Cyber Security Case Study Critique – Shape Security Saves Retailer

Cyber Security Case Study Critique – Shape Security Saves Retailer

Free course: The Internet's Best Case Study Hacks.

If your case studies aren't igniting sales conversations, you need this free five-day email course.
Sign up now and get the first lesson immediately.
  • This field is for validation purposes and should be left unchanged.

In this post, you’ll learn these best practices for your cyber security case studies:
1. What your case studies’ titles absolutely cannot mention.
2. How to make an emotional connection with your readers.
3. The least you can do to promote your case studies.
4. How to make your offering look great without turning the case study into a sales sheet.
5. Why it’s important to mention your process.
6. The power of giving specific detail.

Hi, I’m Mike Russell from, the place where marketers go to win more customers with their customers’ wins.

Today’s case study comes from Shape Security. It’s about their work for an unnamed Global Retailer who was experiencing severe fraud with their gift cards. Shape Security stops automated web and mobile application attacks that bypass existing defenses.

To get the most out of this post, take a few minutes to read this cached version of the case study. (The case study has been reformatted since my critique. Although the example has changed, the underlying principles I discuss haven’t.)

Please note: I had no part in creating this case study. I’m just using it as an educational example.

Cyber Security Case Study Best Practice #1: Tell A Positive Story

How many readers get all the way to the conclusion? 30%? Less? I bet it’s less. You know what I’ll also bet: 100% of this case study’s readers saw the title. And it doesn’t promise to make a good association with Shape Security:

Cyber security case studies’ titles should summarize the results achieved, not the problems faced.

“Don’t get the wrong idea.”

This reflects poorly on Shape Security. Focusing on the problem the global retailer was facing insinuates that Shape Security was somehow involved in the loss. Of course, that’s not the case. No company is going to profile a blunder.

So why subject readers to tracing that line of reasoning? It wouldn’t have been hard for this cyber security case study’s writer to turn this around to something more favorable, such as: “Global Retailer Halts $25 million In Stored Value Card Fraud.” With such a title, readers –even the ones who don’t spend another second on the case study- get the gist of the value that Shape Security provides.

Now, let’s look at the title’s ‘support crew’: the subheaders. If readers are intrigued by the title, then they’ll run their eyes down the page and take in the subheaders. This is an opportunity to expand the story ‘promised’ by the title with a bit more detail.

Again, this case study falls flat. Its subheaders (“Situation,” “Attack Target,” “Attack Methods, “Attack Impact,” “Attack Mitigations,” and “Conclusion”) don’t add detail to the case study’s story.

Readers who skim will only see that the global retailer lost millions in credit card fraud, that they were getting attacked a lot, and that Shape stopped the attacks (but only via the graph, which requires a moment to interpret).

The subheader “Failure of Existing Security Solutions” offers a glimpse into the story, but could be more descriptive. For example, “Existing Solutions Let Attacks Through” would summarize the section for skimmers and set up more thorough readers for the ensuing section.

Expanding on this idea, “Situation” could be “Credential Stuffing Attacks Threatened Millions Of Accounts.”

I’m a fan of more descriptive subheaders. Two- or three-word subheaders are too short to convey meaning. Since they fail to give skimmers the gist of the story, they fail to build interest in reading more.

Cyber Security Case Study Best Practice #2: Connect With Emotion

Brochures and sales sheets are inherently vague. They can tout benefits in general terms, but it’s beyond their abilities to get down to specifics.

That’s where cyber security case studies excel. Because they focus on one particular customer’s experience, they can dispel any uncertainty those other types of marketing collateral are unable to address.

Instead of comparatively cerebral business benefits, the details in a case study tap into pain: the pain endured by the subject of the case study, and the pain experienced currently by the target reader. The more vivid the details, the more that pain comes to life. This helps readers identify with the case study subject, and conclude that they can find similar resolution.

Shape Security’s case study gives excellent detail about the challenge:
• “This attack was costing the retailer over $25M per year in credit card chargebacks.”
• “Adversaries were taking over more than 1,000 customer accounts a day.”
• “Malicious automated traffic accounted for over 91% of the website’s login traffic.”

Ouch! The global retailer’s information security team(s) must’ve been very stressed by these events. Readers with similar responsibilities and struggles will empathize with this stress. Maybe they’re experiencing the same problems –and feelings- while reading the case study.

If readers can empathize, or if they are experiencing similar problems, then the case study’s resolution –the results Shape Security delivered- will seem all the more appealing.

Cyber Security Case Study Best Practice #3: Plan Your Promotion

Recently, Forrester research reported that “case studies are the most valuable kind of content when it comes to making a [B2B] purchase decision.”

