I'm into software security for more than 2 decades. And I spent a lot of time not only thinking about products in that space but also selling them. And selling security is one of the toughest tasks because we don't talk about something that people want badly. Like an iPhone. Or a PlayStation. Or a new car. It's selling something people think they don't need it. Because nothing bad has happened so far, right? Over the years I have observed some tactics to turn this point of view around and entering a dialogue. Here are my thoughts ordered from "not a good idea" to "usually works out".
- Selling the ugly baby
Being not secure is nothing you can see. It does not necessarily hurt. Thus, security companies tend to scan the customers IT environment and show them the results. If nothing or only little has been done to protect the assets, there's typically only one answer: you are doomed. There are hundreds and thousands of issues, the management reporting shows a red flag. From a technical point of view this seems to be brilliant because the scan has revealed the status so effectively. From the customer's ego point of view it like visiting young parents and telling them that their baby is ugly (I can't remember when I have heard this metaphor the1st time, but it works well). And that is something parents don't like. They love their baby. They have cared for their baby. And it's ultimately the most beautiful human being on earth. Facing a customer with such a story leads to nothing but rejection. It's no surprise that the turnover rate from such an initial analysis to offering a solution is a very stony road.
- You are all idiots
It's getting even worse if the consultant executing an initial analysis starts to abuse the customer. They dissect each and every issue and tell the customer how smart they are and how stupid the customer and his team is. They mock them asking how could it be that this and that has not been addressed, even young kids would do this (sure, young kids usually own IT landscapes with dozens / hundreds of apps). It can even happen that such consultants turn customers into ridicule by publishing some findings from an assessment in open forums ("believe it or not, these idiots have implemented Identify & Access Management and think they are secure."). Nobody likes a know-it-all, nobody likes a smart-ass. Besides that - it doesn't help the customer at all knowing that everything is shiny red - most of them sort of knew that already.
- The path to happiness
If you have data of an initial assessment, use it wisely. In my past life as owner of a security company we have collected 400+ customer assessments and derived a benchmark from that. What we did wrong was to compare bad outcome (from the 400+ scans) with bad outcome: "Hey, we did that in the past many times and your baby is as ugly as any other baby." It's much better to take samples from customers that have used the solution for several years and that have made some progress in adding more and more protection for their assets. Make this your reference and benchmark any new assessment against this. If doing so, you are in a position to show the path to happiness: "You are here and others using our solution are there. We are here to help you to improve over time. And by the way - here are 10 quick wins that you can implement in no time. And then we take it from there working on a road map." In short: you start to sell confidence that bad things will be good, there's evidence that it works, and there's a plan how to get there. Better?
Let me know whether you have fallen into traps as mentioned above or whether you have learned how to move on and started to sell happiness. It's another story to position a first touch meeting making it most successful for both the customer and the solution provider. Another article for another day.