6 Steps to Selling Security to the Business

I spent a little time this week on two Twitter virtual discussions (#secchat, #hpprotect) covering security innovation and the like. Invariably the topic ended up focussing on how to promote or sell security into a business, either from a vendor perspective (promoting new products or features, ultimately to make licence revenue) or from the perspective of internal security staff attempting to justify business cases or budget for infosec-related projects.


Those promoting security fall into two categories: external and internal to the organisation. Externally, there's the vendor or consultancy practice looking to generate licence revenue or billable days. The driver for their involvement could be a mandatory compliance initiative or the aftermath of a data breach or attack. In that case the sale is often based on quite tangible aspects, more of a feature-based sell: the buying organisation already knows the use cases and the benefit it will receive from implementing a particular product or piece of delivery work.

If the buyer doesn't have an initial driver or appetite for a product or service, there needs to be a concerted effort to introduce them to the benefits and value of implementation. At a high level those goals tend to be related to:

  • Convincing an organisation that it is at risk from a particular vulnerability
  • Showing that if that vulnerability is not managed, the organisation will be damaged
  • Ultimately selling a security or security-related product or service into an organisation or project

From an internal perspective, there are several other complex interactions surrounding security selling and awareness. These can be broken down at a high level into something like the following:

  • The CISO needs to convince CxO-level board members that the security budget is justified and required
  • The CISO needs to show that security can benefit the organisation in general and drive efficiency
  • Infosec team members need to gain budget or personnel for security-related projects
  • The CISO needs to raise awareness that an organisation will be attacked regardless of its protection level

The above are just a few examples of the goals internal and external security actors try to fulfil.


Information security is often not seen as a key requirement and isn't generally proactively sought by organisations. In the financial services or healthcare sectors, mandatory compliance initiatives can help to drive budget and project business cases, but security is still often seen as a restrictive and costly aspect of IT:

  • Security is seen as a small component of IT (and IT is seen as a cost to the business)
  • Patching, anti-virus and firewalls are all that is needed for an organisation to be secure
  • Organisations focus on security when a breach or attack has occurred
  • Security is often seen as costly and as restricting innovation or user convenience

How to Overcome

There are many facets to any sales cycle and I'm not attempting to outline them all here, but from a high-level perspective the following are the key areas I always try to focus on during the entire sales process:

  1. Try to show that security can benefit the entire organisation and not just IT
  2. Try to show that security can increase innovation and efficiency
  3. Use a Return on Security Investment (ROSI) to show the long-term benefits
  4. Use the ROSI, but also show non-tangible benefits, such as the brand damage that results from poor security
  5. Define security metrics that show the benefit of security to the organisation in business terms
  6. Improve awareness and messaging of security across the board
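Step 3 names Return on Security Investment without spelling out the calculation. The Python below is an added illustration, not from the original post: it uses the commonly cited ALE-based definition (ROSI = (ALE × mitigation ratio − cost) / cost) over a constructed scenario and constructed candidate controls, and adds the break-even mitigation ratio, the minimum share of expected loss a control must remove before it pays for itself.

```python
from dataclasses import dataclass


@dataclass
class Control:
    """A candidate security investment (constructed sample data, not from the post)."""
    name: str
    annual_cost: float        # what the control costs per year
    mitigation_ratio: float   # fraction of expected annual loss it removes (0.0 to 1.0)


def annual_loss_expectancy(single_loss_expectancy: float, annual_rate_of_occurrence: float) -> float:
    """ALE = SLE x ARO: expected loss per year from one risk scenario."""
    return single_loss_expectancy * annual_rate_of_occurrence


def rosi(ale: float, control: Control) -> float:
    """ROSI = (ALE * mitigation_ratio - cost) / cost (common ALE-based definition).
    A negative value means the control costs more per year than the loss it avoids."""
    avoided_loss = ale * control.mitigation_ratio
    return (avoided_loss - control.annual_cost) / control.annual_cost


def break_even_mitigation(ale: float, control: Control) -> float:
    """Fraction of expected loss a control must remove just to pay for itself."""
    return control.annual_cost / ale


def rank_controls(ale: float, controls: list) -> list:
    """Order candidate controls by ROSI, best first, for the business case."""
    scored = [(c.name, rosi(ale, c)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed scenario: a data-exposure incident estimated at 250,000 per event,
# expected 0.4 times a year (once every 2.5 years) without new controls.
SCENARIO_ALE = annual_loss_expectancy(250_000, 0.4)   # 100,000 per year

CANDIDATES = [
    Control("Multi-factor authentication", annual_cost=20_000, mitigation_ratio=0.6),
    Control("Staff security awareness programme", annual_cost=15_000, mitigation_ratio=0.3),
    Control("Data loss prevention suite", annual_cost=90_000, mitigation_ratio=0.8),
]

if __name__ == "__main__":
    print(f"Annual loss expectancy: {SCENARIO_ALE:,.0f}")
    for name, value in rank_controls(SCENARIO_ALE, CANDIDATES):
        print(f"{name}: ROSI {value:+.2f}")
    for c in CANDIDATES:
        print(f"{c.name}: must remove {break_even_mitigation(SCENARIO_ALE, c):.0%} of expected loss to break even")
```

In this constructed scenario the DLP suite removes the most risk but still has a negative ROSI, which is exactly the kind of result a board will want to see alongside the non-tangible benefits from step 4.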
