Selling Security

Selling Cybersecurity: What We Can Learn From The Ice Bucket Challenge

In July/August 2014 the ALS Ice Bucket Challenge changed forever how charities should have organised their fundraising efforts. Replacing the usual guilt-trip approach with something fun/‘socially mandatory’ resulted in hundreds of millions being donated to a cause few people had even heard of, let alone cared about.

People gave to ALS not because it was more deserving than other charities; they gave because to NOT do so attracted negative social repercussions most of us could not ignore. This was more than a little hypocritical as I expounded upon here, but this is now the social media-driven world in which we live.

But it WAS also fun! To do and to watch.

That said, I seriously doubt 99 people out of 100 who did the challenge either gave to ALS charities subsequently, or remember now what ‘ALS’ is even the acronym for. They may have known at the time, but the details are no longer important unless ALS has a direct impact on their lives or the lives of a loved one.

These are not bad people, they are you and me.

The fact is that the number of diseases affecting humans is in the tens of thousands, the number of charities ‘serving’ them in the millions. 99.9% of these charities do the exact same thing, and have done this since time immemorial; show you the effects of the disease on someone else and ask you to care.

Almost all charities are still ‘advertising’ in the same way, when it’s only the ones that truly stand out that get the lion’s share of our money, let alone our volunteer time.

The problem is that we are so inundated with requests to give that we don’t even see/hear them any more. We are immune to the very feelings of guilt/societal obligation/altruism the charities are relying on to get you reaching for your wallet.

But in the end: “The definition of insanity is doing the same thing over and over and expecting different results.”

Though far less dramatic and controversial, people trying to sell cybersecurity are doing almost the exact same thing. The original title of this blog was actually “Selling Cybersecurity: Fear is WHY the Board Don’t Care!” as those who should be worrying about security are simply numb to the whole thing. They just don’t care any more, if they ever did in the first place.

Headlines abound with data breaches, fines levied, and CEOs disgraced. The more of this we see, the less we give a damn. We have already become ‘snow-blind’ to the possible, even likely consequences.

This is our fault. As security professionals it is OUR job to talk to our prospective clients in THEIR language. WE have to understand that our clients probably don’t care about security, and probably never will. WE have to give them an ROI.

As an analogy, do you care about your car insurance? What would a car insurance salesman have to do for you to be anything other than dismissive, or even downright rude?

It’s actually OK that they don’t care. If you said that you cared about all human diseases I’d say you were full of %^$£. But if you want them to actually buy something from you you’d better be able to change the conversation to something of interest. Interest to THEM that is, because of course they care as little about your business as you care about theirs.

Not caring does NOT mean doing business without ethics or integrity; in fact it’s more honest if, and only if, BOTH sides benefit.

From PCI, to PSD2, to GDPR, to every regulation that will ever come down the pike, vendors will scramble to find ANY motivator to get organisations to spend money. The only motivator that will ever gain traction is one that’s good for their business. Fear of breach/fines/reputation loss is nothing in the face of how spending money on security affects the bottom line.

So how do we change this conversation?

Frankly I have no idea, and anyone who can get even close to the effectiveness of the Ice Bucket Challenge in cybersecurity sales will rule this little slice of the world. But what I’m NOT going to do is waste my time telling clients things they could not care less about and expect them to throw money at me. In fact, I’m going to question why they think they want my services in the first place. Because if it’s not for a reason that makes sense to their business the project will fail and it WILL be my fault regardless of any evidence to the contrary.

There will of course never be an Ice Bucket Challenge for cybersecurity as a whole, but there CAN be an equivalent paradigm shift in each organisation you talk to. You’re there because they have to do security, not because they want to; nothing you say about security outside of a business-benefit context will matter to them.

You just have to find what that benefit is.


Social Media Is Killing Customer Service

In a truly stunning service provider fail, I was without Internet access at home for 14 straight days. FOURTEEN DAYS!! But at least my service provider responded promptly on social media.

I won’t tell you who my provider is [virgin media cough], but as someone who works from home, not having Internet is a severe liability. I also happen to work in Internet security, so the vast majority of my day is spent faffing around online. At least my data was safe I guess.

It’s not so much that I was without access for so long, bad things happen, it’s that I STILL don’t know why! To be told every day that it’s a “known fault” and that it will be “resolved by 2PM tomorrow” makes an utter mockery of customer service. Not once did they update their site with an outage statement, not once did they call us with updates, and not once did they tell us what the issue was.

For God’s sake, my next door neighbour had Internet access from the same provider! Literally, next door, I’m at 45, they’re at 47.

Enough background, now to my real issue: while their actual customer service left a lot to be desired, their social media department was totally on the ball. And no, that’s not a good thing. About 30 seconds after we Tweeted about the disgraceful service their rep was back to us, apologetic and full of concern.

What’s wrong with that you might ask? Well…

  1. They had no access to our account, so they could not even speak to the issue;
  2. They had no access to tech support to find out what was actually wrong;
  3. Once they realised they were making things worse they referred me to their utterly pointless Code of Practice;
  4. They kept no record of their previous contact so every subsequent bad Tweet was followed by the exact same conversation, and;
  5. Zero follow-up, zero accountability.

Bottom line; customer service over social media is nothing more than an attempt to protect their online image. At no point was this ever an attempt to actually help.

Customer Service is both an art and a science, and is one of the few competitive advantages left in the digital world. It should be pro-active, an extension of an organisation’s values, and absolutely cannot be faked. Most people I know would stick with a lesser product / service if they believed their provider actually cared.

I have never understood the visceral resistance to admitting that you’ve messed up. It’s akin to one of my favourite lines in The Dark Knight when the Joker says “You know what I’ve noticed? Nobody panics when things go ‘according to plan.’ Even if the plan is horrifying! If, tomorrow, I tell the press that, like, a gang banger will get shot, or a truckload of soldiers will be blown up, nobody panics, because it’s all ‘part of the plan.’”

In this case, all my service provider had to do was tell me the minute they knew there was a problem, which was 4 days before the line went down. Then, if they had just kept me pro-actively informed on progress, I would have only been disappointed, not angry. Of course, it would have been great if they had offered to provide a temporary alternative, like a MiFi for example, but this was not necessary. They would have made a loss on the month, but they would have earned years of my loyalty.

As things are today, I will not only leave my current provider as soon as there is a viable alternative, but I will actively dissuade anyone from using them.

Social media is a critical aspect of customer service, but only if these two things are seen as intrinsic components of the right corporate values. If not, you’re just pandering, and I for one will not be pandered to.
