CISO To Channel: Sell Cybersecurity By Pitching Business Benefits

When Ravi Thatavarthy took the role of chief information security officer at Haemonetics, a global manufacturer of blood-processing devices, security efforts at the company were primarily compliance-driven.

The Braintree, Mass.-based company's systems were supported by a variety of legacy networking devices and outdated systems that needed to be addressed, said Thatavarthy, who told attendees at the SecureWorld Expo in Boston Wednesday that getting started was a serious challenge. The company lacked a formalized globally consistent security program, mainly around internal systems, but ensured that it maintained HIPAA and SOX compliance to secure the data handled by its more than 3,000 employees, and to protect its global operations.

[Related: Selling Meaningful Security: 8 Ways To Engage Security Stakeholders ]

Thatavarthy sought to get systems and processes in place by associating the business value and context with certain security technologies. Using scare tactics about high- profile data breaches and serious threats to strong-arm the company into implementing security policies and technologies simply would be a failed approach, he said. Instead, the security veteran started by building relationships with key business managers, including the human resources staff, corporate compliance legal teams, and the infrastructure and IT engineering leads.

Sponsored post

"It was a situation where many people didn't even know what they were doing was wrong," Thatavarthy said. "Rather than go crazy buying tools, I took notes and tried to understand how they do business."

Establishing relationships was a critical place to start. Security professionals that advocate for security funding by warning about dire consequences will rarely get the investment they are seeking, Thatavarthy said. Funding requests are more robust when they are blended into valued business initiatives. In some cases, tighter budgets can result in aligning business and IT to advocate for funds to support priority projects, he said.

"In the short term, I was in an 'I'm here to help' mode," Thatavarthy said. "In the long term, I'm trying to find a managed security services provider, trying to get some buy-in and establish some standard relationships with good vendors."

Sales experts increasingly support the strategy of establishing relationships with business unit managers and other C-level executives when selling technology, rather than, or in addition to, engaging with the company's IT team. Cisco Systems sees the benefit. The networking giant announced changes to its partner program this week, requiring its Gold Level partners to obtain a new certification focused on selling to line-of-business customers rather than IT.

A business' IT security staff should make sure it has a seat at the table during the decision-making process, said Kenneth Leeser, president of Needham, Mass.-based risk management consultancy and reseller Kaliber Data Security.

"Some businesses build in cool, new infrastructure, but they just don't know how well it is protected or if it is even protected at all," Leeser said. "They often have to go back and bolt on the security, which isn't the most effective strategy."

NEXT: Thatavarthy Replaces Firewalls, Adds Encryption, Single Sign-On

For Thatavarthy, the goal at Haemonetics was to ensure that security was a key part of the company's infrastructure improvement plans. The company needed to replace legacy firewalls that were severely inadequate. Instead of focusing on firewall security benefits, Thatavarthy said he focused on the benefits of increasing the company's sluggish network traffic speeds and how faster access to cloud applications could boost employee productivity. The implementation greatly reduced latency between the company's headquarters and its global locations.

For a bid to get the company to embrace laptop encryption for better data protection, the company bricked four laptops during the testing process and could not recover the data. It had no backup and recovery strategy in place, Thatavarthy said, and saw the business value of always having an available cloud-based backup.

Employees also were constantly fumbling with multiple passwords to get into more than a dozen cloud applications and myriad databases. Different provisioning models had many staff engaged in role creation and removal of employee access when they left the company. Thatavarthy sought to solve the company's authentication issues by implementing single sign-on and identity management. He got buy-in for SSO by focusing on the business benefit of fast, automated access granting without the need for an ad-hoc approval process.

Modern VPN capabilities were established that also provided better performance and were easier to use. A partner catalog was established mainly to provide more secure remote access for partners and disable inactive accounts, but the business value was connectivity improvements for business partners and vendors.

Building relationships in all areas of the company was a key part of getting the funds to provide data protection and improve efficiencies, Thatavarthy said. Changes wouldn't have been as broad if security simply demanded an investment in security from security executives, he said. There is nothing more valuable than being able to explain to the board of directors the business value that security provides to the company, he said

"Being in security, you always need to be technically savvy, but at the same time being able to communicate in nontechnical and business value terms is very important," Thatavarthy said. "No one has enough budget for security except for the guy who sat next to me with a $100 million budget, and he’s still unhappy."