Tuesday, February 24, 2015

Selling IT Security to CxO

One unanswerable question I get asked is how much money we will make by investing in enterprise security. The real answer is “Nothing”. Technically, spending on security is one of those streams that can’t be mapped to profit, but it can definitely be mapped to preventing losses and a bad name. The money being spent is real but the results are abstract.
The best approach I have come across for selling security to the big guns is to use worst-case scenario examples and real-life incidents from similar and non-similar industries. For example, if you are dealing with Telco executives, a perfect example would be what happens if the signalling infrastructure is compromised or a border router vulnerability is exposed. This would lead to all hell breaking loose.
Similarly, if you are dealing with health executives: what if health records are stolen, or data is lost because DLP was never implemented, or patient information is overwritten? If you look at it, all of these apply to every industry, but with varying levels of importance.
These scenarios can be hypothetical, but when combined with a strong business case, gap analysis, real-life scenarios and log analysis, as well as historical evidence, every stakeholder will eventually agree that spending on security is required.
If your stakeholders are savvy and quick to understand the benefits then your job is done, but as I have seen in many enterprises and SMBs, an early YES has happened in only 10-15% of instances.
To strengthen your argument, add values to every scenario. This could be time lost, money lost, device failure, incidents, or compliance and audit issues. Every angle counts, and if you need more pillars to hold up your case, add the following to your report.
  1. Losing goodwill because company/product name gets tarnished.
  2. Losing productivity
  3. Customer complaints
  4. Loss of intellectual property
  5. Losing partnerships
  6. Loss of customer data
  7. Defence and Lawsuit settlements
  8. Compliance issues
  9. Time to fix
  10. And last but not least “we are responsible, so we need to be diligent”
In this era, selling security doesn’t have to be monetary-based or a sales pitch. Commitment to security can be achieved using a tailored, consultative, growth-spurring, win-win approach.
All you need is the right attitude.
