Security issues are so prominent in most customers’ minds that CISOs are being pulled into the sales cycle more and more often. In the face of increasing cyber attacks, customers understandably question the resilience of products and services. Even businesses outside of the tech industry face scrutiny from customers and major suppliers since all organizations now collect, store, and process sensitive information such as industrial secrets, financial information, and personally identifiable information.
Some customers also question the resilience and availability of critical business services and rightly probe to discover the privacy, regulatory, and reputational risk associated with IT offerings. CISOs need to be able to respond to these concerns with confidence, clarity, and candor. This means not being defensive about tough questions, but rather remaining upbeat and positive. Remember, this is sales, not an audit. Here are six ways the security team can support sales:
1. Prepare a Frequently Asked Questions (and Answers) list
Include things like the breakdown of your security team, a list of policies, and an overview of the security controls and architecture. If you've been asked a question by a customer more than twice, it should go on the FAQ. In my stints as a CISO, my FAQ was nearly a dozen pages long. A well-written FAQ can also help your sales team answer customer questions and complete requests for proposals (RFPs) without having to consult you. The bonus of having such a document is that you get to pose the right kinds of questions in the proper manner, reducing irrelevant and confusing lines of inquiry.
2. Make your audit reports available
If you've completed an audit then, by all means, show it off to your customers. The key is to provide the material before you're asked, because you're that confident in your security program. Have copies of the report printed and bound so you can hand them out to customers. If it wasn't a perfect audit, then accompany the report with your written response to the findings. Some audit reports may require non-disclosure agreements (NDAs) before you can release them, so be sure to bring printed copies and have the customer sign them. If you don't have an audit report to share, then consider sharing other types of reports, such as vulnerability scan, penetration test, and code scan results. Whatever information you feel comfortable sharing will be relevant and credible to your customers.
3. Write a summary of the regulatory requirements you comply with and why
If your organization is covered by security compliance requirements (and it probably is), then show each requirement and the corresponding controls. This may be covered in your audit report (see #2), but if it isn't, write it up.
4. Prepare a security sales presentation deck
Tailor your deck specifically for a customer audience and include a dozen or so slides describing your security program. This should include things like your security principles, major controls, architecture with diagrams, audit history, and an organizational chart of the security team. If you can, add a slide or two about plans for any cool new controls that are in the works for the future. Customers love to see that. Create different versions or variations of the deck, one for engineers, one for conferences, and one for executives, because each audience is interested in different things.
5. Be prepared to share scrubbed security response plans
Lots of customers wonder how their vendors will handle various crises. Be ready with a proactive answer. Share with them your response plans for incidents, security vulnerabilities in your software, outages, pandemics, and breaches. If you can't share details, summarize the scenarios that are covered and give an outline of your plans. Don't forget to include a summary report on the last test of the response plan you completed.
6. Write a few security white papers
White papers are great tools for the sales team to start conversations with customers. You can dash off half a dozen pages on how you protect the company or its products. You could delve into how you've implemented best practices around authentication, authorization, and accounting (AAA), change control, secure development, or business continuity. Make it informative and authoritative; a few easy-to-read diagrams and graphs are a nice addition, as well.
If these ideas aren't enough, look to the giant companies to see what they do. I'm sure there's an idea or two you could glean from them. Just pick a major tech vendor and search for their name plus "security" or "compliance". Lastly, don't forget to stamp "restricted" on every one of these documents. You don't want to share them with the bad guys.
Get the latest application threat intelligence from F5 Labs.