Guest Column | May 21, 2021

How To Sell Security As An Outcome, Not A Product

By Dr. Richard L. Chambers, America’s Return Inc.

Security Lock

Economist Theodore Levitt would say hardware store customers do not really buy quarter-inch drill bits (product), they buy quarter-inch holes (outcome).

Apply this logic to a far more complicated sale -- network security: businesses do not buy firewalls, password management software, or penetration testing services; those executives buy the confident ability to do business digitally and to dust-off quickly after any unexpected security scrapes. But they have become increasingly attentive to ransomware attacks, privacy compliance, and environmental disasters. VARs and MSPs have a proliferation of products and services to throw at the threats. Yet in attempting to promote an outcome rather than a transaction, you face a sales paradox about your value: the better you protect customers, the less you can claim ROI for the smooth outcome. It is hard to pitch triumphant case studies of a breach that never happened, a data loss that was recovered instantly from the backup, a downed server that failed-over automatically, a clerk that did not open the phishing email. So, reps rely on generic scenarios of treachery and ruination to stimulate action, often leaving a decision maker frozen with fear. What are your best options to build your security practice and keep it when – if you are successful – the customers may rarely feel the payoff?

After working with hundreds of security-focused VARs and MSPs in the IT distribution channel, I see three keys to your success. You must come to understand the following.

  • The customers’ current business situation with its unique inherent risks, your discovery aimed at going beyond prevention to identify competitive advantages as outcomes.
  • Where in their buying journey your contacts believe themselves to be – along with their contentedness or sense of urgency to change – so you can prioritize your efforts.
  • The risk tolerance of the decision makers and how to educate – not frighten – them to act.

The Current Situation

Your assessment of a business’ situation starts with their current infrastructure – the number, location, and nature of their current devices – and their means to protect them. The temptation might be to promote product/service upgrades. But such a company profile is not complete without understanding the customer’s industry threats and opportunities. For example, a food distribution company no longer able to make wholesale deliveries to pandemic-shuttered restaurants may wish to turn to retail home deliveries. Are you able to help them safely navigate from an invoice-based accounting system to one based on consumer credit cards, entailing privacy-compliance standards of the Payment Card Industry (PCI)? Or consider a law firm storing sensitive personal information which when leaked would bring heavy regulatory fines from the state. How can you protect the attorneys from penalties while also proactively burnishing their reputation as a fortress of confidentiality? Your inquiry at the minimum will position you as a strategic partner in digital transformation rather than as a simple vendor.  Further, your review of any initiatives underway brings us to the next key.

The Buying Journey

Perhaps you track opportunities according to your CRM sales stages. But your customers have their buying process that outstrips yours. You must discover where those contacts see themselves located on that path. Use the BANT mnemonic as a guide for your inquiry (Budget, Authority, Need, Timing). Highlights here:

  • Need. I refer to the buying journey as a trip from “Point A” (their present situation) to “Point B” (the desired outcome of their journey). For most small business security prospects, a state of denial about a disaster is endemic to Point A. Your eliciting a picture of Point B certainly needs to include disaster avoidance, but you also need to include an upside to help overcome inertia. Will a safer online customer experience encourage a deeper use of their website for more sales?  Will a less cumbersome use access/authentication method make their employees happier? The most compelling stories you can tell about reaching Point B include outcomes that expand their riches, not just shield their current store. More can be found here: Selling From A To B: The Shortest Distance Between ‘Problem’ And ‘Solved’.
  • Authority. While not every contact can authorize your sale, many can speed you along or halt you depending on how they see their interests being served. A network administrator may cheer an automated software-patch offering if the outcome is a gain of time for other duties. Remote laptop users may complain that accessing enterprise data is too restrictive when using consumer devices at home. The buying journey includes many passengers. Make sure their itineraries are accounted for in your recommendations.
  • Timing. The further along the customers are on their journey, the shorter the time to a buying decision. But do not try to accelerate a sale by skipping steps they must take. If they are still scratching their heads about requirements, do not expect an excited consensus about a proposed bargain. Anticipate your proposal to start with small steps that can be committed to right away, including a hard schedule of monthly or quarterly business review points as you evaluate together the scope of a larger plan. If you will be monitoring their infrastructure, have reports of intrusion attempts and other alerts presented as a scorecard of where they stand compared to best practices…like a travel brochure to a new Point B.
  • Budget. Security sales inherently involve a cost-benefit decision: how little can the customer pay to gain the maximum mitigation of risk. Hence, the following section.

Their Risk Tolerance

Your careful analysis may get confounded facing emotions and probabilities. SMB founders in their fifth year have seen a 50 percent business failure rate among their cohorts for reasons having nothing to do with network security. Do not be surprised by self-perceptions of invincibility. It is easier to manage an owners’ survivor intuition if you have framed your approach within a rational and credible methodology.

The NIST Cybersecurity Framework is an excellent third-party outline for your discussions. Worth restating is your depicting the outcome as a move forward beyond mere protection of the status quo. For more on stressing the upside payoff that expands revenue, shrinks costs, and improves employee morale, see The Good, The Bad And The Money: How To Sell Business Outcomes. Above all, rely on empathy, not fear tactics. As a salesperson, you may be scarier than a hacker; as an engineer, you may be tone-deaf to the financial pressure owners face.

Security is not just an aggregation of products and services. It is an emotional state achieved through assessing the specific threats your customers face, gauging the risk tolerance that governs commitment, and educating your customers on prudent action. This is different from transactional selling of security products and services which may give the feel of a “security blanket.” Some threats require a locked door -- installed not with a ¼” drill bit but a 2” deadbolt drill.

About The Author

Dr. Richard L. Chambers is president of America’s Return Inc., provider of The S.A.L.E.S. System, an SMB channel sales development program helping OEMs, ISVs, distributors, VARs, and MSPs sell solutions with higher profit in less time. rchambers@americasreturn.com.