Positioning security as a value-add to the business rather than a necessary evil is a challenge for many organizations. Since the dawn of enterprise computing, information security has generally been seen as a purely technical function. Did the new two-factor authentication setting lock the sales team out of the system in the middle of a demo? Too bad.
The “S” in “IS” is for security, not sales. Security teams often believe that their job is security, not process efficiency, and definitely not business profitability. And subsequently they are viewed as technical risk managers tasked with prevention instead of growth, compliance in place of strategy, and implementing technical solutions instead of encouraging culture change. Information security is perceived as a cost center, and this leaves most security teams underutilized and misaligned with stakeholder vision.
If you think the job of a security leader is to be the guardian of your organization’s data or infrastructure, think again. The best security leader is the curator and custodian of the organization’s security story. That is, the sum of all the ways your company defends assets, meets compliance and market criteria, and implements technologies that keep valued assets safe. It is your company’s representation of just how much others can trust you with their assets.
With a good security story, companies can sell into markets that have prescribed compliance requirements and outmaneuver competitors who don’t truly understand the market value of information assurance. Stakeholders all want to hear a security story that makes them feel good about their department’s data asset safety, value preservation and top line growth, so nobody gets by today without discussing their security posture.
Cybercriminals are running roughshod over Corporate America so businesses have tough questions for their technology partners. Sales teams often need to be able to answer the following questions:
- How will the client’s data be stored and protected?
- Do you use on-premises or cloud infrastructure?
- How do you prevent data from being stolen by malicious insiders?
- Are you Soc 2 compliant? HIPAA? GDPR?
- Does your company have a formal corporate security policy?
- Is there a formal procedure for reporting a suspected security violation?
- Does your organization scan and/or test for vulnerabilities in your service / application?
- How do you monitor for suspicious behavior in your cloud infrastructure environment?
An organization will know it has a strong security story when it can adequately address the above, and provide answers to the following questions:
- How much revenue has our security team helped to close — and can you attribute that value to the right team? How has the security story increased upfront sales or market access, or helped to defend ARR?
- How have other teams in your ecosystem worked more efficiently and more effectively with fewer security defects at source?
- Which of our stakeholders know how our security story satisfies their specific requirements and criteria?
- Can you show how each and every tooling decision aligns to either market requirement, client specification, contract commitment, or insurability criteria (or all four)?
When your sales team not only knows your security story, but knows it so well that they can communicate it themselves, the sales cycle is dramatically accelerated. This only creates trust in the supply chain, opens up new market opportunities, and increases upstream and downstream assurance.
When executed correctly, a strong security story can have internal benefits as well. When it comes time to ask for more budget — does your leader really understand what you will be using it for? If security leaders can demonstrate, with data from the same ledger your CEO looks at, how security contributions have impacted total revenue earned, then there are no more “IT Resourcing” conversations, only “Market Requirement” or “Strategic Market Access” conversations.
Security is strategy. Security is a market access. Security is branding. Security is reputation. Security is revenue.
Don’t believe me? Try selling without it.