Published: October 28th, 2014

LAS VEGAS – Historically security selling strategies were predominantly based on the FUD factor – fear, uncertainty and doubt.

Channel partners along with security vendors propagated this FUD strategy, which led to not the best overall customer experience. Making things more challenging is salespeople repeatedly using the tactic of always selling high.

Kevin Reardon
Kevin Reardon

Kevin Reardon, the vice president of sales for Intel Security at the Focus 14 conference, said selling to the C-suite has changed dramatically in the last few years. CEOs today enter the sales cycle at different points.

He stressed to the channel partners to add value at each point of the sales cycle.

“We tell our sales people to sell high, but organizations who are successful selling to the senior executive like the McKinsey Consulting and the Boston Consulting Group can talk to these people about results, outcomes and experiences and delivering safe results,” he said.

The notion that it’s hard to sell security on value is incorrect. “You have to rethink the definition of value,” Reardon said.

He crafted a value equation for the 700 channel partners attending Focus 14 in Las Vegas:

Value = Improved Security + Reduced operational costs.

The standard sales cycle usually has seven steps:

  • Discovery;
  • RFP;
  • Proof of Concept;
  • Proposal;
  • Purchase;
  • Deployment; and
  • Future Sales.

According to Reardon value can be placed on each step of typical sales cycle.

  • At the Discovery stage make the customer understand what the value is or can be;
  • You can enable that value within the RFP;
  • Proof of Concept can promise that value, while the solution provider can leverage the value inside Proposal;
  • At the Purchasing stage is where a solution provider should defend the value proposition; and
  • The Deployment step capture the value initially stated, while Future Sales just reaffirms the value that you presented at the beginning of the sales cycle.

“Writing the business case for security is hard. The downstream effect is what customers want to see with security. So get to the point of value with the end customer,” he said.

Reardon examined 110 customer cases in the last two and half years and developed an Activity-based costing study. What Reardon found from his research is that value was sought in two areas: components and hard-fixed architectures. Customers found it hard to define value in operational expenses.

He suggested to the channel audience to ask questions that are outside of security to get at the value proposition.

There are core questions to ask, such as:

  • Number of employees?
  • Number of IT people?
  • Number of security products?
  • Number of nodes?
  • Number of desktops?
  • Number of Servers?
  • Number of databases?

Then there are questions for learning what the downstream effect is, such as:

  • Number of security products by vendor?
  • Number of consoles and services to manage?
  • Number of patches per month or year?
  • Number of security-related help desks?
  • Number of security and compliance audits?
  • Number of SIEM reports and how long do they take to complete?
  • Number of outsourced reports and how much time does it take to analyse it?

For example, his research found that most of the cost reductions came from reducing bandwidth usage. “This changes the conversation. The story should not be about my button is better than their button.”

A couple of example solution providers should use are improve encryption and your legal and forensic costs goes down.

Or SIEM and network security gets you a better run rate for patch management.

“By focusing on operational cost reduction gives you a better perspective on value,” he said.

Security products should also be positioned as a financial asset. Reardon cited a Gartner study that found the average life of a security product being just 16 months. “I hope the decision on that product was not made as part of a three or four year strategy. Security is not an account or an amortization story,” Reardon said.

Today, approximately 90 per cent of the business case for security is not provided by the IT department.

The key takeaway for the channel, Reardon said, is that value is not a piece of financial spreadsheet engineering.