Security issues are so prominent in most customers’ minds that CISOs are being pulled into the sales cycle more and more often. In the face of increasing cyber attacks, customers are understandably questioning the resilience of products and services. Even businesses outside of the tech industry are facing scrutiny from customers and major suppliers, since all organizations now collect, store, and process sensitive information such as industrial secrets, financial information, and personally identifiable information. Some customers are also questioning the resilience and availability of critical business services. They are also rightly probing to discover the privacy, regulatory, and reputational risk associated with IT offerings. CISOs need to be able to answer customers’ questions with confidence, clarity, and candor. This means not being defensive about tough questions, but rather remaining upbeat and positive. Remember, this is sales, not an audit. Here are six ways the security team can support sales:
Customers have questions. Show them you've thought ahead and are experienced by providing a Frequently Asked Questions (and Answers) list. Include things like the breakdown of your security team, a list of policies, and an overview of the security controls and architecture. If you've been asked a question by a customer more than twice, it should go on the FAQ. In my stints as a CISO, my FAQ was nearly a dozen pages long. A well-written FAQ can also help your sales team answer customer questions and complete requests for proposals (RFPs) without having to consult you. The bonus of having such a document is that you get to pose the right kinds of questions in the proper manner, reducing irrelevant and confusing lines of inquiry.
If you've completed an audit, then by all means show it off to your customers. The key is to provide the material before you’re asked, because you're that confident in your security program. Have copies of the report printed and bound so you can hand them out to customers. If it wasn't a perfect audit, then accompany the report with your written response to the findings. Some audit reports may require non-disclosure agreements (NDAs) before you can release them, so be sure to bring printed copies of the NDA and have the customer sign them. If you don't have an audit report to share, then consider sharing other types of reports, such as vulnerability scans, pen tests, audits, and code scans. Share whatever information you feel comfortable sharing that will be relevant and credible to your customers.
If your organization is covered by security compliance requirements (and it probably is), then show each requirement and the corresponding controls. This may be covered in your audit report (see #2), but if it isn't, write it up.
Tailor your deck specifically for a customer audience and include a dozen or so slides describing your security program. This should include things like your security principles, major controls, architecture with diagrams, audit history, and an organizational chart of the security team. If you can, add a slide or two about plans for any cool new controls that are in the works for the future. Customers love to see that.
Create different versions or variations of the deck: one for engineers, one for conferences, and one for executives, because each audience is interested in different things.
Lots of customers wonder how their vendors will handle various crises. Be ready with a proactive answer. Share with them your response plans for incidents, security vulnerabilities in your software, outages, pandemics, and breaches. If you can't share details, summarize the scenarios that are covered and give an outline of your plans. Don’t forget to include a summary report on the last test of the response plan you completed.
White papers are great tools for the sales team to start conversations with customers. You can dash off half a dozen pages on how you protect the company or its products. You could delve into how you've implemented some best practice around AAA (authentication, authorization, and accounting), change control, secure development, or business continuity. Make it informative and authoritative; a few easy-to-read diagrams and graphs are a nice addition as well.
If these ideas aren't enough, look to the giant companies to see what they do. I'm sure there's an idea or two you could glean from them. Just pick a major tech vendor and search on their name plus "security" or "compliance". Lastly, don't forget to stamp "restricted" on every one of these documents. You don't want them to be shared with bad guys.
MODIFIED: Jul 06, 2017