CISO To Channel: Sell Cybersecurity By Pitching Business Benefits


When Ravi Thatavarthy took the role of chief information security officer at Haemonetics, a global manufacturer of blood-processing devices, security efforts at the company were primarily compliance-driven.

The Braintree, Mass.-based company's systems were supported by a variety of legacy networking devices and outdated systems that needed to be addressed, said Thatavarthy, who told attendees at the SecureWorld Expo in Boston Wednesday that getting started was a serious challenge. The company lacked a formalized globally consistent security program, mainly around internal systems, but ensured that it maintained HIPAA and SOX compliance to secure the data handled by its more than 3,000 employees, and to protect its global operations.

[Related: Selling Meaningful Security: 8 Ways To Engage Security Stakeholders]

Thatavarthy sought to get systems and processes in place by associating the business value and context with certain security technologies. Using scare tactics about high- profile data breaches and serious threats to strong-arm the company into implementing security policies and technologies simply would be a failed approach, he said. Instead, the security veteran started by building relationships with key business managers, including the human resources staff, corporate compliance legal teams, and the infrastructure and IT engineering leads.

"It was a situation where many people didn't even know what they were doing was wrong," Thatavarthy said. "Rather than go crazy buying tools, I took notes and tried to understand how they do business."

Establishing relationships was a critical place to start. Security professionals that advocate for security funding by warning about dire consequences will rarely get the investment they are seeking, Thatavarthy said. Funding requests are more robust when they are blended into valued business initiatives. In some cases, tighter budgets can result in aligning business and IT to advocate for funds to support priority projects, he said.

"In the short term, I was in an 'I'm here to help' mode," Thatavarthy said. "In the long term, I'm trying to find a managed security services provider, trying to get some buy-in and establish some standard relationships with good vendors."

Sales experts increasingly support the strategy of establishing relationships with business unit managers and other C-level executives when selling technology, rather than, or in addition to, engaging with the company's IT team. Cisco Systems sees the benefit. The networking giant announced changes to its partner program this week, requiring its Gold Level partners to obtain a new certification focused on selling to line-of-business customers rather than IT.

A business' IT security staff should make sure it has a seat at the table during the decision-making process, said Kenneth Leeser, president of Needham, Mass.-based risk management consultancy and reseller Kaliber Data Security.

"Some businesses build in cool, new infrastructure, but they just don't know how well it is protected or if it is even protected at all," Leeser said. "They often have to go back and bolt on the security, which isn't the most effective strategy."

NEXT: Thatavarthy Replaces Firewalls, Adds Encryption, Single Sign-On