Sell Security Like A Pro


Ever felt frustrated that, in a project, your security advice is not being listened to and every deviation from the security standards gets risk-accepted? Or that after rounds of meetings and pestering, clients just wouldn’t be interested in your brilliant security tool that “breaks hackers’ hearts”?

Say no more fam.

Dr Robert Cialdini got you.

Dr Cialdini’s 6 principles of persuasion will come in handy in situations where we need to evangelise/sell/persuade security to less security-literate stakeholders.

Here is how I unpack them.

Reciprocity

As suggested by Dr Cialdini, people are likely to say yes if they owe you something. Spot opportunities to show some goodwill before pitching to your stakeholders/clients. The important things here are:

  • Don’t go overboard, or the effort will be taken for granted

  • Ensure your effort is obvious, better still if it is public

Scarcity

It is easier to understand this point in the context of selling: communicating the uniqueness or scarcity of the product, e.g., it is the only product that is powered by a complete learning feedback loop on the machine learning module, which is tested by MIT, and all predictions boast statistical significance at the 95% confidence interval! (I made this one up, but please let me know which product does this...)

Or flip it the other way: “do you know what you are losing by not buying our product (that made-up one above)?” Similarly, when talking security risks with business stakeholders, it is always easier to tell them the consequences of not doing security properly than to walk them through the complete threat analysis.

Authority

Basically, don’t be shy about letting them know that you know your sh#t; make all your certs/credentials visible. For example, if you have all 7 certs from AWS, there is no reason not to tell your client that you are one of the few 7-cert ninjas in the country.

Commitment and Consistency

Get the clients to agree to small and seemingly insignificant things, again in public. For instance, getting the client to run a free, no-obligation Proof-of-Concept increases the likelihood of closing a deal; SaaS vendors’ sales forces use this method a lot.

In a project setting, though, you can push the project to agree to the smallest changes first, e.g., a single non-functional security requirement.

Liking

Looking and acting according to the given context and environment will boost the likelihood of a successful persuasion. Subconsciously, we like people who look and act like us. Conforming to the norms of the environment will automatically give you credit, which you can spend when persuading.

In social engineering settings, the strategies for tailgating someone into a bank versus a digital/tech company are very different: wearing a navy blue suit and carrying a Dell or Lenovo vs. wearing a GitHub logo t-shirt and carrying a Mac.

Social Proof

Put the social pressure on. Think of statements such as, “Do you know all your competitors are using this security monitoring tool and doing real-time security response with it?”, “almost all companies in your sector have input validation on all their APIs”, “your competitors just pulled out of the public cloud for their IaaS stuff”.