
Saturday, August 3, 2013

Information Security-Positioning to Clients!!

Dear Readers,

Working in the field of computer networking and security, we face hurdles in selling and proposing information security solutions to our clients.
 
In this article we will look at the aspects of selling information security in detail.
 
 
 
 
Information assets are critical to any business and paramount to the survival of any organization in today's globalized digital economy. When information is not adequately protected, it may be compromised and this is known as an information or security breach. The consequences of an information breach are severe. For businesses, a breach usually entails huge financial penalties, expensive lawsuits, loss of reputation and business.
Why is Information Security viewed as a niche?
First and foremost it is a business challenge, so why place those accountable in a technology role? When you place Information Security under the control of the technologists, their accountability is greater than their influence which equates to expensive, inefficient and often ill-conceived ad-hoc solutions. Rarely are we stronger as a result.
 

IT managers need to embrace Information Security and work closely with Security Specialists to develop ROI. Not just a return from a security perspective but from a business perspective.

Learn to ask the right questions of the Security Experts:

For instance, if a business is having difficulty billing all internal customers for the systems they use, the solution can come from a whole host of open source security tools that generate a concise listing of IP-enabled devices and categorize them for you against business lines. After all, you can't secure what you don't know about!
We need to find more and more of these win-win situations. An effective security specialist can cost you millions or save you millions, and for greatest effect you must allow them to work across your business and not only the technology segment. By careful cooperation, Security can deliver directly against the bottom line.
Only then should Security Specialists mention the additional benefits of upholding mandated standards and finally, right at the end, as a by-product, almost in passing, it can be mentioned that we may have even prevented a hack from occurring! All in order of importance to the CEO.
Information Security is bigger than many CEOs and IT managers realize, and Security Specialists should invite them in; otherwise they will never understand just how big the TARDIS is.
 Parting note to Senior Management, connecting with your IT Security department doesn't mean you have to travel through a worm-hole!
There are a host of reasons why a potential customer wouldn't be interested in buying security, but perhaps the most common one is the belief that the customer simply doesn't need what you're selling. Many business owners and IT professionals suffer from, "It won't happen to me," syndrome. They're convinced that because "It hasn't happened yet," or they "don't have any data people want" or "are too small to be a target," that they can be lax on security. Your most important job, as a security provider, is to overcome objections and protect the client.

Finding the return on security investments:

In my experience selling information security, the most common objection is driven by a perceived lack of tangible return on security investment, as well as the belief that security is expensive and interferes with operations. Unlike a new server, upgraded productivity software, etc., showing return on security investment (ROSI) is less intuitive because people see it as a disabler. But in fact, a security investment can also yield productivity gains. If you take a closer look in search of return on investment (ROI), you may not only close the sale, but you may become a deeply trusted business consultant as well.
 You must convince the client that doing nothing is worse than writing a check. One major source of return on security investment is productivity. Yes, productivity can be substantially increased by driving employees to be less distracted and to follow organized procedures for doing their daily tasks. For example, the implementation of Web filtering and user monitoring software can ensure users are spending their work hours doing productive work for the company. Another example is data-loss-prevention. By not allowing documents to enter and exit the network unchecked, there is far less time spent searching for the documents and validating their security status, a process that can be quite time-consuming and costly during IT or compliance audits. Other ROI from security can range from 25% gains in sales activity, to massive increases in collections and manufacturing production.
 
 When selling information security, you must also find the risk or tangible losses that may come from not having your product or service, and seek to quantify those potential losses. Help the client calculate the costs due to loss of intellectual property or goodwill and the canceling of key partnerships. Identify any significant fines they may face and the expense of legal defense and lawsuit settlements. Don't forget to mention increased insurance costs. 


