Security-focused solution providers said they aren't talking about technology nearly as much as they are about defining and lowering business risk.
"Cybersecurity is really just a buzzword," Ted Clouser, executive vice president of Little Rock, Ark.-based PC Assistance. "It's really about the mitigation of risk."
Clouser, who has been with PC Assistance as it successfully transformed over the past year and a half into a managed security service provider, said risk is the most important piece of the conversation when it comes to cybersecurity. He said his business starts clients with a vulnerability assessment to pinpoint areas of security risk.
Jeremy Wittkop, CTO of Greenwood Village, Co.-based InteliSecure, said a move away from selling technology to a conversation of business risk is essential because the buyers of technology aren't necessarily the IT teams anymore.
"I don't think a technocentric message works because truthfully the people making the decisions are different than they were five to six years ago," Wittkop said. "Business folks are making business decisions, they just happen to be facilitated by technology."
Wittkop said InteliSecure moved to this new selling approach about five years ago. He said the solution provider is now looking to take that model to the next level with what he called the "holy grail," which he said is a return on investment model. He said InteliSecure is looking to provide realistic objectives and quantify how much different technology purchasing decisions reduce risk and ultimately reduce an executive's budget over time.
Michael Echols, CEO and board member of the International Association of Certified ISAOs (IACI), said in a presentation at XChange 2017 Security University in Orlando, Fla. this month that the language of risk management is one that all business executives understand, from the IT department up to the board of directors. He said it is key for partners to be the translator between technology language and what it means for risk management.
"Board of directors may not understand technology, but if they spent a certain amount of money they understand when you say it reduces risk by a certain percentage," Echols said in an interview with CRN. "If you're trying to sell these types of organization and you're talking to them in a way that you're educating them, you have now endeared yourself in a totally different way to the customer."
Echols said boards of directors know they need to increase cybersecurity investment, but struggle with getting into the weeds around the technology. He said a focus on risk management would help partners mature the industry and allow for greater investment across the business in improving cybersecurity posture.