Selling IT security in the Age of Digital Transformation

In a world of evolving threats and new digital business models, cybersecurity is essential. In fact, the coronavirus crisis has exposed the organizations, products, and services that did not take cybersecurity seriously.  COVID-19 has fast-tracked more digital transformation, cloud, cloud security and cybersecurity projects than any marketing or sales campaign could have dreamed of. But selling cybersecurity is not easy and it can be downright complex, frustrating, and confusing.

Everyone says they are a cybersecurity company these days. In fact, if you google “top cybersecurity companies“ you’ll get a list of companies so diverse that your mind spins. One of the major challenges is that the definition of cybersecurity changes depending on what a company is selling or who they are selling it to. TechTarget gives a great overview of what cybersecurity is, which is important to understand because cybersecurity is not InfoSec (information security). In the end it’s all about securing interactions. In fact, folks often overlook physical security, which is also part of cybersecurity. I once spoke with a CISO that told me he was looking at reports on unauthorized network traffic to internal servers and realized they were coming from the cafeteria, where anyone, whether employee or guest, could plug their laptop directly into Ethernet outlets. Yes, that should be part of your cybersecurity strategy also. At its core, cybersecurity is about securing the interaction between users and data against cyber-attacks and security lapses. That has become increasingly complex, and the acceleration toward a more digital enterprise does not make things any easier.

Chaos Theory

If you have worked in IT or even know anyone that has worked in IT, the first thing that becomes obvious about IT organizations is – chaos theory. Yes, you heard that right my non-techies. IT departments are a random collection of chaotic complex systems, with underlying patterns, interconnectedness, constant feedback loops, repetition, self-similarity, fractals, and self-organization, where one small change in one state of a deterministic nonlinear system can result in large differences in a later state. Got that? It just means that stuff breaks all the time because of the sensitive dependence on initial conditions. No, I’m not that great a wordsmith; I got all that from Wikipedia. To simplify: when securing data while it’s in use, in transit, or at rest, implementing cybersecurity solutions that are meant to solve security challenges can also break everything. Cybersecurity and workforce productivity can be a delicate balance.

Selling Cybersecurity

So, how can companies credibly deliver on promises for cybersecurity? No one company can deliver on that complete, comprehensive cybersecurity vision. A few can deliver on most, but none can do it all. To deliver a comprehensive cybersecurity solution you need to have a huge footprint inside this new perimeter-less digital infrastructure. This means having a footprint with user access, any type of endpoint (IoT, mobile, PCs, servers), any type of network (cellular, satellite, Wi-Fi, LAN, WAN), any type of cloud (public and private) and wherever data resides (in use, in transit, at rest). A few companies such as Microsoft, Cisco, Dell Technologies (VMware, RSA, SecureWorks), IBM, etc. have such a footprint, but even they need security technology partners to shore up the gaps they cannot cover. For example, let’s look at the NIST Cybersecurity Framework, which gives you a great overview of the foundational elements of what is required for a product or service to deliver cybersecurity.

As you can see identifying, protecting, detecting, responding, and recovering from a cyberattack or security lapse is a tall task for just one company to deliver with their current products and services portfolio.

Cybersecurity Ecosystem

Most of you have seen some version of this image. It is a daunting list to look at. The security landscape looks crazy, doesn’t it?

Lots of products and solutions to sift through. If you have ever seen a CISO’s priorities and budget, you will understand why this is the reality. There are a lot of areas and gaps to address when it comes to cybersecurity, and in some cases you just need a specific product or service to address an issue. However, to effectively execute on any cybersecurity strategy, organizations need a solid digital infrastructure that is modern, can scale (out or in), allows integration with various security technology partners, and can be automated. Automation is key, as there is nothing worse than an alert or error message sitting unread in a log somewhere. Why is automation so important to cybersecurity? For example, user access and endpoints should offer integration points with the networking or data infrastructure so that the response to cyberattacks or security lapses can be automated and the impact mitigated. No one should be able to log in to an app from New York and then ten minutes later log in to that app from Australia without their digital infrastructure automatically responding to that.

