As has been reported many times previously (here and here), selling fear to CISOs is far from welcome. Prior to May’s looming EU deadline of GDPR, or General Data Protection Regulation, there were many companies that played the fear card across all C-level positions, not just CISOs.
Now that the deadline has passed, the fears have shifted as the specifics for GDPR compliance are still largely undefined. There still is plenty of skittishness around the very real-world penalties—at the high end it can be up to €20 million, or 4 percent of the worldwide annual revenue of the prior financial year, whichever is higher.
The potential for a lawsuit, an audit and penalties still loom. It’s an ongoing issue, just like PCI DSS compliance. This fear is not going to go away. Companies are still coping with GDPR and its mandates are sure to evolve.
For those companies that feel they have a solution for the GDPR pipeline, here are a few suggestions on how to position your organization as a strategic component to deliver compliance.
CISOs respond better to pitches of facts than fears
The very real costs of not complying with this new regulation are an obvious fear sell. Try to hold back from heading down that path.
“A vendor is better-suited to provide facts around the issues,” said Dennis Leber, CISO, Cabinet for Health and Family Services (CHFS) at Commonwealth of Kentucky.
Leber suggested a straightforward explanation of where certain companies stand now that the GDPR deadline has passed and spell out the specifics, stating that those affected companies can face fines up to a certain amount if they don’t meet these noted requirements.
“CISOs, like most C-suite leaders, still speak in monetary values,” said Leber. “Demonstrate how you reduce my spending.”
Just explain how your company can help provide repeatable ongoing solutions to these specific issues. They don’t want to keep revisiting this issue.
“The last thing a CISO wants to hear from a high-priced consultant is, ‘See you next year, same bat-time, same bat-channel,” said Elliot Lewis, president and chief architect, Lewis Security Consulting
As an outside observer, can you see where the prospect is falling short?
Following some of the advice in a previous article, you can actually discover a lot about a company’s concerns even when they won’t tell you. In fact, sometimes they won’t even realize that they have issues that need to be addressed. That’s where a little research can be revealing and warmly appreciated.
“On the GDPR side, a simple cursory look at someone’s site and you can determine if they do not have a basic privacy notice or a ‘right to forget’ form on their site,” said Vijay Bolina, CISO, Blackhawk Network.
Start digging deeper. You won’t find everything, but this lack of public information is probably systemic of much deeper problems. Pointing out the issues won’t be enough; you’ll need to come to the table with the solutions you can provide.
Where does your point solution fit in the GDPR pipeline?
“Branding yourself as an all-encompassing ‘GDPR solution’ is too broad and disingenuous,” said Robb Reck, CISO, Ping Identity. “No vendor can ‘solve’ GDPR for an enterprise. Instead of branding yourself as the GDPR solution, be clear about exactly how you can help. Do you provide consent capture? Data protection tools? Be specific about what you do, and how those capabilities tie into the GDPR.”
“A security vendor who provided an expert-led analysis of a particularly difficult part of GDPR, such as how to use biometrics in a lawful way, would gain instant credibility,” said Gabe Barrett, CISO, Abellio Group.
Ask relevant and revealing questions
“Are you GDPR compliant?”
It’s a common, non-revealing, and non-helpful question. It’s also a moving target.
If a security vendor really wants to understand how well a prospect adheres to GDPR, they should ask more investigative questions.
Lewis of Lewis Security Consulting recommends the following line of questioning:
- “Do you know where your data goes?”
- “Do you know what kind of data is being transmitted where and how?”
- “Are you able to effectively classify your data based on content, or is this an unsolvable task for the company based on your operations and tech available today?”
- “How do you handle new regulations when they come at you – ‘green field’ every time? Or is this process easy to accomplish without reinventing the wheel every time?”
“’How are you handling GDPR?’ is just a tactical overlay to the underlying strategic issues,” said Lewis. “If we solve the strategic issues, answering issues like GDPR will come as a natural effect.”
Be Where People are Already Talking About the Problem
As a marketer who works with security companies, I always advise just being where people are already engaging about the issue. In this case, that means being visible in search for the specific query around GDPR.
Start by conducting searches your audience would conduct to find the solution to the problem your company solves. Dig through the top results. Do any of those top results offer an article or video that allows you to leave a comment? If so, leave some instructive advice. Don’t just paste “We solve this problem! Check us out at ______.”
Next step is to write your own content so your article/video/podcast appears of the top of search results for that very question you just searched.