Leveraging Security in the Sales Process
Security is more than just a good business practice. It also serves as insurance for your customers that security is a top priority. With the right protections in place, you demonstrate that their data will be safe with you, and this can accelerate the sales cycle. But without good security, sales cycles can drag on or even grind to a halt. Of course, you need to start by having the right security technologies, processes, and personnel in place. Then, you need to be able to convey all of this to prospective and current customers.
In this post, we’ll explain what you need to do to guarantee robust security and how you can communicate this to customers and prospects, giving them visibility into your security measures.
Have Documentation Ready
Customers need to feel confident that you have your ducks in a row before they’ll do business with you. They’re going to want a thorough understanding of things such as:
- How you protect systems and applications
- Who has access to what types of data
- How you’re alerted on suspicious activity that may impact their data
- What ongoing precautions you’re taking to further secure data
- Whether you’ve had any incidents in the past and how you responded
- And much more
To avoid hashing this out on every sales call, it can be helpful to document these security measures, and any others your prospects typically ask about in the sales cycle. This way, all of this information can be ready to send should a prospect ask. It can also serve as good information for the sales team to have so they’re prepared should a question come up early on in the sales cycle.
Additionally, if you’ve gone through an audit before (e.g., HIPAA, PCI DSS, SOC 2), customers may want to see the results. These reports will detail a variety of technological and procedural protections you have in place to protect your business (and your customers) from common threats. Hopefully, any audits you have had in the past demonstrate that you are in full compliance, but if there are any shortcomings in the reports, prioritize improvement in areas that may concern customers (e.g., not having real-time alerting on potential issues or least privilege access policies, etc.), so you can communicate what corrective action has been taken since the audit. Keep in mind, however, that often what customers require of you and what compliance does are two different things, so having all of your security protocols documented as explained above should address most of what they’re looking for.
Add a Security Commitment Page or Section to Your Website
If you’re in a security-conscious industry, or work with security-conscious customers, it’s a good idea to publicize your security commitment and practices right on your website. This can go a long way toward demonstrating transparency.
We’re seeing more and more companies do this these days. Devoting a section or an entire page of your website to security helps answer customer concerns or questions up front so that sales conversations can move along smoothly, and, of course, it also demonstrates your company’s commitment to good security. That in itself can be a huge competitive advantage compared to other companies in your industry that may not offer the same level of transparency around security.
While it certainly doesn’t need to be elaborate, a good security webpage or section should include:
- A statement about your organization’s security commitment (1 paragraph)
- The main cloud and/or physical security protections you have in place (a paragraph or bulleted list)
- Compliance regulations the organization upholds (logos or a list)
- Company-wide access policies (a paragraph or bulleted list)
- An explanation of how data is protected in transit and at rest (a paragraph or bulleted list)
- An FAQ based on common security questions your team receives (Q&A format)
A good example of a security page comes from our friends at PagerDuty. On this page, they clearly outline what protections they have in place and why, explaining how they keep customer data safe from both internal and external actors.
You may also want to feature your security team on your About Us page or anywhere else you highlight your organization’s key players. This way, prospects understand who is at the helm of security initiatives and what their qualifications are. If you don’t have a dedicated security team, it’s still a good idea to be transparent about who on your team (e.g., a DevOps engineer or CTO) spearheads security initiatives and mention their experience and dedication to security on the team page.
Appoint a Security Spokesperson
Once a prospect has validated that your solution would solve their problems, they’re going to have some questions to ensure that their data will be safe with you. That’s why it’s important that someone who knows how to explain your company’s security protections is available to speak to prospects and recognizes the importance of doing so.
To do this, ensure that your sales and security teams have a close working relationship. It’s a good idea to discuss in advance with sales when security is likely to come into the conversation and how those calls and discussions should be structured. It can help to have a whiteboarding session with your sales team to map out when in the process security comes up so you can be prepared for calls.
You may even want to run through a few mock scenarios with the sales team so everyone is prepared and the process goes smoothly.
Have a Security Communications Plan in Place
These days, security incidents are fairly common at both small and large organizations. So preparing a security communications plan ahead of time is a good way to help mitigate the business impact of an incident.
We recommend that you create a customer and public relations plan to use in the event of a security incident. It’s a good idea to work with your marketing and/or public relations team on this. As necessary, you should also bring in other stakeholders, including legal, compliance, and, of course, security. Your plan should include:
- Internal stakeholders responsible for communicating to the public about an incident
- Who your messages need to targetted at
- Main messages to convey (e.g., your commitment to security, protections in place, people involved in the investigation, contractual obligations, etc.)
- Timing for customer-facing messages after an incident
- Where you will release the notifications (e.g., email, website, support desk, social media)
You should then draft a message that you would send to customers after a breach or attack. This should serve as a template that includes all the key messages and assurances you wish to convey to retain trust and continued business with your loyal customer base. This message should include:
- How you will explain the security issue
- What you will tell customers if their data is affected
- When you will tell customers if their data is unaffected
- How your team is responding to the threat
- What is being done to minimize similar events in the future
With a plan and message prepared up front, you can ensure that you’re giving customers the highest level of transparency they need — at the same time that you’re saving your team a lot of hassle and confusion in the event of a real incident.
To Walk the Security Walk, You Need to Talk the Security Talk
At this point, you’ve done a lot to ensure that your company is as protected as it needs to be from threats. Now it’s time to talk about it and use it to close sales! Having reports ready, a dedicated page on your website that answers common security questions, someone appointed to jump on sales calls, and a communications plan in the event of a breach will help you properly communicate the protections you have in place.
Final Words . . .
To get an indepth look at how a platform like Threat Stack can help your organization develop a strong security posture, request a demo today.