Keep it Simple Stupid

So how do you sell cybersecurity? I think you must focus on four key areas: understand the audience, be laser-focused on what you can deliver, develop good business intel, and create the right content for your target audience.


Understanding your audience is key. You must tailor your message to all the different types of cybersecurity personas you will encounter. And let us face it, this may be the most diverse audience in the history of selling to IT. In my opinion you must have a multi-prong security selling strategy.

  1. Executives – Selling from the top down. It’s important that the Board, CxOs, and primarily the CIO and CISO understand that too many different solutions make you less secure. They are also in the perfect position to force the gatekeepers not to be all over the place. I can’t tell you how many times I’ve seen the networking guy derail an end-to-end security solution deal.
  2. Business decision makers – These guys are looking for solutions that not only deliver on the promise of cybersecurity but also make their business unit agile, efficient, and effective. Your sales leader will not adopt a cybersecurity strategy that slows down the sales process, whereas your HR leader is looking for something that allows quick but secure onboarding and offboarding. I can’t tell you how many people I know who have access to applications from companies they left years ago because someone needed to make it easier for someone to access some specific app.
  3. IT decision makers – These guys want to know the nuts and bolts. They don’t care about all the fluffy stuff that typically gets thrown around. Save your “next-gen”, “mission critical”, “end-to-end” jargon for someone else. They want to know what security capabilities your product or solution has, what integration, capacity planning, scaling, support, etc. look like, and how it delivers on the security, compliance, certification, attestation, and security models they are trying to implement or achieve. And you can’t talk smoke to these guys. They will expose you in an instant.


In my opinion, when selling security there are three key elements software companies need to focus on:

  • Security products and security features in their products
  • Cloud security and cloud services security capabilities
  • Compliance around certifications, standards, and regulations

It’s really that simple. Not much more to say on that. Stay focused on what you actually do.


I find it astonishing that most organizations do not keep accurate track of which compliance requirements customers are looking for. I often see this as one of the most overlooked parts of business intelligence. Can you look at your sales opportunities right now and filter all deals closed and/or opportunities that required FIPS, STIG, ISO 27001, NIST, HIPAA, SOC 2, FedRAMP, etc.? And is it accurate? If you can’t identify most of the compliance-related opportunities for your sales and services workforce, you’re missing out on a huge opportunity to truly target those prospects with the security differentiators you can deliver on.


Most organizations have not taken the time to centralize security content and resources. Browse the website of most technology companies and you will be shocked at the lack of security and compliance data they provide. A few do it well, such as AWS, Microsoft, Cisco, and Salesforce, but for the most part it is frankly a travesty. If I can’t get to all your security and compliance related content from your main security landing page, then you’re doing your cybersecurity story an injustice. Why should I have to go to ten different landing pages to learn about all your different security and compliance alerts, documentation, customer stories, design guides, tools, products, solutions, features, capabilities, certifications, etc.? That should all flow from one page. If you address Derived Credentials, you should have that info somewhere on your website. I don’t care if it’s a bullet item, but if a salesperson has to check with an SE, who has to check with a product marketing manager, who has to check with a product manager, who has to check with “the security guy”, who has to check his email archive, to deliver that information, that is truly a waste of time. I want you to think of how many resources were used to answer that one simple question.

In a nutshell these are the basic pieces of content companies selling cybersecurity should provide:

  1. Solutions content: How your products/solutions can transform an organization and the problems it can solve.
  2. Product content: Yes, listing actual security features is a good thing. The “bells and whistles” are required content for the tech heads.
  3. Customer references: No better way to sell than highlighting those wins and the customers that have implemented these solutions.
  4. Cloud security/cloud services security: Your shared responsibility model for security and what kind of security features, auditing, forensics, etc. you can deliver from the cloud.
  5. Compliance: Proof on how you address compliance and regulatory requirements.

Selling cybersecurity is tough going but you can simplify how you execute on it. And frankly most of it revolves around creating the right processes, content, and then executing on how you can help organizations to achieve the core elements of being cybersecure.

Stay secure my friends.