I hear often and was reminded today of a common barrier for security people. “They have trouble selling their security program.” I usually hear it when a security person has outstanding ideas and plans but they can’t get anyone else in their organization to believe or fund them.
That’s because they’re not thinking of themselves as a salesperson.
How We Are All Sales People
If you come from a consulting background, you already think about selling. When a consultant jumps to an internal organization, all of the sudden they forget about sales. In your part of a security organization, you are always selling.
You need to sell your boss, sell your budget holders, and sell your organizations on your ideas.
How CFOs Understand Security
I had the opportunity a few years ago to talk with the CFO of a major fast food chain. He was concerned about security — specifically about how they were managing users in the system. He had heard the security team talk about how they needed a lot of money to fix the problem. They showed him PowerPoint decks, analysis and proposals on how much it would cost to fix the problem. Ultimately he asked the question:
[Tweet “How hard can it be to remove a user from a system when they leave?”]
With all of the detail he was provided, the security team never answered that question. In very simple terms, I explained to the CFO the complexities managing users across multiple systems. He got it and he signed off on a project to fix the problem.
Sell Your Neighbor
We all have a neighbor that asks what we do and is completely lost when you describe your security job. Think about what you are trying to accomplish and think about how you would explain it to your neighbor. Jargon? Make sure it’s out or clearly explained. Did you establish the problem? What’s obvious to you is not always obvious to your neighbor.
And finally, think about how your favorite sales person would sell it.
Listen To Professional Sales People
Last time a sales person walked into your office, pulled out the deck, walked through all of the companies who are using their product… at that point you zoned out. Next time, consider it a teaching moment. Listen to how they take complex technology and distill it into something easy to comprehend. (Here’s hoping they are a good salesperson.) Take those skills with you as you internally try to sell your own projects and ideas.
The best security people — and the best Chief Information Security Officers — are those that can help those around them understand the problem and get them to believe in the solution.