Handling security fears and resistance:

Help your client deal with the political upheaval, and employee complaints, often caused by security initiatives. One way to deal with the politics of employees is to make them part of the initiative to protect their jobs and raise their own productivity. Believe it or not, there is "sexiness" to participating in security. If you get employees invested and proudly talking about their involvement, you will see far fewer objections, and you may even see some employees coaching others to come along.
Fear, uncertainty and doubt, or FUD, can make or break any deal. Clients may be quick to accuse security solution providers of using FUD to sell them stuff. In my experience, this is the ultimate customer fallback, especially with IT staff. They may say to each other, "Oh, the consultant is just trying to scare you."
However, FUD can be a powerful mechanism to find the risk manager in every business person. In my consulting and presentations, I confront this during my introduction. For example, I will say, "These are the laws of the land. I don't necessarily agree with them, but hating me will not change that." and, "I am an expert. I do this every day and yet I am fearful, uncertain and doubtful too. If you are not, you should be." Now you are sharing in their fear and uncertainty.
Then be ready to give real examples of tragic information security events in other small or midsized businesses that are similar to them. Show your client the actual regulations and tangible penalties for failure to comply. Be prepared to counter the common mindset that everything is good and they need not worry. Patching systems is a great measure of the most basic security within a network. It is also one of the most despised and least effectively managed IT processes. Ask your client about patch currency. If you are willing to gamble a little, bet on their patching being out of date. This is a pretty safe bet in my experience. Do an inventory of the patches. Then use that as a benchmark assumption to get the decision maker to realize there are bigger hidden issues and maybe IT isn't as on top of it as they thought they were.

Communicating with the client:

Be careful how you communicate with your client. Don't use fancy acronyms and try to blow them away with your knowledge. If they feel as though you are presenting yourself as superior, rather than aware and concerned, you will fail. You must inspire them into action or at least self-preservation. A major unspoken objection (and this can be the hardest to overcome) is the intimidation factor. Security and compliance in particular both require a depth of understanding and expertise that causes many to be frightened into inaction. Clients often feel they don't have the time or capacity to understand. If you perpetuate this feeling rather than helping them overcome it, you will not close security deals or they will be short-lived. If you can help them manage fear, you will be able to build a consulting relationship with them that will last a long time.
Above all, let your clients know you care about them and their business. If they question your motivation and don't believe you are sincere in your desire to help them achieve their goals, they will not listen to your advice. Take the time to ask them about their beliefs and understanding of security. Assure them that you understand it is complex and a little scary. Show them how you are there to help their IT environment become more secure and to make them the leader of their security initiatives.
Selling most information security services and products is a challenge for the vast majority. The reason is that security is generally something that protects the company from the possibility of losing money (whether by the leak of information, fraud or any other way), and it is neither just some money that you spend today to make profit tomorrow, nor something that you can use to cut costs and make your company more.
Except for some mature companies, which, in general, take security seriously and consciously invest a lot of money in information security, most of the other companies have trouble justifying their investments when it comes to security.
After some years of experience, I would say that most security investments are done for one out of five main reasons, which became a rule of thumb for me when my hope was almost dashed trying to help the sales force with the best way to sell security products and services. The reasons are described below.
 Everyone knows (I hope) that some security measures are simply necessary—period. Firewalls and Antivirus, for example, are by common sense necessary.
This is followed by what I call “a sheep in the crowd syndrome”, which occurs when you don’t know what you are buying, but you do it just because everyone else does. Don’t confuse it with common sense, because many might think they know the reason for buying security, but in fact they are following a trend.
Information security incidents, unfortunately, are also good sellers. The 9/11 incident and similar situations sell more security than any of the other four reasons. The motive is quite obvious: just look at how the airports became stricter after this cruel incident.
Compliance is also a good seller, but generally occurs after a big disaster, such as 9/11 or what occurred with the late Arthur Andersen. SOx and many other regulations, laws and standards were developed with the intention of preventing such disasters from recurring or preventing them from being so calamitous.
Finally, sponsorship is not so common, but happens when someone in the company is interested in security issues and has the authority and power to sponsor security investments.
 
Putting the pieces together, the challenge now is trying to sell security knowing all of the above.
 
Happy Value Selling!!