Partner Perspectives
8/10/2017 09:00 AM
Raymond Pompon

6 Ways CISOs Can Play a Role in Selling Security

When customers ask tough questions about data security, business service resilience, privacy, regulatory, and reputational risk, it's best to remain upbeat and positive. Here's how.

Security issues are so prominent in most customers’ minds that CISOs are being pulled into the sales cycle more and more often. In the face of increasing cyber attacks, customers understandably question the resilience of products and services. Even businesses outside of the tech industry face scrutiny from customers and major suppliers since all organizations now collect, store, and process sensitive information such as industrial secrets, financial information, and personally identifiable information.

Some customers also question the resilience and availability of critical business services and rightly probe to discover the privacy, regulatory, and reputational risk associated with IT offerings. CISOs need to be able to respond to these concerns with confidence, clarity, and candor. This means not being defensive about tough questions, but rather remaining upbeat and positive. Remember, this is sales, not an audit. Here are six ways the security team can support sales:

1. Prepare a Frequently Asked Questions (and Answers) list
Include things like a breakdown of your security team, a list of policies, and an overview of the security controls and architecture. If you've been asked a question by a customer more than twice, it should go on the FAQ. In my stints as a CISO, my FAQ was nearly a dozen pages long. A well-written FAQ can also help your sales team answer customer questions and complete requests for proposals (RFPs) without having to consult you. The bonus of having such a document is that you get to pose the right kinds of questions in the proper manner, reducing irrelevant and confusing lines of inquiry.

2. Make your audit reports available
If you've completed an audit then, by all means, show it off to your customers. The key is to provide the material before you're asked, because you're that confident in your security program. Have copies of the report printed and bound so you can hand them out to customers. If it wasn't a perfect audit, accompany the report with your written response to the findings. Some audit reports may require non-disclosure agreements (NDAs) before you can release them, so be sure to bring printed copies of the NDA and have the customer sign one. If you don't have an audit report to share, consider sharing other types of assessment reports, such as vulnerability scans, penetration tests, and code scans. Whatever information you feel comfortable sharing will be relevant and credible to your customers.

3. Write a summary of the regulatory requirements you comply with and why
If your organization is covered by security compliance requirements (and it probably is), show each requirement and the corresponding controls. This may be covered in your audit report (see #2), but if it isn't, write it up.

4. Prepare a security sales presentation deck
Tailor your deck specifically for a customer audience and include a dozen or so slides describing your security program. This should include things like your security principles, major controls, architecture with diagrams, audit history, and an organizational chart of the security team. If you can, add a slide or two about plans for any cool new controls that are in the works for the future. Customers love to see that. Create different versions of the deck, one for engineers, one for conferences, and one for executives, because each audience is interested in different things.

5. Be prepared to share scrubbed security response plans
Lots of customers wonder how their vendors will handle various crises. Be ready with a proactive answer. Share with them your response plans for incidents, security vulnerabilities in your software, outages, pandemics, and breaches. If you can't share details, summarize the scenarios that are covered and give an outline of your plans. Don't forget to include a summary report on the last test of the response plan you completed.

6. Write a few security white papers
White papers are great tools for the sales team to start conversations with customers. You can dash off half a dozen pages on how you protect the company or its products. You could delve into how you've implemented best practices around authentication, authorization, and accounting (AAA), change control, secure development, or business continuity. Make it informative and authoritative; a few easy-to-read diagrams and graphs are a nice addition, as well.

If these ideas aren't enough, look to the giant companies to see what they do. I'm sure there's an idea or two you could glean from them. Just pick a major tech vendor and search on their name plus "security" or "compliance." Lastly, don't forget to stamp "restricted" on every one of these documents. You don't want to share them with the bad guys.

Raymond Pompon is a Principal Threat Researcher Evangelist with F5 Labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ...