conversation — regardless of whether the person they were talking to had asked about AI, needed AI, or would ever use AI. Not because the instruction was malicious. Because the pressure to be in the category was greater than the pressure to be relevant to the individual in front of them. Lead generation as the primary success metric creates a systematic incentive to overclaim — not because the people doing it don't know better, but because the system doesn't reward them for knowing better.
Theresa Lanowitz, cybersecurity evangelist and thought leader, captured the binary this creates with precision. In a conversation recorded on location at RSAC she described two camps emerging around AI: full throttle — just put everything out there and see what works — and full stop, complete avoidance. "Neither approach is the correct approach," she said, noting that the CrowdStrike keynote made the same point: there has to be a human in the loop, there have to be guidelines, you need to plan for resilience. Good advice. Nuanced advice. The kind of advice that doesn't fit on a booth graphic. So it gets replaced with the death announcement, the category-killing claim, the everything-in-one-platform promise.
Joe Carson, chief security evangelist and advisory CISO, was equally direct in a conversation recorded on location at RSAC. The buzzword of RSAC 2026 wasn't community — the official conference theme. It was agentic AI. "There's not a whole lot of differentiation," he said, "but everybody says they can help you secure your AI agents." Which is the market's way of saying: the differentiation has collapsed. The category ate itself before the buyers finished evaluating it.
This cycle ran on perimeter security. It ran on SIEM. It ran on Zero Trust. It ran on SOAR. It ran on XDR. It is currently running, with considerable momentum, on agentic AI. Each iteration produces the same floor — walk it and count how many times you see the word autonomous without a definition.
Marco put the right question to it, the one every company should have to answer before it earns floor space: "What instrument are you playing?" Because what you get on that floor isn't music. It's a cacophony of instruments all playing at once, each one convinced it's the lead.
LENS THREE — LANGUAGE AND MESSAGING
When the industry says everything at once, what does the buyer hear?
Nothing. And that silence is the most dangerous outcome.
There's a concept I keep coming back to from my own experience working on go-to-market strategy: the arrow and the bow. You nock the arrow, you pull, you release — and in your urgency to make the shot, you release the bow too. The arrow goes nowhere useful. The bow is gone. You've spent everything on a moment that didn't land. And now you can't shoot again. The next message — the real one, the one that actually matters, the one that could change how a buyer thinks about their risk or their program or their business — has nothing to travel on. You used the bow on the wrong shot.
That's what overclaiming does in real time. When a company claims their technology magically fixes every architecture problem, every identity gap, every flat network, every misconfigured permission — all at once, all in one purchase, all with AI — they win the day's attention. They lose the year's trust.
And here's the part that should worry the entire industry: the credibility debt doesn't get paid at launch. It gets paid later. At exactly the moment when something real needs to be said, when a genuine capability arrives that could actually change outcomes, when a real warning needs to land — that's when the accumulated noise debt comes due. The boy who cried wolf didn't fail on the first cry. He failed on the last one.
I've watched this pattern run long enough to know the sequence. The technology eventually catches up to the claim — or gets replaced by the technology that does. But the trust deficit persists. The buyer who felt burned by the SIEM revolution's overpromise was slower to move on Zero Trust. The buyer who got ahead of their skis on SOAR automated their way into more alerts without more answers. The buyer who heard the firewall was dead and ripped it out before the replacement was ready had a very bad quarter.
The buyer standing on the RSAC 2026 floor, looking at floor spectacles designed to generate foot traffic, trying to remember what any of those companies actually sell — that buyer is not becoming more trusting. They're becoming more tired.
Madelein raised the natural extension of this in our conversation: she considered collecting all the marketing pamphlets from the floor and running them through an AI model to see if they could be distinguished from one another. She didn't need to run the test. The answer was visible from where she was standing.
Tired buyers default to compliance. They buy what they already have. They renew what they know. They stop asking whether something new could actually help — because the signal that something new could actually help is now indistinguishable from the noise claiming everything is new.
I remember a specific moment on the floor this year. There was a booth with a spectacle that was genuinely impressive in the way a carnival is impressive. And I realized I remembered the brand — negatively. Step right up. The impression it left was not "I should talk to these people." It was the opposite. That's a marketing outcome. Just not the one they intended.
The question I find myself asking — and I'd argue every buyer should be demanding — isn't "what does your AI do?" It's simpler and harder: show me exactly how this reduces trust, limits movement, and contains the blast radius. In my environment. With specifics. With proof points. With use cases and case studies from organizations that look like mine. Not a reference list I have to chase down after the meeting — the story, told here, with enough detail to evaluate. That question cuts through every badge. Most booths on that floor couldn't answer it. The few that could didn't need the spectacle.
THE FOURTH LENS
What happens when the industry finally has something real to say — and nobody believes it anymore?
The arrow and the bow. There's a version of this that plays out quietly, year after year, and then all at once.
I've spent three decades helping organizations find the message that actually connects — the one that gets a CISO to their CEO, gets a CEO to their board, gets a board to make the decision that protects the business and enables it to grow. That work is hard, specific, and relentlessly focused on the outcome the buyer needs rather than the capability the seller has. It is the opposite of noise.
What I watched at RSAC 2026 was noise organized into booths, branded with AI, and delivered at scale.
