

How 2020 Presidential Candidates Can Guard Against Cyberattacks

The 2016 presidential election witnessed unprecedented Russian cyberattacks and disinformation campaigns designed to disrupt the U.S. electoral system by influencing public opinion. The Russian goal was to destabilize the U.S. through ideological activism, advancing Russia's interests and furthering its political agenda. Their methods compromised the computer systems of candidates and political parties, and the exfiltrated data was then used to spread disinformation and influence the presidential election.

On January 6, 2017, the U.S. Director of National Intelligence released a declassified report “Assessing Russian Activities and Intentions in Recent U.S. Elections.” According to the report, Vladimir Putin ordered a massive campaign orchestrating attacks from multiple fronts that involved spreading pro-Trump propaganda on social media to hacking the Democratic National Committee (DNC). Their methods resulted in massive data breaches within the DNC that included access to John Podesta's email f…

Selling Security Sensibly

One of the classic problems security professionals face is how to sell security within and outside their respective organizations. Sure, I have that same problem all the time, running up against people in denial with their thinking, or who just do not want security. They look at you the same way they look at an insurance agent trying to sell them a policy, and then the joke of the day is heard:
“What’s the difference between security and insurance? They are both expensive, difficult to understand and what you get is not guaranteed.”
Before you are far into your sales pitch, your audience has erected three barriers: it is expensive, it is complicated, and it carries no guarantees. So now what? Can't I sell a thirsty person ice-cold lemonade on a hot summer day?
Do they really want security? After all, it feels necessary when we are threatened or under attack, but it can be inconvenient, costly, and harmful to productivity. Faced with the lesser of two evils, one may logically decide to try to dodge the bullet. That is the common human reaction of denial we all know about: breaches can't happen to me.

Overcoming Denial by Looking Inward

There probably isn't a human being on this planet who hasn't practiced denial in some part of their everyday life. Denial is human nature, and we see it daily in our loved ones, in those we work with, and in people from all walks of life. Unfortunately, we cannot eliminate denial, and there is no cure for it.
Denial can manifest itself in many ways for the security professional. The most dangerous form is security "sales denial": not recognizing the changes one needs to make to get better at selling. Denial always hampers a person's "desire," their belief that they can influence the decision makers.
There has to be a passion for success, and that is my definition of desire. Attitude, commitment, work ethic, bravery, industry knowledge, product and service knowledge, a good Rolodex and skills are all essential elements of a successful security sales outcome. From my consulting background, there are two types of people in consulting: those who can sell and those who can deliver, and I happen to fall on the delivery side. We need both to be successful, and establishing lasting relationships with clients is of paramount importance. But what happens when you're strong in one skill and weak in the other? You can be weak or lacking in either skill and still be successful if you have a high level of desire in your work. Individuals who possess the savvy of either delivery or sales have one thing in common: incredible "people skills" that let them establish lasting relationships with clients. It is relationships that overcome denial, as one becomes a trusted adviser in the client's organization and chips away at those barriers of denial.

Security Sales Techniques

Know the Audience

When you meet the prospective buyer, they have to be convinced of the value of the product or service, and it is especially important to tailor your pitch to the specific audience, whether the board, C-level executives, directors or managers. The board and C-levels want to see the big picture: how it would impact the organization as a whole, how it affects them operationally, and how it affects the bottom line. How do they compare with the rest of their industry? Cybersecurity events garner more attention in the boardroom than they once did, so one needs to make compelling and persuasive presentations to win buy-in for the resources necessary to protect the company from current and emerging security threats. Know that members of the board tend to come from business backgrounds, not security backgrounds. So while technical explanations might convey the needed information to directors and managers, they will not "sell" the presentation to the board or C-levels.
For more on this read my publication “CISO’s Dilemma – Winning a Seat on the Board of Directors.”

Value Proposition: Knowing the Return on Security Investment (ROSI)

One of the most difficult and elusive aspects I found while formulating metrics for a presentation is the lack of tangibles. One needs to make the client understand that doing nothing is worse than writing a check. Many audiences see security as a disabler when compared with IT infrastructure such as hardware or software. The devil is in the details when security is approached from an ROI perspective such as productivity. For instance, common security applications are web filtering and DLP, where users are monitored to keep them on company work and where documents are routinely checked entering and leaving the network. Add to that Identity and Access Management, which allows documents or system resources to be accessed only by those authorized to do so by their job responsibilities.
When selling, it's essential to find the risk or actual losses that may come from not having your product or service, and seek to quantify those potential losses. This is often associated with fear mongering, since it instinctively hits upon the consequences of doing nothing or very little, and there are ample examples of significant breaches to draw on. It can work effectively with a positive spin, by helping the client calculate the costs of lost intellectual property or goodwill. Clients may be unaware of government regulations they must comply with and of the severity of non-compliance. Identify any significant fines they may face, the expense of legal defense, lawsuit settlements, and, let's not forget, increased insurance costs. Instill the fact that security is a vital and fundamental part of the business and that you want to partner with them to solve the many challenges they are facing. With that, other opportunities for improvement will surface along the way.

Fear Mongering Avoidance

For the seller, security is fundamentally a negative sell, and fear is an instinctive emotion in humans as it is in any living creature. However, as we have seen time and time again, securing information does not carry the same gravity as our physical well-being. We have become numb and apathetic when breaches occur; hearing that other companies got victimized, so what? We learn of the significant breaches through security-related media venues, but few if any are reported by the major news outlets that reach the general population. People think breaches routinely happen, that it is just information that was compromised, and that it does not affect them physically; the media attention is simply not there either. Yet breaches do in fact lead to bodily harm, and examples of those instances can work to the seller's advantage, with metrics demonstrating financial hardship leading up to life-or-death scenarios that have actually happened to victims.

I don't think fear mongering is a proper way to sell security; fear merely sells itself, and the security professional should understand they are there to help the client address it. A typical reaction when clients become victimized is that they begin to feel the pain of the consequences and sometimes act irrationally. Continually inspire the client and never be the one telling them, "I told you so!" That is like throwing salt in a wound. Instead, address their concerns with solutions and inject compassion in specific instances to deal with the human emotions. Fear can be your best ally in eliminating the denial syndrome; make sure you approach it correctly.

Communication is Key

Know that a client can be frightened into inaction, since security and compliance both require in-depth knowledge and expertise. In many of my dealings, I found excuses where the client did not have the time or capacity to understand. Do not perpetuate this; always offer assistance to overcome it. As you help them manage their fear, you will be well on your way to establishing a lasting relationship with the client. Remember, if you're not the greatest salesperson, use your "people skills" to influence and close the deal.
Always let the client know you genuinely care about them and their business, and work hard on earning their trust. Know that once they start to question your motivation and cease to believe in your sincerity, the game is up: they will stop listening to your advice. Sit down and discuss their views, beliefs, and understanding of security, assuring them you're there to help them navigate solutions to their challenges.
Security selling is an art, not a science, and involves understanding the client's challenges and offering assurance on solving them every step of the way. Many people I know in security are not the best salespeople around, and neither am I. Recognize that outstanding people skills and an ability to listen carefully will overcome those challenges. They will close deals and establish lasting relationships.