Fear, Uncertainty and Doubt. I still see security professionals – especially vendors – trying to use that tired old technique. Even with lay audiences it’s lost effectiveness, and it has absolutely no place in the CISO’s office, inbox, or voice mail. Fear based selling is a cop-out, and a sure way to not get a second meeting with a CISO. So what do we talk about instead?
My day job is leading the pre-sales security architect program for one of the largest security vendors*. We begin not by talking, but by listening. We listen to their strategy and goals for the security program, and how they are leveraging it to support and align with the business strategy. We interact and talk about pragmatic challenges facing security programs – drowning in data, difficulty in converting data to actionable information, staffing challenges, budget limitations, regulatory compliance with unclear requirements and irrational implementation deadlines and so on, yet always in the context of their goals. We share information from peers (without attribution), and across industries about best practices, emerging trends and challenges. We’re all in the war together, and sometimes the immediate value we bring as a vendor is brainstorming about a particular challenge, or validating that the customer is on a common track with their peers.
That almost invariably leads to great conversations about strategy and vision. Yet, we are chartered to sell, which CISO’s well know. So while engaging in that value-focused conversation, as a vendor we need to honestly ask ourselves how we can help. In my team’s case, given the breadth of solutions we represent, we almost always can help with some part of the strategy, though it may different than our original impression. That’s where the art of the architect comes in – we dynamically build a candidate architecture based on their strategy and our solutions, and work together to create a shared vision for the future.
As an aside, even when I speak on secure thinking to non-security professionals, FUD doesn’t get very far – we’re becoming numb to the breach reports – 50 million, 100 million, 175 million are all just statistics. Instead, I tell real stories about breaches and victims – not about the retailer who lost 25 million credit cards, but about my wife getting a call from our credit card company wondering if she’d ordered Internet Viagra. Not about ransomware shutting down a worldwide shipping company, but about my friend losing thousands of dollars in their small business, and another one who lost all their family photos. It works well with those audiences, and captures their attention for the rest of my talk. But there’s no way I’d use those with a CISO – they live them every day.
*just a reminder, these thoughts and opinions are my own.