- April 10, 2014
- Sanket Naik
- IT & Technology
Incidents like the recent Target credit card data breach heighten awareness of the need for better security, but they don’t really drive change. Awareness is usually short-lived (anyone remember the T. J. Maxx security breach of 2007?) and everyone goes back to business as usual unless there is some kind of legal requirement to change.
This creates an opportunity for vendors who can proactively address security to create a strategic advantage for themselves during the sales cycle and beyond.
I was recently involved in a sale where the prospect sent the vendor a 1,300-question security survey. The vendor actually answered every question and got it back to them in a couple of days. The prospect had never seen such a detailed response. In fact, they’d never even seen a vendor answer all of the questions. It put the vendor head and shoulders above the competition and helped them win the deal. Here’s how you can do the same.
Go where the competition fears to tread
Most technology purchases are driven by revenue opportunities related to product features and functions. Security is non-revenue producing and not usually related to product function, so unless vendors are selling to an industry that must meet certain regulatory requirements, they have a tendency to avoid the security discussion and hope the customer won’t bring it up. If it does come up, they try to address it with smoke and mirrors.
In my experience as both a buyer and seller of technology and as an advisor to startups, this is usually for one of two reasons. First, they don’t know how to talk about security in a way that customers can understand. They might have a security person, but he or she is not the kind of person you’d bring into a sales cycle, and the salespeople don’t have any collateral to support the discussion. Second, they fear the product doesn’t adequately address security and therefore they have something to hide. They don’t talk about it because they are afraid of not meeting the requirements and losing the sale.
Sometimes these fears are unfounded. No service provider is going to meet 100 or even 90 percent of a customer's security requirements. It's simply not possible. Every customer has unique business needs, philosophies, and processes and so does the service provider. If you can show that you meet even 80 percent of the requirements, and then do a traditional risk assessment and management plan for the other 20 percent, you will most likely put yourself ahead of your competition. That’s the discussion you need to equip yourself to have.
Essentially what you need to do is work with the customer to identify the gaps between what you provide and what is needed, assess the remaining risks and come up with a plan. Are you going to just try to avoid them? Are you going to accept them? Are you going to mitigate them with workarounds or compensating controls? Or are you going to buy insurance? Those are the four classic ways to handle risk.
The key is to address this proactively. Then there’s a good chance you can work collaboratively through those issues with the customer and at the same time build trust in the relationship. If you try to avoid the issue and it turns into a one-sided, buyer-led interrogation, not so much.
Invest intelligently in security solutions
Of course, this presupposes that you have actually given some thought to security and invested in it intelligently.
You should absolutely do that, and this is one of the things I talk about in my initial discussions with startups. Given that no one, even your more established competitors, will be able to meet 100 percent of anyone’s requirements, what can you invest in that will show commitment and progress toward maturity in this area?
How much or how little you need to invest will depend on what industry you are selling to. For some industries maybe all you need is a whitepaper detailing what you’ve done and checking the boxes. That at least shows that you care about security and have made some basic investment in it.
If you’re selling to a regulated industry, there may be different kinds of compliance assessments that need to be done, such as HIPAA for a company that stores patient health data, or PCI DSS (Payment Card Industry Data Security Standard) if you accept credit cards.
Then there are different kinds of audits you can do which range from basic security scanners that run a few hundred dollars a month to sophisticated five-figure investments. Some startups and even early-stage companies get intimidated thinking security is a huge investment, and they might not be ready to do that. What you do will depend on the needs of your customers, your budget and stage of maturity of your company.
What's important is to do what you can, even if it’s limited in scope. It doesn’t have to be best in class when you’re just starting out, and if in addition you think through some of the ways customers might address the security risks you can’t, you’ll likely be ahead of many competitors. Having some measures in place, having a plan and having the right collateral on hand to communicate that assures customers it's a priority and you're making an investment in it. As you have more revenues, you can invest more.
At this point maybe you’re thinking, that all sounds great, but my customers truly don’t care about security and my smoke and mirrors are closing deals just fine. Why should I bother?
Futureproof your product and sales process
Consider the way technology is being sold today. IT used to be the gatekeeper for most enterprise technology purchases, but that has changed. Especially with the cloud, software has gotten less expensive and easier to implement. The business, tired of hearing that IT didn’t have the budget or the time to help them, has grown accustomed to just going out and buying what they need so they can get to market faster.
What a lot of companies are finding out is that when these business-led deployments grow and usage increases beyond a certain point, IT and security need to be engaged.
One common scenario is the need to do some integration with other systems, maybe with the ERP system, or with some other service provider. If IT was not previously involved and aware of the project, they might have to rethink the whole strategy.
Or, maybe the business starts using a solution that brings them under the purview of some regulatory requirement, maybe around data storage, where they need to engage IT to help with security.
These are the kinds of scenarios that impact project timelines, reopen negotiations, stall implementation, and kill the prospect of renewals.
That's why it’s so important to be prepared to engage proactively, and in some cases even to seek out customer resources on the IT and security side of the business, building bridges at the CIO level to make sure these concerns are addressed ahead of time. It’s a different approach, and one that will set you apart from the competition, help you win deals, prevent surprises in the sales cycle and keep customers on board even after the deal is signed.
This article previously appeared on InfoSecIsland.com