Selling to CISOs
Selling cyber security products and services is challenging at the best of times. Security, even though it is understood to be essential, tends to be a grudge purchase for most businesses.
“Security is aimed at preventing a business from falling victim to a breach or another kind of cyber attack. It’s aimed at limiting a company’s risk, and stopping it from losing money, or having its reputation damaged in the event of an attack. This could happen in several ways. Fraud, theft of proprietary data, or even the leaking of customers’ private information, be it credit card numbers or passwords,” explains Louise Robinson, MD of CG Consulting.
The bottom line is, it isn’t a purchase that will help a business profit in any way, nor does it help to streamline operations, lower expenses, or make your company better, she adds. “While the majority of businesses today take security seriously and allocate a good portion of the IT budget for security investments, many companies have trouble justifying their investments in infosec tools and solutions.”
She says security investments usually happen for one of several reasons. “Firstly, there’s the company that invests in security because ‘everyone is doing it’. Without any real understanding of the issues, they will jump on the anti-virus or firewall bandwagon because everyone else is. This doesn’t equate to common sense, because they are doing it only to follow a trend. They have little to no understanding of what is really needed to adequately defend their organisations.”
Next, says Robinson, is the panic buyer, who will suddenly splurge on a plethora of security tools following a major security incident. “There’s nothing like a company losing money or being mentioned in the media following a breach to make similar businesses up their efforts. An embarrassing incident is a best seller. They think if it can happen to a competitor, it could well happen to them too. Unfortunately, again, they don’t really understand what they are buying and why.”
There are also companies who invest in security merely to tick the compliance box. “Regulation now demands that businesses have security in place, and face serious consequences should their measures be inadequate and a breach occur. Laws and standards had been developed to prevent customers’ details being exposed, and businesses are toeing the line. Again, information security is aimed at preventing disasters, and therefore has a negative connotation.”
Ultimately, security vendors need to make potential clients understand that the cost of their products is far, far less than the cost of a major security breach, and that they need to decide what their appetite for risk is, and spend accordingly. “The challenge is trying to sell security solutions, bearing in mind all the reasons above. Security vendors need to ‘best guess’ what a particular company’s weakness is. Are they afraid of falling foul of the law? Or does the risk of an embarrassing headline in the media scare them more? It’s really a little hit and miss.”
Now for the good news, Robinson says. “The most effective way to sell security products and solutions is to speak to the right people in the organisation to begin with. The CISO understands what security is about, and what tools and solutions are a good fit for his business. He’s not going to jump on the bandwagon because everyone else is doing it. He understands the potential damage a breach could do, and is willing to spend to prevent it.”
So how to reach these guys? “A good database partner will be able to provide the details of all high-level people in target organisations, or just lists of C-level targets across a range of businesses if that’s what the client requires. To successfully sell, there’s no better way than speaking to the right person in the first place. We have a complete database of CISOs as well as all other C-level executives in South Africa. Combined with our experienced lead-generation teams, we ensure that our clients can reach the right people,” Robinson concludes.