One of the most important yet often overlooked factors in high-end, private sector protective operations is the sale. By this, I’m not just talking about the acquisition of new clients, but the general idea of getting the right decision-makers to sign onto your program – and to be willing to pay for it.
One of the biggest challenges (which, in my mind, also makes things more interesting) is that in most cases, the decision-makers who are in position to sign onto your program aren’t security professionals. So the challenge is how to communicate – and sell – security to non-security personnel.
Having acquired over a decade of experience in this (making plenty of my own mistakes along the way), I’d like to humbly offer some tips on the matter. These cover executive presentations, security board meetings, budget committee meetings and even one-on-one conversations with executives.
There’s a celebrated quote attributed to Albert Einstein that goes “If you can’t explain something simply, you don’t understand it well enough”. Most executives and stakeholders are probably familiar with this idea, and you would be wise to familiarize yourself with it too. It’s OK, or even necessary, to elaborate on a subject, especially if you’re asked to do so. But don’t forget to start with a simple explanation before you plunge into the deep-end of things.
- Don’t dumb it down
To simplify something is not to dumb it down.
It’s very common among security professionals to make fun of naive clients and executives who are so ignorant about their own safety and security. But try not to let this mostly harmless tendency infect the way you explain security to them. Remember, the executives and decision makers you are talking to did not get where they are by being dumb, and they’re not going to appreciate you treating them as such. Security just isn’t their field of expertise, it’s yours.
The idea isn’t to dumb things down. On the contrary – it’s to synthesize and summarize things into understandable terms with actionable outcomes. It’s the opposite of dumbing things down.
- Know your audience
This one comes up a lot. You’ve put together a great security presentation; detailing threat matrixes, risk mitigation strategies, hostile planning disruptions, attack contingencies, and, oops… You’ve lost your non-security audience about thirty seconds into it.
Always be mindful of your audience’s level of understanding and/or caring in regards to security issues, and adapt the way you explain things to suit them. It’s like the old basketbal idea, where the responsibility for the pass falls on the player who throws the ball, not on the one who fails to catch it.
Your listeners are where they are. It’s your responsibility to pass the information to them at a level they can receive it.
- Put things in relatable terms
Once you know who your audience is, try to translate security into relatable terms your audience is not only familiar caring about, but familiar paying for.
It’s not that it’s particularly difficult for decision-makers to understand ideas like security risk mitigation, it’s just that it’s a stretch for many of them to give it the budget it requires. But put it in relatable terms for them, and explain that a risk mitigation strategy is actually a potent insurance policy (with preventive and reactive benefits), and presto, every single person in the room, from accountants to HR managers can relate to it. Speaking of insurance, suggest to your budget conscious audience (I’ve yet to meet one that isn’t) that they can inform their insurance provider about their new security measures, and see if they can negotiate lower insurance premiums to cover the now lower risk profile – thereby actually saving them money.
Finally, on the slightly negative end of things (which means you should never start off with this angle), if your audience is reluctant to take action, try to explain that a lack of preventive and/or reactive security capabilities opens them up to certain legal liabilities. It’s not the most cheerful subject to raise, but one that might sway the legal department to take a second look at your suggestions.
- Return on investment (ROI)
You might be able to wow every decision-maker on the planet with your tactical skills and experience, but if they don’t see what’s in it for them, they’re not likely to invest any capital in it.
As you explain things, always keep your audience’s interests in mind – not where you think their interests ought to be, but where they actually are right now. The bottom line for almost any decision-maker is ‘How much will it cost me, and what’s in it for me?’ It’s in the second part of this question – the return on their investment – where you should really put some explanatory effort.
(for reference, check out this great example by AS Solution)
- Don’t be a shock jock
Though this can, on occasion, lead to a sale, shock tactics aren’t usually effective. It’s a classic mistake that many security professionals make – trying to scare decision-makers with horrific case studies, and doom-and-gloom prophecies of what might to happen to them if they don’t employ some immediate protective measure.
It’s not a question of describing what you think is objectively true, but choosing an effective way to communicate things in order for your listeners to take action. As strange as it may seem, most people are not likely to take action if you try to shock and scare them. Doom-and-gloom just doesn’t sell very well. You don’t have to mindlessly sugar-coat everything, just find a more effective way of getting your audience to want to take action.
- Manage expectations
A few years ago I was asked to speak to the staff of a wealthy San Francisco Bay Area foundation. Before I was contacted, the foundation (which had received a number of threats) had initially asked their local police department for some security guidance. Their local PD then sent an officer who promptly started teaching the office staff (mostly consisting of women) hostile defensive tactics such as turning your side to an armed attacker (in order to decrease the size of your silhouette), before employing some nifty handgun disarming techniques to neutralize the threat.
Needless to say, this did not go over too well, and the now terrified staff wanted to get a slightly more realistic second opinion.
I’m sure the officer had the best intentions, but he just didn’t set realistic expectations for his non-law enforcement, non-security audience. It’s not a question of objective tactical effectiveness, but of relatable and realistic ideas to suit your specific audience. To ignore this point will not only be a disservice to your audience, but might get you booed or laughed out of the room.
- “I don’t know”
Last but not least, if a question gets asked that you don’t feel qualified to answer, don’t be afraid to say “I don’t know”.
I know many security professionals who are afraid this will make them look weak or ignorant in front of clients or prospective clients (and I can admit I also had this issue till I got over it). The fact of the matter is, however, that no one knows everything, and it’s actually important to admit what you don’t know.
Philosophers and stoics since ancient Greek times have referred to Socratic Ignorance (the frank acknowledgement of what you don’t know) as a true sign of wisdom. Not only is there no shame in admitting you don’t know something, it can be a way to demonstrate integrity and intelligence.
Don’t make a big deal out of it, just admit you don’t know, and offer to get back to the person with an answer later on.
There are obviously more than just eight tips to be given on this topic, but any article has to end somewhere…
What are other tips you can think of? Please feel free to put them in the comment section below.