
How to sell security by focusing on return on security investment

Security solution providers get advice here on selling information security, including how to focus the conversation on return on security investment (ROSI).

If you are new to the process of selling information security products and services, you may be in for a rude awakening.

Security veterans can tell you that the number and vehemence of objections to what you are selling can be great. There are many reasons a potential customer might not be interested in buying security, but perhaps the most common is the belief that the customer simply doesn't need what you're selling. Many business owners and IT professionals suffer from "it won't happen to me" syndrome. They're convinced that because "it hasn't happened yet," they "don't have any data people want" or they "are too small to be a target," they can be lax about security. Your most important job as a security provider is to overcome those objections and protect the client.

Finding the return on security investments
In my experience selling information security, the most common objection is driven by a perceived lack of tangible return on security investment, together with the belief that security is expensive and interferes with operations. Unlike a new server or upgraded productivity software, return on security investment (ROSI) is less intuitive to show because people see security as a disabler. In fact, a security investment can also yield productivity gains. If you take a closer look in search of return on investment (ROI), you may not only close the sale but also become a deeply trusted business consultant.

You must convince the client that doing nothing is worse than writing a check. One major source of return on security investment is productivity. Productivity can be substantially increased by making employees less distracted and having them follow organized procedures for their daily tasks. For example, Web filtering and user monitoring software can help ensure users spend their work hours on productive work for the company. Another example is data loss prevention (DLP). When documents cannot enter and exit the network unchecked, far less time is spent searching for documents and validating their security status, a process that can be quite time-consuming and costly during IT or compliance audits. In my experience, other returns from security work have ranged from 25% gains in sales activity to large increases in collections and manufacturing production.

When selling information security, you must also find the risk or tangible losses that may come from not having your product or service, and seek to quantify those potential losses. Help the client calculate the costs due to loss of intellectual property or goodwill and the canceling of key partnerships. Identify any significant fines they may face and the expense of legal defense and lawsuit settlements. Don't forget to mention increased insurance costs.
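The loss quantification described above can be put on paper for the client. The following is an added worked example, not from the article: it applies the commonly cited ROSI formula (annualized loss expectancy, ALE = SLE x ARO; ROSI = (risk reduction + productivity gain - control cost) / control cost) to a set of constructed loss scenarios. Every figure, scenario name and mitigation fraction is an assumption chosen for illustration; the value of the exercise is that the client sees the structure of the calculation and can argue about the inputs rather than the conclusion.

```python
"""Return-on-security-investment (ROSI) worked example.

Added illustration, not from the article. Uses the commonly cited formula
    ALE  = SLE * ARO                      (annualized loss expectancy)
    ROSI = (risk reduction + productivity gain - control cost) / control cost
where SLE is the single loss expectancy per incident and ARO the expected
number of incidents per year. All numbers below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    name: str
    sle: float          # expected cost of one incident
    aro: float          # expected incidents per year without the control
    mitigation: float   # fraction of the ALE the proposed control removes (0..1)

    def __post_init__(self):
        # Reject inputs that would make the result meaningless.
        if not 0.0 <= self.mitigation <= 1.0:
            raise ValueError(f"{self.name}: mitigation must be in [0, 1]")
        if self.sle < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: SLE and ARO must be non-negative")

    def ale_before(self) -> float:
        return self.sle * self.aro

    def ale_after(self) -> float:
        return self.ale_before() * (1.0 - self.mitigation)


def rosi(scenarios, annual_cost, productivity_gain=0.0):
    """Return ALE before/after the control, the net annual benefit and the ROSI ratio."""
    if annual_cost <= 0:
        raise ValueError("annual control cost must be positive")
    before = sum(s.ale_before() for s in scenarios)
    after = sum(s.ale_after() for s in scenarios)
    net = (before - after) + productivity_gain - annual_cost
    return {"ale_before": before, "ale_after": after,
            "net_benefit": net, "rosi": net / annual_cost}


def breakeven_mitigation(scenarios, annual_cost, productivity_gain=0.0):
    """Uniform mitigation fraction at which the control exactly pays for itself.

    Answers the skeptic's question "how effective would this have to be to be
    worth it?". Returns None if the control cannot break even at 100% mitigation.
    """
    before = sum(s.ale_before() for s in scenarios)
    needed = annual_cost - productivity_gain
    if before <= 0 or needed > before:
        return None
    return max(needed, 0.0) / before


def example_case():
    # Constructed scenarios for a hypothetical mid-sized client (assumptions).
    scenarios = [
        LossScenario("intellectual property theft", sle=400_000, aro=0.10, mitigation=0.60),
        LossScenario("regulatory fine plus legal defence", sle=150_000, aro=0.20, mitigation=0.50),
        LossScenario("lost key partnership / goodwill", sle=250_000, aro=0.05, mitigation=0.40),
    ]
    # Assumed annual cost of the control set (e.g. DLP plus managed patching) and
    # assumed value of staff time recovered during audits, both made up.
    return rosi(scenarios, annual_cost=30_000, productivity_gain=10_000), \
        breakeven_mitigation(scenarios, annual_cost=30_000, productivity_gain=10_000)


if __name__ == "__main__":
    result, breakeven = example_case()
    for key, value in result.items():
        print(f"{key:>12}: {value:,.2f}")
    print(f"break-even uniform mitigation: {breakeven:.1%}")
```

With these constructed inputs the annualized exposure falls from 82,500 to 38,500, and after adding the assumed productivity gain and subtracting the control cost the net benefit is 24,000 per year, a ROSI of 0.8 (80 cents returned per dollar spent). The break-even figure is often the more persuasive number: here the controls only need to remove about 24% of the expected loss to pay for themselves, which is an easier claim to defend than a precise mitigation percentage.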

Handling security fears and resistance
Help your client deal with the political upheaval, and employee complaints, often caused by security initiatives. One way to deal with the politics of employees is to make them part of the initiative to protect their jobs and raise their own productivity. Believe it or not, there is "sexiness" to participating in security. If you get employees invested and proudly talking about their involvement, you will see far fewer objections, and you may even see some employees coaching others to come along.

Fear, uncertainty and doubt, or FUD, can make or break any deal. Clients may be quick to accuse security solution providers of using FUD to sell them products. In my experience this is the ultimate customer fallback, especially with IT staff. They may say to each other, "Oh, the consultant is just trying to scare you."

However, FUD can be a powerful mechanism for finding the risk manager in every business person. In my consulting and presentations, I confront this during my introduction. For example, I will say, "These are the laws of the land. I don't necessarily agree with them, but hating me will not change that," and, "I am an expert. I do this every day, and yet I am fearful, uncertain and doubtful too. If you are not, you should be." Now you are sharing in their fear and uncertainty.

Then be ready to give real examples of damaging information security events at other small or midsized businesses similar to theirs. Show your client the actual regulations and the tangible penalties for failing to comply. Be prepared to counter the common mindset that everything is fine and they need not worry. Patching is a good measure of the most basic security within a network, and it is also one of the most despised and least effectively managed IT processes. Ask your client about patch currency. If you are willing to gamble a little, bet on their patching being out of date; in my experience this is a pretty safe bet. Then do an inventory of the patches and use it as a benchmark to get the decision maker to realize there are bigger hidden issues, and that IT may not be as on top of things as they thought.
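To turn the patch inventory above into a benchmark the decision maker can read, the findings need to be scored against a stated policy rather than presented as a raw list. The following is an added example, not from the article: it reads a constructed CSV export in the shape an RMM or patch-management tool might produce (hostname, date of last successful patch install, outstanding critical updates), flags each host against an assumed 30-day policy window, and summarizes the result. The inventory rows, the policy window and the fixed as-of date are all assumptions made for illustration.

```python
"""Patch-currency benchmark (added example, not from the article).

Takes a constructed CSV export of the kind a patch tool might produce and
scores each host against an assumed policy: every host must have installed
patches within MAX_AGE_DAYS and have no outstanding critical updates.
"""
import csv
import io
from datetime import date

# Constructed sample export (assumption: one row per host, ISO dates).
SAMPLE_INVENTORY = """\
hostname,last_patch,pending_critical
fs01,2023-02-12,0
sql01,2022-11-30,4
web01,2023-02-28,1
dc01,2023-01-05,2
app02,2023-02-20,0
laptop-17,2022-08-19,9
"""

AS_OF = date(2023, 3, 1)   # fixed "today" so the example is reproducible
MAX_AGE_DAYS = 30          # assumed policy window for the last patch install


def parse_inventory(text):
    """Parse the CSV export into typed records."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "hostname": rec["hostname"].strip(),
            "last_patch": date.fromisoformat(rec["last_patch"].strip()),
            "pending_critical": int(rec["pending_critical"]),
        })
    return rows


def assess(rows, as_of=AS_OF, max_age_days=MAX_AGE_DAYS):
    """Attach the patch age and a stale flag to every host.

    A host is stale if its last install is older than the policy window OR it
    has any outstanding critical update; a recently patched host with a
    critical update still pending (web01 below) is therefore still flagged.
    """
    findings = []
    for r in rows:
        age = (as_of - r["last_patch"]).days
        findings.append({
            **r,
            "age_days": age,
            "stale": age > max_age_days or r["pending_critical"] > 0,
        })
    return findings


def benchmark(findings):
    """Roll the per-host findings up into the numbers a decision maker reads."""
    if not findings:
        return {"hosts": 0, "stale": 0, "stale_pct": 0.0,
                "worst": None, "pending_critical_total": 0}
    stale = [f for f in findings if f["stale"]]
    worst = max(findings, key=lambda f: f["age_days"])
    return {
        "hosts": len(findings),
        "stale": len(stale),
        "stale_pct": round(100 * len(stale) / len(findings), 1),
        "worst": worst["hostname"],
        "pending_critical_total": sum(f["pending_critical"] for f in findings),
    }


if __name__ == "__main__":
    findings = assess(parse_inventory(SAMPLE_INVENTORY))
    for f in sorted(findings, key=lambda f: f["age_days"], reverse=True):
        flag = "STALE" if f["stale"] else "ok"
        print(f"{f['hostname']:<10} {f['age_days']:>4}d  "
              f"critical pending: {f['pending_critical']:<2} {flag}")
    print(benchmark(findings))
```

Against the constructed inventory, four of six hosts are out of policy (66.7%), the worst host has gone 194 days without a patch, and 16 critical updates are outstanding. Those three numbers, not the host list, are what to put in front of the decision maker; the per-host detail goes to IT.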

Communicating with the client
Be careful how you communicate with your client. Don't use fancy acronyms or try to blow them away with your knowledge. If they feel you are presenting yourself as superior rather than as aware and concerned, you will fail. You must inspire them into action, or at least into self-preservation. A major unspoken objection, and often the hardest to overcome, is the intimidation factor. Security and compliance in particular require a depth of understanding and expertise that frightens many people into inaction. Clients often feel they don't have the time or capacity to understand. If you perpetuate this feeling rather than helping them overcome it, you will not close security deals, or the deals will be short-lived. If you can help them manage their fear, you will be able to build a consulting relationship that lasts a long time.

Above all, let your clients know you care about them and their business. If they question your motivation and don't believe you are sincere in your desire to help them achieve their goals, they will not listen to your advice. Take the time to ask them about their beliefs and understanding of security. Assure them that you understand it is complex and a little scary. Show them how you are there to help their IT environment become more secure and to make them the leader of their security initiatives.

About the author:
Kevin B. McDonald is Executive Vice President and Director of Compliance Practices at Alvaka Networks, a 27-year strong Network Services and Security leader in Irvine, California. He is a trusted technology and security consultant and public policy advisor to some of America's most influential people and organizations. He serves as a senior advisor to businesses, state and federal legislators, law enforcement leaders, charitable boards, abuse prevention professionals and municipalities. He is a sought after presenter, panelist and commentator. McDonald consults on the issues surrounding advanced technology, physical and logical security, regulatory compliance, organizational development and more.

McDonald is a HIPAA Privacy and Security Expert and a member of the CompTIA HIT, Advisory Council. He is Chairman of the Orange County Sheriff/Coroner's Community Technology Advisory Council (C.T.A.C) and member of the High Tech Crimes Consortium. He has written for, or been interviewed, in dozens of national and regional publications and he has authored the novel, Practically Invisible.
