“Every bit of security adds value to your customers,” a CTO once told me.
Some security is what he calls “table stakes”: the basics that everyone must do. Everything else, the things that separate those who do security right from those who don’t, is a differentiator. As he explains, “Being clear about our security strategy helps the buying conversations with our customers. They see it as a differentiator.”
Here’s why I agree with him:
- Most companies don’t understand security, let alone how to do it right. Now you do.
- Most companies don’t understand their attackers and don’t have a threat model. Now you do.
- Most companies invest too little, too infrequently, with too little collaboration, using the wrong methods, focused only on issues of too little significance. You’ll be doing the opposite of each.
- Most companies are not secure. You will be.
Consider how powerful that contrast is. It’s incredibly differentiating.
Your customer is just as worried about security as you are. They’re excited to work with companies like yours, who address these concerns.
Earn Trust, Not Fear
To use security to drive sales, you need to get your customer to trust you first. If they do, they buy faster. If they don’t, they hit the brakes and proceed with caution.
The opposite of trust is fear. You introduce fear when you make hollow promises, make misleading claims, or fail to back your claims up.
Misleading claims are when someone inappropriately tries to imply a broader truth about a specific fact. For example, when people claim “bank-level security,” they’re trying to suggest that because they use the same encryption that banks use, they must be as secure as a bank. That’s not necessarily true. It also misrepresents how attackers operate: they typically don’t try to break encryption. They attack softer targets.
Failing to back up claims is when insufficient evidence is provided to support security claims. For example, companies commonly say that their app is “highly secure” but don’t explain what that means or how to verify it.
Don’t do those things. They imply that you don’t know what you’re doing. That builds fear.
You want to avoid that. You want to make sure that your customers know that you’re different…because you are different.
So instead of building fear, build trust. You do this by being transparent.
Trust leads to sales.
Tactic #1: Use Your Security Assessment Report
Any good security assessment delivers a report. It’s a powerful tool. Share it with your customers. It helps them understand what you’re doing. They want that insight.
You can use a summary of this report in many situations:
- Send when prospecting new accounts.
- Send before sales calls.
- Review during sales calls.
- Send on a regular cadence (such as quarterly) to demonstrate your ongoing commitment to security.
- Post to your website for download (which I’ll explain more in tactic #5).
From Fortune 5 enterprises to funded startups (and everyone in between), companies of all sizes do these things to successfully support their sales processes. You can, too.
Tactic #2: Use Your Security Consultants in Sales Meetings
When your customer brings up security concerns during the sales process, consider involving your security partner. Have them meet with your customer. You walk away with either the concerns resolved or clear direction on how to resolve them. You earn your customer’s confidence that you truly understand their concerns and can address them. Better yet, you also make your own life easier by deputizing your security partner to handle this critical element. Win-win.
When it comes to their security concerns, your customers are looking for the candid truth. They want objective facts. They want insight to help make a decision. However, they may think that you’re biased in this conversation. They know that you want the sale. They may assume that would influence what you tell (or don’t tell) them. Your security consultant resolves this scenario. Security consultants should be independent: that means they wouldn’t say anything untrue or mislead your customer; they’ll just stick to the facts. Your customer wants that. Having an objective voice in the security conversation assures that they’re getting the straight truth. It helps your customer make an informed decision. The faster they can make an informed decision, the faster both you and your customer can move forward in your business relationship. The faster you can close the sale.
Tactic #3: Make Security Questionnaires Pop
Security questionnaires are an attempt by your customer to document your security posture, policies, and controls. The purpose is to understand the risk they’d be accepting if they use your system. However, they’re also a great sales and marketing opportunity for you if you do them right.
Companies get in their own way when they try to cut corners, ignore elements, or minimize the importance of these documents. Don’t do that. I assure you, these questionnaires matter to your customer. If it matters to them, it matters to you. Instead, make these documents work for you. If you do, they support your sales effort.
Here’s how to make them pop:
- Answer every question.
- Be concise.
- Be clear.
- Understand your audience.
If you do these things, it smooths the path to acceptance. You make your customer’s life easier. You remove one more brick in the wall between you and the sale.