Even though case studies may be perceived as a useful resource in making a big purchasing decision, it doesn’t hurt to promote them. Heck, industry media might even pick up the story if it has a few lessons for their readers.

That’s why I was surprised that I couldn’t find any promotion of Shape Security’s case study in their LinkedIn company profile, Twitter feed, nor executive-level blog.

Cyber security case studies should be promoted on the company’s Twitter page

Cyber security case studies make for great blog content.

Now, admittedly, case studies pull their weight as follow-ups to sales conversations. But their versatility lends them to many other uses, including social media, presentations, and PR.

Given the amount of effort it takes to produce case studies –or any quality content- for that matter- why not promote the heck out of them?

As a part of the case study’s production -when you’re considering which customer’s success to profile- ask yourself how and where the finished piece will be promoted. Returning to that trade-industry-publication example for a moment, I imagine that an editor would be delighted to integrate the success story into a broader piece – as long as the content had some useful lessons, and the problem-solution pair was timely.

In fact, that promotion would be a nice compliment to your customer. They’re only going to approve the final draft if it reflects well on them. Any buzz the story generates for you will reflect well on them, too. The appeal of free press can be a deciding factor for smaller customers, and at least a deal-sweetener for larger customers.

Cyber Security Case Study Best Practice #4: Attack The Status Quo

As I mentioned above, case studies are wonderful vehicles for contextualizing your solution. They’re superb at satisfying our ‘storytelling minds,’ and allow you to draw sharp contrast with ‘the way things were before’ with ‘the way things are now.’ For the better, of course.

Shape Security’s case study does a great job explaining why conventional defenses weren’t working:

Cyber security case studies should always contrast the sponsor’s solution with competitors’ inferior approaches.

There are three big benefits to doing this:
1. Explaining how attackers were getting around the existing defenses implies why the customer chose to work with Shape Security.
2. As an added bonus, you get to state why ‘the other guys’ weren’t up to the task.
3. It also helps readers understand what makes Shape’s service different, which is especially helpful in cases where the solutions are abstract and can be confusing.

This is where your case studies can give nice supporting context to other sales collateral.

Cyber Security Case Study Best Practice #5: Summarize Your Process

For all the detail about the attack target, methods and impact, I was surprised that this case study didn’t describe Shape Security’s implementation process.

Cyber security case studies should mention the implementation process to enhance credibility.

Missed opportunity

That’s an important detail for case study readers. Sure, they want to know how your solution works, but readers also want to know what it will be like to work with your team.

Where did ‘bumps’ occur? How did you handle them? What can prospects do ahead of time to lay the groundwork for a smooth implementation? What will you do differently next time?

These are just a few thoughts to get the ball rolling. You don’t have to address them all. A few details would give a glimpse into the process of working with you.

In fact, I’d argue that it’s essential to ‘reveal’ a few of the bumps you experience along the way. It builds credibility. By acknowledging that there was some difficulty, it helps the reader trust the rest of the case study, especially the end results and the customer’s happy testimonial.

More so, given that Shape’s solution ‘was deployed in weeks.’

Cyber Security Case Study Best Practice #6: Impress With Detail

I have mixed feelings about the case study’s conclusion. The chart is awesome. And these metrics are solid:

• Once in full blocking mode, the Botwall began deflecting over 90% of the traffic to the login page. At the same, normal business metrics did not change.
• Once the malicious traffic was deflected, overall website latency went from 450 milliseconds to 190 milliseconds.

These quantitative results are a great way to end the case study. They give a nice sense of resolution to the problems described in the beginning and highlight what I imagine are Shape Security’s key messages.

The concluding paragraph even starts strong:

The Shape Botwall blocked all automated adversaries. In the week following deployment, all adversary groups abandoned their attacks – a typical response when automation is no longer effective.

If the case study had ended there, it would have done so with a bang. Instead, it fizzles out with these vague final lines.

Credential stuffing is one of many types of automated attacks. New defense approaches, focused on deflecting automation, can reliably stop these website attacks.

Rather than leaving the reader with a single sharpened point, these sentences dull the impact of the conclusion. They contradict the power of case studies to illustrate an example by making a generic statement that’d be more appropriate on a sales sheet.

There you have it: six practices to make your cyber security case studies stronger.

1. Tell a Positive Story, especially in your title, subtitle, and subheaders.
2. Connect with emotion to elicit an empathetic response from your readers.
3. Plan your promotion on multiple channels.
4. Attack the status quo to make your offering stand out.
5. Summarize your process. Readers want to know what it’s like to work with you.
6. Impress with detail. Case studies are an opportunity to get specific on broad promises made elsewhere in your marketing collateral.

If you found this post helpful, please share it with friends and colleagues.

Need case studies that build trust and boost sales, but don’t have the time to do it in-house?Learn about my case study writing service.

No Comments