6 Steps to Selling Security to the Business

I spent a little time this week on two Twitter virtual discussions (#secchat, #hpprotect) covering security innovation and the like, where invariably the topic ended up focussing on how to promote or sell security into a business. This could be either from a vendor perspective, trying to promote new products or features, ultimately to make license revenue, or from the perspective of internal security staff, attempting to justify business cases or budget for infosec related projects.


Goals

The actors promoting security can generally be broken down into two categories: one external and one internal to the organisation.  Externally, there's the vendor or consultancy practice looking to generate license revenue or billable days.  The driver for their involvement could be a mandatory compliance initiative or the result of a data breach or attack.  In that case the sale is often based on quite tangible aspects, or is more of a feature based sell.  The buying organisation already knows the use cases and the benefit they will receive from implementing a particular product or piece of delivery work.

If the buyer doesn't necessarily have an initial driver or appetite for a product or service, there needs to be a concerted effort to introduce them to the benefits and value of implementation.  At a high level those goals tend to be related to:

  • Convince an organisation that they are at risk from a particular vulnerability
  • Show that if that vulnerability is not managed, the organisation will be damaged
  • Ultimately sell a security or security related product or service into an organisation or project

From an internal perspective, there are also several other complex interactions surrounding security selling and awareness.  These can be broken down at a high level into something like the following:

  • CISO needs to convince CxO level board members that security budget is justified and required
  • CISO needs to show that security can benefit the organisation in general and drive efficiency
  • Infosec team members need to gain budget or personnel for security related projects
  • CISO to raise awareness that an organisation will be attacked regardless of protection level

The above are just a few examples of the goals internal and external security actors try to fulfil.

Obstacles

Information security is often not seen as a key requirement and isn't generally proactively sought by organisations.  If they work in the financial services sector or healthcare, there could be mandatory compliance initiatives that help to drive budget and project business cases, but often security is still seen as a restrictive and costly aspect of IT.  Common perceptions that get in the way include:

  • Security is seen as a small component of IT (and IT is seen as a cost to the business)
  • Patching, anti-virus and firewalls are all that is needed for an organisation to be secure
  • Organisations focus on security only when a breach or attack has occurred
  • Security is often seen as costly and as restricting innovation or user convenience

How to Overcome

There are many facets to any sales cycle and I'm not attempting to outline them all here, but from a high level perspective, the following are some of the key areas I always try to focus on throughout the sales process:

  1. Try to show that security can benefit the entire organisation and not just IT
  2. Try to show that security can increase innovation and efficiency
  3. Use a Return on Security Investment (ROSI) calculation to show the long term benefits
  4. Use the ROSI, but also show non-tangible benefits too, such as the brand damage that results from poor security
  5. Define security metrics that can show the benefit of security to the organisation in business terms
  6. Improve awareness and messaging of security across the board