Whether you do them yourself or enlist your security partner, the point is the same: capitalize on the opportunity. Security questionnaires are a chance to make your customer’s life easier while building trust faster. Take it.
Tactic #4: Align Your Remediation Plan to Your Development Roadmap
Security vulnerabilities will pretty much always exist; it’s simply the nature of software development. There’s no such thing as a “clean bill of health,” the mistaken notion that an application has no vulnerabilities. The question is not whether vulnerabilities exist. Instead, the question is whether you’ve found them and whether you’ve fixed them. Show your customers your plan for what you’ll fix and when you’ll fix it. Help them understand that excellence is a journey. It doesn’t happen instantly. This smooths the path to acceptance, even despite the existence of security vulnerabilities.
The best way to do this is to align your remediation plan to your development roadmap. Literally, tell your customer when you’ll fix each vulnerability. Some security vulnerabilities you need to fix immediately; others you can get to over time.
By aligning your remediation plan to your development roadmap, you shine in stark contrast to your competition. Your competitors will suggest that they have no vulnerabilities. They’ll try to claim that they have a “clean bill of health,” that they are “highly secure,” and that everything is just fantastic. By now, we all know that’s not true. Vulnerabilities exist. Use that to your advantage. Simply communicate to your customers what’s going on, and you’ll build trust through transparency. They’ll appreciate you for it.
Tactic #5: Build a Security Page on Your Website
Many companies talk about security on their website. You should, too.
I’ve reviewed two hundred marketing websites of prominent, enterprise-class applications. I was looking to see whether they talk about security, and if they do, what they say. More than 45 percent of them talk about security in some form or another, with more than two-thirds of those having an entire page dedicated to it. This shows that other software companies also recognize the demand for security. You need to address it, too.
However, almost all of them do it wrong. If you do it right, that creates an enormous opportunity for you.
- Describe things in simple, clear, honest, straightforward language.
- Don’t overcomplicate it.
- Don’t overload it with jargon.
- Don’t fluff it up with marketing-speak. Just be direct. This will strongly differentiate you from the nonsense out in the marketplace.
The more thorough and transparent you are, the more powerfully differentiating it is. When your competitors make hollow, misleading claims without backing them up, your transparency shines in sharp contrast. It strongly resonates with your customers. It speaks to the deep-seated fears they have about their security and about your security.
- State your security mission.
- Describe your internal security team (if you have one).
- Back up any claims you make.
- Describe your approach to security testing.
- Provide reports so your customers can verify.
- Describe other security initiatives that demonstrate your security mission, and back them up, too.
- Call back to your mission, tie it to your ethos, and make it easy to contact you about security questions.
This might feel like a lot. But you know what? It’s what your customers are looking for. So give it to them!
You don’t need to follow this script verbatim, but you do need to make it clear what you’re doing, why it should matter to your customer, and how they can verify what you claim. You need to highlight that what you’re doing is more thorough than what most companies do, and you need to do so with authenticity and transparency.
The final recommendation here is about navigation. Don’t bury the link to your security page in the website footer. That’s where most people hide their security page. Instead, include the security page in the navigation at the top of your website. Almost no one does this. When you do, it will absolutely scream to your customers, “Security matters to us!” They’ll like that.
Showcase Your Business’s Commitment to Security
Secrecy is a good thing. You should add it to your security efforts where you can. But secrecy alone should not be what your security model depends on. In fact, you need to assume that all secrets are known.
Imagine that you have a duffel bag full of cash. You want to hide your small fortune, so you go deep into the woods and bury it. You are the only person who knows where. Pretty secure, right?
Now imagine that someone saw you digging this random hole deep in the woods. She got curious. The only thing between that person and your cash is some overturned dirt. Would you still feel as confident now that the secret is gone? Probably not.
Secrecy is an additional layer that you can (and should!) add to your defense plan, but it shouldn’t be the primary element. Instead, adhere to Kerckhoffs’s principle, which says that a system should be secure even if everything about the system (except the key) is public knowledge. If you can do that successfully, then you’re clear to implement the kind of transparency needed. You can communicate your security approach in ways that help your customers without ceding the advantage to your attackers.
Content adapted from: