Dear Readers,
Being in the Field of Computer Network & Security, we face the hurdles in selling/proposing the Information Security solutions to our clients.
Being in the Field of Computer Network & Security, we face the hurdles in selling/proposing the Information Security solutions to our clients.
In this article we will read the aspects of Information security selling in detail..
Information
assets are critical to any business and paramount to the survival of any organization
in today's globalized digital economy. When information is not adequately
protected, it may be compromised and this is known as an information or
security breach. The consequences of an information breach are severe. For
businesses, a breach usually entails huge financial penalties, expensive law
suits, loss of reputation and business.
why
is Information Security viewed as a niche?
First
and foremost it is a business challenge, so why place those accountable in a
technology role? When you place Information Security under the control of the
technologists, their accountability is greater than their influence which
equates to expensive, inefficient and often ill-conceived ad-hoc solutions.
Rarely are we stronger as a result.
IT managers need to embrace Information Security and work
closely with Security Specialists to develop ROI. Not just a return from a
security perspective but from a business perspective.
Learn to ask the right questions of the Security Experts:
For instance if a business is having difficulty billing all
internal customers for systems used the solution can be provided from a whole
host of open source security tools that generate a concise listing of IP
enabled devices and categories them for you against business lines. After all
you can't secure what you don't know about!
We need to find more and more of these Win -Win situations.
An effective security specialist can cost you millions or save you millions and
for greatest effect you must allow them to work across your business and not
only the technology segment. By careful cooperation Security can deliver
directly against the bottom line.
Information Security is bigger than many CEOs and IT
managers realize and Security Specialists should invite them in otherwise they
will never understand just how big the Tardif is.
There are a host of reasons why a potential customer
wouldn't be interested in buying security, but perhaps the most common one is
the belief that the customer simply doesn't need what you're selling. Many
business owners and IT professionals suffer from, "It won't happen to me,"
syndrome. They're convinced that because "It hasn't happened yet," or
they "don't have any data people want" or "are too small to be a
target," that they can be lax on security. Your most important job, as a
security provider, is to overcome objections and protect the client.
Finding the return on security investments:
In my experience selling information security, the most
common objection is driven by a perceived lack of tangible return on security
investment, as well as the belief that security is expensive and interferes
with operations. Unlike a new server, upgraded productivity software, etc.,
showing return on security investment (ROSI) is less intuitive because people
see it as a disabler. But in fact, a security investment can also yield
productivity gains. If you take a closer look in search of return on investment
(ROI), you may not only close the sale, but you may become a deeply trusted
business consultant as well.
You must convince the client that doing nothing is worse
than writing a check. One major source of return on security investment is
productivity. Yes, productivity can be substantially increased by driving
employees to be less distracted and to follow organized procedures for doing
their daily tasks. For example, the implementation of Web filtering and user
monitoring software can ensure users are spending their work hours doing
productive work for the company. Another example is data-loss-prevention. By
not allowing documents to enter and exit the network unchecked, there is far
less time spent searching for the documents and validating their security
status, a process that can be quite time-consuming and costly during IT or
compliance audits. Other ROI from security can range from 25% gains in sales
activity, to massive increases in collections and manufacturing production.
Handling security fears and resistance:
Help your client deal with the political upheaval, and
employee complaints, often caused by security initiatives. One way to deal with
the politics of employees is to make them part of the initiative to protect
their jobs and raise their own productivity. Believe it or not, there is "sexiness"
to participating in security. If you get employees invested and proudly talking
about their involvement, you will see far fewer objections, and you may even
see some employees coaching others to come along.
When selling information security, you must find the risk or
tangible losses that may come from not having your product or service, and seek
to quantify those potential losses.
Fear, uncertainty and doubt or FUD, can make or break any
deal. Clients may be quick to accuse security solution providers of using FUD
to sell them stuff. In my experience, this is the ultimate customer fallback,
especially with IT staff. They may say to each other, "Oh the consultant
is just trying to scare you.
However, FUD can be a powerful mechanism to find the risk
manager in every business person. In my consulting and presentations, I
confront this during my introduction. For example, I will say, "These are
the laws of the land. I don't necessarily agree with them, but hating me will
not change that." and, "I am an expert. I do this everyday and yet I
am fearful, uncertain and doubtful too. If you are not, you should be."
Now you are sharing in their fear and uncertainty.
Then be ready to give real examples of tragic
information security events in other small or midsized businesses that are
similar to them. Show your client the actual regulations and tangible penalties
for failure to comply. Be prepared to counter the common mindset that
everything is good and they need not worry. Patching systems are a great
measure of the most basic security within a network. It is also one of the most
despised and least effectively managed IT processes. Ask your client about
patch currency. If you are willing to gamble a little, bet on their patching being
out of date. This is a pretty safe bet in my experience. Do an inventory of the
patches. Then use that as a benchmark assumption to get the decision maker to
realize there are bigger hidden issues and maybe IT isn't as on top of it as
they thought they were.
Communicating with the client:
Be careful how you communicate with your client. Don't use
fancy acronyms and try to blow them away with your knowledge. If they feel as
though you are presenting yourself as superior, rather than aware and
concerned, you will fail. You must inspire them into action or at least self
preservation. A major unspoken objection (and this can be the hardest to
overcome) is the intimidation factor. Security and compliance in particular
both require a depth of understanding and expertise that cause many to be frightened
into inaction. Clients often feel they don't have the time or capacity to
understand. If you perpetuate this feeling rather than helping them overcome
it, you will not close security deals or they will be short lived. If you can
help them mange fear, you will be able to build a consulting relationship with
them that will last a long time.
Above all, let your clients know you care about them and
their business. If they question your motivation and don't believe you are
sincere in your desire to help them achieve their goals, they will not listen
to your advice. Take the time to ask them about their beliefs and understanding
of security. Assure them that you understand it is complex and a little scary.
Show them how you are there to help their IT environment become more secure and
to make them the leader of their security initiatives.
Selling most of information security services and products
is a challenge to the vast majority. The reason is that security is generally
something to prevent the company from the possibility of losing money (whether
by the leak of information, fraud or any other way), and it is neither just
some money that you spend today to make profit tomorrow, nor something that you
can use to cut costs and make your company more.
Except for some mature companies, which, in general, take
security seriously and consciously invest a lot of money in information
security, most of the other companies have trouble justifying their investments
when it comes to security.
After some years of experience, I would say that most
security investments are done for one out of five main reasons, which became a
rule of thumb for me when my hope was almost dashed trying to help the sales
force with the best way to sell security products and services. The reasons are
described below.
Information security incidents, unfortunately, are also good
sellers. The 9/11 incident and similar situations sell more security than any
of the other four reasons. The motive is quite obvious, just looking how the
airports became stricter after this cruel incident….
Compliance is also a good seller, but generally occurs after
a big disaster, such as 9/11 or what occurred with the late Arthur Andersen.
SOx and many other regulations, laws and standards had been developed with the
intention of prevent such disasters reoccurring or to prevent them from being
so calamitous.
Finally, sponsorship is not so common, but happens when
someone in the company Is interested in security issues and has the authority
and power to sponsor security investments.
Putting the pieces together, the challenge now is trying to
sell security knowing all of the above.
Happy Value Selling!!
