In today’s digital landscape, IT security continues to be a growing concern. New threats are always evolving, and more and more organizations are at risk every day. As both technology and threats continue to evolve, it is becoming increasingly difficult to sell security solutions.

In order to effectively grow our security practice, we must first understand our buyer.

Who is the CISO?

The job of a CISO (Chief Information Security Officer) is to develop and manage the information security program for their organization. It’s their responsibility to evaluate and minimize information risks and threats. Therefore, they are driven by risk management, perimeter control, compliance, and privacy.

The CISO is primarily focused on:

  • Obtaining the right resources to meet current and future threats
  • Having enough visibility into the organization to prioritize security initiatives
  • Driving down the cost of information security while reducing risk
  • Measuring the effectiveness of security programs
  • Demonstrating ROI and risk-benefit of existing and planned budgets
  • Communicating this value to stakeholders

So, what keeps them up at night?

Let’s briefly talk about the individuals who take on the role of a CISO. Their job security is directly related to their performance. Anyone responsible for a major breach is going to find themselves unemployed. Even worse, who is going to be willing to hire that person to keep their own organization secure? For them, it’s personal.

It’s imperative for a CISO to ensure data confidentiality. They must confirm that effective identity and management controls are in place. CISOs want to secure production systems, endpoints and everything in between.

Keep in mind that CIOs and CISOs have conflicting goals. The CIO is responsible for the availability of electronic assets, while the CISO is responsible for ensuring their confidentiality and integrity.

Equally, effective communication must be maintained with business management, operations, audit, regulators, examiners, and the board.

Communication is key, but it must be done securely!

The buyer’s decision-making process

It’s important to understand that not all CISOs are the same. Security organizations can be dramatically different from company to company.

What happens if your buyer is not very tech-savvy? Maybe the CISO doesn’t meet with potential vendors, leaving the buying process in the hands of other organizational leaders. What if they have the need for your solutions, but the budget is not available to support their initiatives?

Enterprises have varied approaches to risk management. Some companies look to combine their information security with their physical security programs – which will roll up under the CISO, having a dramatic effect on the decision-making process.

Many CISOs struggle to articulate the value of their security programs and justify the security budget to business and executive management.

There are many organizational variations that have a dramatic effect on your buyer and the decision-making process. That’s why it’s critical to have intimate knowledge of your prospect’s org chart and their motivations for purchasing security solutions.

Selling security to the CISO

State your differentiators and value clearly. Know your product features and match them to identified business needs. Gathering information about your buyer is not enough. Features must be paired with business benefits that are relevant to the CISO’s needs. But remember, it’s not a benefit unless it increases, decreases or maintains something that your buyer has stated they need.

Also, be sure to reference at least one ultimate benefit – one which directly affects the buyer as an individual, not just the organization.

Be sure to tailor your questions to highlight their pain points. How do they see the future threat landscape changing? What legal or regulatory mandates do they expect to have an impact on their business? What are their top security concerns over the next 12-24 months? How does their company identify risks associated with the use of technology?

Finally, be sure your solution can solve their challenges:

  1. Can I identify who has access (identification/authentication)?
  2. Can I control what they do (authorization)?
  3. Can I ensure the privacy of information (confidentiality)?
  4. Can I prevent unauthorized changes to information (integrity)?
  5. Can I provide for non-repudiation of a transaction (integrity)?
  6. Can I ensure availability of service?
  7. Can I detect problems when they occur (audit/alarms)?

Want more help identifying the right buyers and asking the questions that lead to more sales? Check out our sales training courses and contact us for a free consultation.