Every day, around 8:30 AM on my way to work, I drive by an Apple store.
Every day, around 8:30 AM, the Apple store is full.
Sometimes I ask myself: Are those the same people just hanging around, every day? Or are those different people?
The answer doesn’t really matter; what matters is that a good portion of them will leave the store with their new iPhone, iPad, iDontKnow.
Which brings a question to my mind: why are some things so easy to sell, while others are a struggle?
Yes, you know what I’m talking about: As an information security professional, selling security to those that should be actually as interested about it as they are about a new iDevice. But unfortunately few other people outside our field care about Information Security as we’d like them to do. This needs to change!
Hopefully this article will help us understand the reasons behind it, and also what can be done to improve our position when business thinks it’s a great idea (or business opportunity) to open the floodgates on the firewall, or to skip security during project planning, so that the new product can hit the shelves before our competitors.
Let me open with some facts:
- While every IT user knows that a firewall, antivirus or anti spam “must” be implemented (technology) to “make us secure”, the human factor is often the most neglected part of an organization’s computer security.
- Low awareness is like a snow ball: users commit “petty offenses”, such using a weak password or writing it down on a post-it note. If, for example, this user is a project manager, the perception that security is not taken seriously within the organization will reflect (guess what!), on the project they are managing/planning.
- While security professionals are responsible for educating the organization on security best practices, most often than not their position will not grant enough power to mandate it. Without sufficient support from senior managers, any initiatives by those holding information security positions will fail.
- Senior managers not only need to provide adequate funding for a security program, they must also serve as role models for the staff in order to underscore the importance of internal security efforts.
And that’s exactly where the question lies: How do you sell security to those that can influence? With a sound background on sales, things would be much simpler, but I know that most of you, like me, come from a technical, “0s and 1s” background. And that’s where the border line between good professionals and outstanding professionals will arise. Even though you are not a sales person, one of the most striking abilities of human beings is our adaptability to a situation. But what characteristics must you improve to become an accomplished InfoSec professional with sharp sales skills? Let’s highlight the most obvious ones:
1- To be credible
Specially in our field , credibility is almost everything. We need to be seen by the organization as a medical practitioner doctor. Our recommendations on what strategy to adopt, and decisions on what path to follow must provide all involved parts with comfort and assurance that it’s the best action to be taken at that moment.
2 – To demonstrate expertise
I bet that you usually bump into persons that seem to know about everything. No questions are left unanswered, and they don’t flinch even at the thorniest dilemma. Professionals possessing great expertise/experience don’t take more than a couple of minutes to provide hesitating stakeholders with a sense of security and increased confidence that things will be done properly, at the first try.
3 – To be an effective communicator
What’s the benefit of being a walking encyclopedia if you do not know how to process the information and deliver it according to the audience? The key to be an effective communicator lies on being multi-faceted, and tying up loose ends to build a network of people that trust you.
4 – To “be” the business
This characteristic is what will definitely set you apart. Knowing the business is definitely important, but being able to put yourself on their shoes (and letting them know that) is what will give you privileged influence when selling security to the business, board, stakeholders and users. At all times, they must know that you share the same goal, although usually sitting on opposite sides of the table. Security improves quality, facilitates win-win outcomes and is heavily based on a constructive dialogue. Such approach will certainly leverage your credibility.
There are obviously other important characteristics that further establishes you as a prime Information Security professional, such as punctuality, integrity, transparency and the list goes on, but the values above are most likely to create a good first impression.
Finally, conveying all these qualities is only part of the solution. To be effective when selling Information Security to the Business or whoever your stakeholders are, try to follow the checklist below:
- Information Security is complicated enough, don’t make it worse. Use a simple language, avoid technical terms and highlight the risks in a way that the audience can grasp the impact to the business as whole;
- Security is always easier to sell when coupled with a business requirement. For example, an application requires a new functionality that requires an add-in. That’s the best time for you to embbed that missing security that bothered you for months;
- Remind senior managers of their accountabilities. They can surely delegate the tasks to you, but at the end of the day, if something goes terrible wrong, they will be in the line of fire (with you ); and
- If everything else fails, a bit of fear mongering does not hurt. That’s usually how the government push security on you and I. If it works for them, it might work for you too!
I hope you all have a good week, and if you have any question or suggestions about this or any other article, do not hesitate contacting me!
Adriano Dias Leite.