
Selling Security

Written By: Brian Bertacini September 06, 2012

A few months back, some of us were discussing the issues one of our clients was having in convincing their management to invest in a more thorough security program.

I had a couple of suggestions for the client, and one of my staff suggested that I write a blog entry about how to sell information security.  I have been directly involved in sales of security products and services for over 12 years, so this was a question that I was intimately familiar with.  I started doing a little research to see what has been previously written on the topic, and quickly found a great article published by Bruce Schneier in 2008 on the topic.

In Schneier’s article, he talks about the challenges of convincing people to invest in defending against negative consequences, Prospect Theory, and the strong cognitive bias that leads people to be risk averse when facing potential gains and risk tolerant when facing potential losses. To illustrate the concept, he describes an experiment in which groups of people are presented with two similar but opposite choices: the first group is asked to choose between a guaranteed $500 gain and a 50% chance of either a $0 or $1000 gain. The second group is asked to choose between a certain loss of $500 and a 50% chance of losing $1000.

If you look at the two choices from a mathematical or economic perspective, they are almost identical in expected value. However, the studies Schneier cites show that people don’t make rational decisions about gain vs. loss at all; rather, people have a strong bias in favor of guaranteed gains and, when facing losses, a strong preference for gambling on the potential loss instead of accepting the sure one.

Schneier’s article definitely matches my experience in the information security field, and gave me a lot to think about. I started wondering how closely the results he cited would match up with our customers and my contacts in the security industry. Since then, I have been conducting an informal survey and presenting the above scenario to people. What I have found is that most engineers and individual contributors are more willing to accept upside risk than their counterparts in management. A far higher percentage of the technical staff opt to take a chance at $1000, whereas managers are more likely to accept the guarantee of $500. I found the opposite to be true when the same groups were presented with the downside risk options. Most people chose to accept the risk of higher potential losses, but managers were far more likely to gamble than their technical counterparts.

While Schneier’s article discusses the roots of the problem of encouraging investment in security in some depth, it stops short of proposing strategies to make a challenging job a little easier.

Certainty versus Uncertainty

Convincing management to invest in security is almost always an uphill battle, especially considering that most managers are risk tolerant when presented with an alternative that requires investment versus one that does not. Let’s face it: selling security is often difficult work, but it’s not impossible. Accordingly, you need a solid game plan if you want to be successful. Here are a few suggestions that will go a long way:

  1. Understand the business—this cannot be overstated. Success requires a firm understanding of the organization’s mission, key business plans and strategies, and critical business processes. Knowing what makes the company tick will help you identify important liabilities, along with internal and external commitments that require the application of information security and risk management.
  2. Understand the decision-making process—identify key decision makers and influencers. To be a successful agent of change and/or influence decision making, you need to understand how things get done. Understand that most executives are driven by both organizational and personal goals. Look for win-win opportunities that help influence a positive decision.
  3. Deliver genuine business value—one of the reasons it is difficult to convince organizations to invest in security is the perception that it has limited value. Look for opportunities to provide tangible benefits from the security investment. Better integration of security processes into the product development cycle can improve time-to-market by requiring less rework; well-designed security programs can often reduce compliance costs; and for many organizations, especially technology service providers, robust information security can be used as a competitive advantage.
  4. Demonstrate leadership—most security projects involve the implementation of new systems (hardware, software, etc.) and/or business processes. This typically requires management and oversight of the system development lifecycle to ensure success. Demonstrate your understanding of system requirements and critical success factors. Make sure proper resources and personnel are adequately planned for. Accept responsibility and be accountable…that’s leadership.
  5. Always be closing—consider yourself a salesperson. Good salespeople are always working towards making their case and closing the deal. Arm yourself with relevant information and look for opportunities to sway decision makers and influencers. Know what your competitors and partners are doing, what’s working and what’s not. Remember that decision makers are looking for validation; they want to know their investments will return dividends to the company.
  6. Establish credibility—you must be credible if you’re going to succeed. This means having a solid game plan that demonstrates you’ve done your homework and have a firm command of the issues. Be prepared to have your initiatives and assumptions questioned and picked apart; good responses that show you have considered alternatives will establish credibility. Plans should include revenue and expense benefits to the company. Include a summary of your track record, including previous successes, failures, and observations. Before you make your case to key decision makers, work with your peers and supporters to anticipate questions and prepare solid responses. If you cannot project credibility, you’re dead in the water.
  7. Build on successes—work hard to maintain a positive reputation. Make sure to follow through on previous project commitments. Remember that you will be judged on previous projects and the success or failure of those efforts. If previous efforts have met with mixed results, be clear on why and be prepared to show how you plan to make sure future plans succeed. Getting buy-in for future projects will always be easier when you have a successful track record.
  8. Don’t bite off more than you can chew—don’t try to boil the ocean. You will find it’s easier to build success in incremental steps. Applying this approach to security programs and projects helps gain momentum and creates an environment in which stakeholders build confidence over time. Remember, mountains are moved one stone at a time.
  9. Leverage allies—going it alone is tough, and single-handedly convincing decision makers to invest in projects they are already predisposed to reject is even harder. Work hard to identify allies and supporters who have vested interests in your proposal’s success, who believe in what you are trying to do, or who have similar organizational responsibilities. Remember that it is far easier to disregard one person’s opinion than that of a large group of people. It’s rare that the lone-wolf approach is successful in the long run.

In the end, selling security, whether from the outside or the inside, is seldom easy. In many ways, information security is probably the most difficult technical discipline to sell. Understand that human nature is often against you, and that oftentimes your plans and proposals may be rejected. Prepare for the long haul and don’t let rejection divert you from long-term goals. Realize that as an information security practitioner, your goal is to help organizations manage risk, not eliminate it. Ultimately, the challenges of presenting your case and helping define a strong information security program can be rewarding for both you and your organization.

Brian Bertacini

Brian Bertacini founded AppSec Consulting in 2005; since then the company has become a leading provider of IT security testing services, PCI assessment and validation, training, and security technology integration for businesses of all sizes, including start-ups and large global enterprise clients. Mr. Bertacini is a member of ISSA, ISACA, and OWASP. He has more than 20 years’ experience in software development, systems engineering, and information security, fulfilling various roles at IBM, Varian, and Fujitsu. Brian is the founding member of the Silicon Valley OWASP chapter, and he oversees the management of AppSec Consulting to ensure the company’s valued clients receive the highest quality of service.