Selling security to the boss

Managers often argue that security spending can be ignored because return on investment is elusive. In the first of a four-part series, Patrick Gray explains how to turn that attitude around.

Selling security solutions to management is a challenge.

Proving security pays is difficult. In fact, with many security technologies, there's no demonstrable return on investment (ROI) justification for their deployment.

Investing in a newer intrusion prevention system (IPS) might make your job easier, but how do you convince management to sign off on the purchase order when managers react to a request to spend money on security as though you were asking them to buy insurance against a flying saucer attack?

This challenge is not limited to security software and hardware. Managed services can be another tricky area. Monitoring your organisation's devices, for example, is supposed to be your job. How do you convince management that spending extra on outsourcing some components of your responsibility helps them, as well as you?

TechTarget understands the conundrum. So, we got in touch with sales representatives from five vendors to map out their sales strategies. They were more than willing to participate -- their advice to you will help you to buy their products, after all.

We asked each vendor what their basic pitch is for their core service, whether there's a compelling ROI case for that service, and what other logical reasons there are for buying it. We also asked what the least effective strategies for selling their products and services are. The plan is to turn TechTarget readers into gun salespeople, capable of pitching their own management on a raft of technologies, from authentication solutions through to IPS and endpoint security agents, compliance services and managed services.

Now, we're not saying that everything that comes out of the mouth of these salespeople is gospel -- they're salespeople, after all. What we're telling you is what salespeople say works when selling security solutions.

TechTarget is not endorsing any of the products or services discussed here. Instead, we're trying to coach readers on selling the concepts to their management. The decision of what to sell up the chain is up to you.

Managed services

Let's start with selling managed security services (MSS) to your boss.

Outsourcing the management and monitoring of security devices has been around since the early days of the security industry. Perhaps as a legacy of the bad old days, when all things security were considered a black art, outsourcing the then-mysterious practice of monitoring security devices and conducting vulnerability scans was an effective way of throwing responsibility for all things security to a third party. In other words, it was a great way to cover your arse.

Even though monitoring and management have got easier over the years, managed services remain popular. And according to Internet Security Systems, which answered questions by e-mail, arse covering has become a legislated requirement for doing business. Or, as ISS's Australasian Director of Managed Security Services, Hillary Noye, puts it: "Regulatory compliance continues to drive investment in security in order to meet compliance guidelines."

It's more polite the way she says it.

But even when regulatory issues don't present a clear case for adoption, there are other cases that can be made for managed security services. Reducing operating costs and minimising downtime through a rapid response capability are cited by ISS as drivers for a successful sale.

Noye claims 24x7x365 monitoring requires six to nine staffers per seat. That's an expensive operation, especially when you throw in the special skills required by those staffers to manage a 24x7 security operations centre.

Cybertrust, which competes with ISS for managed security business, also says the skill requirements are a good selling point. "Managing security is not just a question of managing a set of security devices," says Cybertrust's Geoff Hunter, the company's Business Development Manager, Critical Infrastructure. "The real effort lies in evaluating threats, responding swiftly and in an informed way to incidents, setting up remediation activities and enforcing security policies."

It seems the two companies also agree that in-house 24x7 monitoring is prohibitively expensive. "In practice, a team of a minimum of six people is required to cover security management and round-the-clock monitoring, taking into account nights, weekends and holiday... time," Hunter says. "The headcount cost-to-company in combination with training costs - take a minimum of 10 training days per year (two working weeks) - give you the total people cost."

Add to that the technology costs of purchasing security event and information management technology, management stations, a ticketing system and so on, and the cost starts ballooning. "You typically have a one-off license cost and a recurring maintenance and support fee attached to them," Hunter adds.

However, Cybertrust insists a small security team is still required in-house to respond to requests and recommendations from the MSS provider. So there you have it, you can outsource your monitoring capability and still keep your job!

But you may encounter some stumbling blocks. Some arguments your manager may come up with to put the kibosh on your MSS proposal, and some arguments you can use to counter them, are:

"I have a firewall in place, I don't need management support."

Phooey, says ISS's Noye. The firewall rule sets need to be updated frequently as your environment changes, the firewall needs to be hardened and patched, and it will require troubleshooting to support software and hardware issues.

"I have security staff -- I don't need outsourced management support."

MSS security professionals augment your current staff, freeing your resources for more strategic and tactical efforts. An MSS provider can typically provide security monitoring services for less than 50 percent of the cost of internal resources, Noye says.

"It is too expensive."

Security engineers are expensive to hire and retain, Noye argues. It is extremely difficult for one person to analyse all the logs and data that are generated by the security devices on your network (in addition to responding to real attacks).

"How do I maintain control of my infrastructure if a third party is doing the monitoring and management?"

A good MSS provider will have a transparent method of allowing end-user customers to maintain high levels of security awareness and control while the MSS experts perform day-to-day security management tasks, Noye says.

The final word on MSS belongs to Hunter, who tells us not all companies are suited to outsourced security services like device monitoring and regular scanning. "If the organisation is small (under 50 persons) it's maybe difficult for that organisation to get a return on an MSS investment," Hunter says. "Another reason that we see in organisations with little or no desire for MSS is due to their propensity to risk. In other words, there may not be a compelling event for them to outsource security, or pressing compliance requirements... or the organisation is simply risk tolerant, as opposed to being risk-averse."

Generally speaking, every organisation requires security to some degree, and it is typically the small organisation that does not fit the mould for MSS, Hunter says.