The technology underneath some of it is real. The agentic capabilities emerging right now are genuinely consequential — in ways that will reshape how security programs operate, how organizations govern risk, and how the relationship between human judgment and machine action gets defined for the next decade. That is a real story. It deserves to be told with the precision and credibility it requires.
But the industry is spending down the credibility budget that story needs. Every overclaim today is a withdrawal from the account that tomorrow's legitimate warning depends on. And accounts don't go negative slowly. They go negative, and then they're empty.
The path out of this isn't complicated, even if it's uncomfortable. For vendors: build the message around the outcome, not the category. Say what you don't do. The security leader who hears a vendor acknowledge a limitation doesn't walk away less interested — they walk away more trusting. Trust is the asset the industry has been spending down. Specificity is how you rebuild it.
For buyers: the conversation you need isn't the one the pitch is designed to have. The vendor who can answer your specific problem — not the category problem, your problem — with a use case that sounds like your environment and a proof point you can verify, is the vendor worth your time. The one who can't is telling you something important about the distance between what they claim and what they've actually done.
For the market: lead generation metrics measure reach, not comprehension. A buyer who raises their hand without understanding what they're buying is not a qualified lead — they're a future churn statistic and a future trust deficit. The industry will keep producing noise until the measurement changes. The companies that get ahead of that shift — that optimize for informed buyers rather than captured contacts — will own the credibility when the next real thing arrives and actually needs to be heard.
There's a useful parallel in how this gets fixed. In a previous Lens Four piece I traced how AI is taking over enterprise workflows — not through grand transformation announcements, but task by task, one small reasonable decision at a time, each one locally defensible, none of them examined as part of a whole. Nobody decided to remove the human from the workflow. It just assembled that way. The path back from a credibility deficit works on the same logic — not a grand repositioning, not a relaunch, not a new category name. One honest message at a time. One specific outcome claim instead of a broad superlative. One proof point instead of a promise. One use case that actually sounds like the buyer's environment instead of a generic reference win. The credibility that has been spent down over many cycles doesn't come back in a single campaign. It comes back the same way it left — incrementally, decision by decision, message by message. Start small. Aim toward an outcome. Build from there.
Marco's 2012 observation still holds. They're still selling the box. Now the box comes with an autonomous AI agent inside it, a floor spectacle around it, and a funding announcement behind it — and nobody at the booth can tell you what it actually does for your business.
What's the one question you'd ask if you only got one?
The conversations with Madelein van der Hout, Theresa Lanowitz, and Joe Carson were recorded on location at RSAC Conference 2026 in San Francisco as part of ITSPmagazine's annual event coverage. Explore the full coverage at itspmagazine.com/rsac26 and connect at seanmartin.com.
Topics Covered in This Analysis
cybersecurity marketing, RSAC 2026, vendor messaging, credibility debt, agentic AI hype, go-to-market strategy, CISO communication, security program investment, technology overclaiming, lead generation metrics, security outcomes vs. features, cybersecurity industry narrative, expo floor theater, analyst perspective, business value of security, security messaging failures, buyer trust erosion, Zero Trust messaging, SIEM evolution, SOAR overpromise, XDR consolidation, agentic AI claims, security vendor differentiation, cybersecurity branding, signal vs. noise, Madelein van der Hout, Forrester, Theresa Lanowitz, Joe Carson, Marco Ciappelli, ITSPmagazine, Studio C60
Frequently Asked Questions
What is the credibility debt in cybersecurity marketing?
Credibility debt accumulates when vendors consistently overclaim what their products do. Each overclaim spends down the trust that a legitimate message will need later — meaning that when something genuinely important needs to be communicated, the audience has already learned not to believe it.
Why does cybersecurity messaging tend toward overclaiming?
The marketing function in most cybersecurity companies is optimized for lead generation metrics — MQLs, booth scans, demo requests — rather than buyer comprehension. The system rewards volume and reach over specificity and honesty, which creates a structural incentive to overclaim regardless of individual intent.
What is the "arrow and the bow" in this context?
It's a metaphor for what happens when a company tries to claim everything at once. In releasing the arrow, they also release the bow — spending the capability and the credibility simultaneously on a moment that doesn't land. And once the bow is gone, there's nothing left to send the next message — the real one — when it actually needs to travel.
What should security buyers ask vendors that cuts through the noise?
The most effective question is not "what does your product do?" but rather "what does it not do?" Paired with: show me a use case from an organization that looks like mine, with a proof point I can verify. A vendor who can answer both honestly is a vendor whose broader claims are worth taking seriously.
How can vendors rebuild trust with security buyers?
The same way the trust was spent — incrementally. One honest message at a time. One specific outcome claim instead of a broad superlative. One proof point instead of a promise. Credibility that has been spent down over many cycles doesn't come back in a single campaign. It comes back message by message, decision by decision.
About the Author
Sean Martin is a cybersecurity market analyst, content strategist, and advisor with 30+ years across engineering, product development, marketing, and media. Co-founder of ITSPmagazine and Studio C60, host of the Redefining CyberSecurity Podcast and the Music Evolves Podcast. Sean works with CISOs and security leaders, vendors and service providers, go-to-market and marketing teams, and analyst firms to connect technology operations and cybersecurity programs to business outcomes. Connect at seanmartin.com.