The article below was originally published in English on LinkedIn Pulse.
When I began working as an Information Security Consultant, I imagined that a consultant's life was only about "solving customer issues". As a consultant, I would arrive at the client site, analyze the environment, make suggestions and solve the problems. In other words, be a hero. Of course, all my suggestions would be applied. Why? Because I'm a consultant, an expert on the subject.
More than ten years later, most of my recommendations were not applied. Sometimes I was wrong; at other times the customer simply didn't care, or they had already had the same thoughts. But only this last case made me wonder why a customer would decide to spend money hiring me if he already "knows" what he wants to do.
I still haven't found the exact answer to this question. But the time and experience acquired in this segment have taught me something. The most probable explanation is that:
Security is too hard to sell.
I'm not only talking about selling a product, a project or even a solution. The idea of security, the concept of security, is also hard to sell. Security is so abstract that your employees or coworkers don't see value in it. And the first rule of selling is to show the value of what you are selling.
It is hard for a CSO/CISO to sell Security to the company board or to the CIO. Security is most of the time seen as an expense and not as an investment. Security is about spending money in order not to lose more money, like an insurance policy. I love and I hate it when somebody asks me about the ROI (Return on Investment) of a Security solution. I love it because they understand that it's not an expense, but I hate it because sometimes you cannot show how much money the company is avoiding losing.
The only time when selling Security can be easy is when the company has just become the victim of a failure. That's a hard moment for us as well; we look like a funeral company visiting the family to offer services. But it's part of the job, and even though it is a sad moment for the company, it can be the right moment to change something and adopt a Security process so that the problem does not happen again. Here is the ROI you were asking about.
As this doesn't happen often, or at least companies don't allow this kind of news to leak, we appeal to the law. Compliance becomes the leading driver of Security sales. Every time someone decides to regulate some market, our "apocalypse riders" go to the company to preach the end of the world. Sometimes it works, because the CFO and the Risk & Compliance teams help the CISO raise funds for Security.
I was about to forget this. Big breaches also help us sell Security. That's a special moment where I have to thank the celebrities for taking naked pictures of themselves with their mobile phones. Another special thanks to the companies that don't take care of their security and had customer data, like credit card numbers, stolen by cyber criminals. As the news spreads, companies look inward so as not to be the next one.
I know you probably want to ask me whether it is true that security and antivirus companies build malware or run attacks against companies to sell their products. Am I right? We stopped that, definitely. The Internet, Governments, your Competitors and Kids are doing it by themselves, and what we don't like is that kind of unfair competition.
Image: The Wolf of Wall Street (2013) Warner Bros.
Fabio R. Sobiecki de Sales, CISSP, CCSP, CDPSE
Written in September 2014.
Originally published on LinkedIn Pulse – https://www.linkedin.com/pulse/20140922105636-8638059-behind-the-scenes-the-difficult-art-of-selling-security/