Selling most information security services and products is a challenge for the vast majority. The reason is that security is generally something that protects the company from the possibility of losing money (whether through a leak of information, fraud or any other way), and it is neither just some money that you spend today to make a profit tomorrow, nor something that you can use to cut costs and make your company more.
Except for some mature companies, which, in general, take security seriously and consciously invest a lot of money in information security, most of the other companies have trouble justifying their investments when it comes to security.
After some years of experience, I would say that most security investments are made for one of five main reasons, which became a rule of thumb for me when my hope was almost dashed trying to help the sales force with the best way to sell security products and services. The reasons are described below.
Everyone knows (I hope) that some security measures are simply necessary, period. Firewalls and antivirus, for example, are necessary by common sense.
This is followed by what I call “a sheep in the crowd syndrome”, which occurs when you don’t know what you are buying, but you do it just because everyone else does. Don’t confuse it with common sense, because many might think they know the reason for buying security, but in fact they are following a trend.
Information security incidents, unfortunately, are also good sellers. The 9/11 incident and similar situations sell more security than any of the other four reasons. The motive is quite obvious: just look at how the airports became stricter after this cruel incident….
Compliance is also a good seller, but generally occurs after a big disaster, such as 9/11 or what occurred with the late Arthur Andersen. SOx and many other regulations, laws and standards had been developed with the intention of preventing such disasters from reoccurring or of preventing them from being so calamitous.
Finally, sponsorship is not so common, but happens when someone in the company is interested in security issues and has the authority and power to sponsor security investments.
A recent publication by Bruce Schneier (1) on CIO.com says that information security is inherently the prevention of damage to business and, as a consequence, the selling of related products and services is always negative.
He also tells us that the human brain is equipped with a deeply embedded cognitive bias that makes the sure loss – the cost of a security product or service – less attractive than a larger risky loss – such as a disaster, for example. People are willing to accept risks….
Putting the pieces together, the challenge now is trying to sell security knowing all of the above.
I am not telling you to deceive anyone, but let’s say that selling information security products and services is a matter of trying to aim for the companies’ Achilles heels, be it one or more of the five reasons mentioned above, while avoiding the nature of the human brain to accept risks when talking about the possibility of loss.
1 - http://www.cio.com/article/367913/How_to_Sell_Security