Partner Perspectives
8/10/2017 09:00 AM
Raymond Pompon
6 Ways CISOs Can Play a Role in Selling Security

When customers ask tough questions about data security, business service resilience, privacy, regulatory, and reputational risk, it's best to remain upbeat and positive. Here's how.

Security issues are so prominent in most customers’ minds that CISOs are being pulled into the sales cycle more and more often. In the face of increasing cyber attacks, customers understandably question the resilience of products and services. Even businesses outside of the tech industry face scrutiny from customers and major suppliers since all organizations now collect, store, and process sensitive information such as industrial secrets, financial information, and personally identifiable information.

Some customers also question the resilience and availability of critical business services and rightly probe to discover privacy, regulatory, and reputational risk associated with IT offerings. CISOs need to be able to respond to concerns with confidence, clarity, and candor. This means not being defensive about tough questions, but rather remaining upbeat and positive. Remember, this is sales not an audit. Here are six ways the security team can support sales:

1. Prepare a Frequently Asked Questions (and Answers) list
Include things like the breakdown of your security team, a list of policies, and an overview of the security controls and architecture. If you've been asked a question by a customer more than twice, it should go on the FAQ. In my stints as a CISO, my FAQ was nearly a dozen pages long. A well-written FAQ can also help your sales team answer customer questions and complete requests for proposals (RFPs) without having to consult you. The bonus of having such a document is that you get to pose the right kinds of questions in the proper manner, reducing irrelevant and confusing lines of inquiry.

2. Make your audit reports available
If you've completed an audit then, by all means, show it off to your customers. The key is to provide the material before you're asked, because you're that confident in your security program. Have copies of the report printed and bound so you can hand them out to customers. If it wasn't a perfect audit, then accompany the report with your written response to the findings. Some audit reports may require non-disclosure agreements (NDAs) before you can release them, so be sure to bring printed copies of the NDA and have the customer sign them. If you don't have an audit report to share, then consider sharing other types of reports, such as vulnerability scans, pen tests, and code scans. Whatever information you feel comfortable sharing will be relevant and credible to your customers.

3. Write a summary of the regulatory requirements you comply with and why
If your organization is covered by security compliance requirements (and it probably is) then show each requirement and the corresponding controls. This may be covered in your audit report (See #2) but if it isn't, write it up.

4. Prepare a security sales presentation deck
Tailor your deck specifically for a customer audience and include a dozen or so slides describing your security program. This should include things like your security principles, major controls, architecture with diagrams, audit history, and an organizational chart of the security team. If you can, add a slide or two about plans for any cool new controls that are in the works for the future. Customers love to see that. Create different versions or variations of the deck: one for engineers, one for conferences, and one for executives, because each audience is interested in different things.

5. Be prepared to share scrubbed security response plans
Lots of customers wonder how their vendors will handle various crises. Be ready with a proactive answer. Share with them your response plans for incidents, security vulnerabilities in your software, outages, pandemics, and breaches. If you can't share details, summarize the scenarios that are covered and give an outline of your plans. Don't forget to include a summary report on the last test of the response plan you completed.

6. Write a few security white papers
White papers are great tools for the sales team to start conversations with customers. You can dash off half a dozen pages on how you protect the company or its products. You could delve into how you've expressed some best practice around authentication, authorization, and accounting (AAA), change control, secure development, or business continuity. Make it informative and authoritative; a few easy-to-read diagrams and graphs are a nice addition, as well.

If these ideas aren't enough, look to the giant companies to see what they do. I'm sure there's an idea or two you could glean from them. Just pick a major tech vendor and search on their name plus security or compliance. Lastly, don't forget to stamp "restricted" on every one of these documents. You don't want to share them with the bad guys.
Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ...