Selling Security final part: Compliance services

The final part of our series on selling security explores compliance services and how you can explain their relevance to your bosses.

We left compliance services to last for a reason. Most readers are more likely to have compliance requirements forced on them than to try selling them to the boss in the first place. But you never know -- SearchSecurity readers are a savvy bunch, and given you're on the fast track to somewhere, not the meandering path to nowhere, chances are you'll be the boss pretty soon anyway. So here's a primer on selling compliance.

We approached Nick Ellsmore from Sydney-based consultancy SIFT, which specialises almost exclusively in consulting to highly regulated businesses. According to Ellsmore, there are some clear-cut reasons for engaging external parties to make sure your organisation measures up to expectations on the regulatory side.

"There are a few compliance requirements which are quite clear," says Ellsmore. "[But] the vast majority of compliance requirements... require significant interpretation."

In strict financial terms, he adds, an ROI can generally only be calculated if a lot of figures are known. Those figures might include the cost of a breach, for example a fine or the negative PR effects. If you've been on the wrong end of a compliance breach, the ROI case will be quite clear.

It's at this point that Ellsmore introduces us to a nice new buzzword. Other salespeople take note. It's called CINI, or Cost If No Investment, and Ellsmore says calculating a precise figure is handy when you're trying to justify compliance costs. "To do that will always require informed estimates of likelihoods and consequences associated with security incidents," he says. "The more 'real' an organisation can make this, by using either their direct past experience, or known figures from the security industry, the more likely they are to get the project to be accepted."

Here are some arguments for handling compliance internally, and some counterarguments you can use to justify outsourcing some of the compliance work, courtesy of Nick Ellsmore.

"We know our business better than outsiders would."

If the external consultants are well versed not only in your company, but also your industry and competitors, they can see things you won't.

"We can do it more time/cost effectively internally."

If this is genuinely the case, that is great. However, compliance work often becomes a distraction for staff who should be adding value elsewhere in the business, and it is easy for it to drag on and never be effectively closed out.

"We do everything internally."

Using external specialist resources can support the ability to do things internally and doesn't have to be threatening.

"We don't want to lose the knowledge."

A good consulting firm will support the knowledge transfer process so that, if an organisation were so inclined, it could handle the compliance component of the process itself in future.
