Fear, Uncertainty, and Doubt: FUD. We have all dealt with the salesperson who uses FUD when selling. “Without this software hackers can break into your computer and actually see you sitting at your desk!” It is amazing to see how much FUD is spread across the IT security industry, mostly because of how easy it is to use. If you are an IT solution provider of security products and services, how do you sell without using FUD?
The biggest problem is that the industry has been crying wolf for years. Every year, a new IT security report comes out showing the number of malware infections is up, more identity theft is occurring, and we are all going to die. The average SMB organization gets hit with malware and spam, but how many have actually had a real security breach in which money or identities were actually taken?
Not many. Now, IT security breaches are very real, but providing more information about security rather than scare tactics will help you sell more security products and services. Your customers are starting to realize that these sales pitches are mostly FUD too. Because the actual horror scenario is relatively rare, countless directors of IT have heard the dreaded “It didn’t happen last year, it won’t happen this year” argument from management.
If information is your tool kit, how do you wield it effectively to ensure that you don’t look like you are trying to sell them snake oil yourself? Here are four tips:
1. Focus on Reality. Disclosure laws and regulations are still the best information you can share with a customer. They are irrefutable, everyone has to deal with them (including your client’s competitors), and most carry very real fines. You can provide real value to your clients by helping them navigate the laws instead of just helping them with “compliance”. Do this by working with your clients not only on why they need to meet the law’s requirements, but on how. If the devil is in the details, then help them get rid of the devil.
2. It is all about Risk Management. Help your customers understand risk management. FUD at its core is risk management where risks are unknown but seem large and information is unavailable. Help your customers truly analyze the risks they are trying to ameliorate, and compare them with other risks. For example, gather the client’s core team (IT, “the business”, management, and legal) and ask questions around what would happen if scenario X occurred. Look at the outcomes in terms of the legal risk, reputational risk, operational risk, and cost to fix. Put this in MS Excel and apply a Low, Medium, or High rating to each category for each scenario. After about an hour you will easily see if this is a true high risk or a perceived high risk. Help your client with the really high risks.
3. Use Their Data in Your Metrics. Today’s IT environments have tons of data available for analysis, yet it seems most security sales processes do not involve actually diving into the real data at a client before recommending a solution. Not only is this an opportunity for assessment revenue, but it also ensures you don’t underbid or overbid the solution. I recommend that you sit with the client and determine what the intended outcome of the potential purchase is. Using that outcome, work back to see what metrics you can identify that qualify as success. For example, if they want to reduce the number of infections on their workstations by implementing web filtering software, start to determine how many infections they have now and what percentage decrease would indicate success. During this analysis phase, you may find out that they don’t have many infections at all and that web filtering isn’t the best use of the company’s funds! If you do, you will build a deeper relationship with the client.
4. Give Away Information. You work with many different types of clients in many different types of businesses. Share what you see working and not working, and introduce your client to their peers at other firms where you have implemented security projects. Although their business models or segments may be different, many have the exact same threats and vulnerabilities, but one firm may be further along the security life cycle than another. Helping your client to see light at the end of the tunnel will help solidify you as the only train that can get them to their desired destination.
FUD is difficult to dispel, especially if the customer won’t listen to metrics or put time into researching risk. If you start off with the proper data and solid methodology to fight the FUD, you will have a much better chance of succeeding.