6 Steps to Selling Security to the Business

I spent a little time this week on two Twitter virtual discussions (#secchat, #hpprotect) covering security innovation and the like, where invariably the topic ended up focussing on how to basically promote or sell security into a business. This could be either from a vendor perspective, trying to promote new products or features, ultimately to make license revenue, or for the likes of internal security staff, attempting to justify business cases or budget for infosec related projects.


The two main actors in promoting security can generally be broken down into two different categories.  One is external and one is internal to the organisation.  Externally, there's the vendor or consultancy practice looking to generate license revenue or billable days.  The driver for their involvement could be a mandatory compliance initiative or the result of a data breach or attack.  In that case the sale is often based on quite tangible aspects or more of a feature based sell.  The buying organisation already knows the use cases and benefit they will receive from implementing a particular product or piece of delivery work.

If the buyer doesn't necessarily have an initial driver or appetite for a product or service, there needs to be a concerted effort to introduce them to the benefits and value of implementation.  At a high level those goals tend to be related to:

  • Convince an organisation that they are at risk from a particular vulnerability
  • Show that if that vulnerability is not managed, the organisation will be damaged
  • Ultimately sell a security or security related product or service into an organisation or project

From an internal perspective, there are also several other complex interactions surrounding security selling and awareness.  These can be broken down at a high level into something like the following:

  • CISO needs to convince CxO level board members that security budget is justified and required
  • CISO needs to show that security can benefit the organisation in general and drive efficiency
  • Infosec team members need to gain budget or personnel for security related projects
  • CISO to raise awareness that an organisation will be attacked regardless of protection level

The above are just a few examples of the goals internal and external security actors try to fulfil.


Information security is often not seen as a key requirement and isn't generally proactively sought by organisations.  If an organisation works in the financial services sector or healthcare, there could be mandatory compliance initiatives that help to drive budget and project business cases, but often security is still seen as being a restrictive and costly aspect of IT.

  • Security is seen as a small component of IT (and IT is seen as a cost to the business)
  • Patching, anti-virus and firewalls are all that is needed for an organisation to be secure
  • Organisations focus on security when a breach or attack has occurred
  • Security is often seen as costly and as restricting innovation or user convenience

How to Overcome

There are many facets to any sales cycle and I'm not attempting to outline them all here, but from a high level perspective, the following are some of the key areas I always try to focus on during the entire sales process:

  1. Try to show that security can benefit the entire organisation and not just IT
  2. Try to show that security can increase innovation and efficiency
  3. Use a Return on Security Investment to show the long term benefits
  4. Use the ROSI, but also show non-tangible benefits too such as brand damage from poor security
  5. Define security metrics that can show the benefit of security to the organisation in business terms
  6. Improve awareness and messaging of security across the board