At InformationWeek, we often write about the challenges faced by CIOs, IT Directors, and CTOs when attempting to get buy-in on a new technology initiative from their C-suite. We often advise CIOs to arm themselves with case studies and recent news articles to help them explain, in business terms, why investing in any given security technology is worthwhile.
For many years, information security was one of those areas in which IT was particularly challenged. Think about it this way: What if your job was to sell costly whole-house alarm systems to people living in an area in which none of their neighbors had ever been burglarized? It's a tough case to make when the perception of safety exists.
So too, for many years, IT professionals were challenged to convince their C-suite to invest in tightening their security. But then the big-name breaches started. Target. Heartland. The U.S. Office of Personnel Management. The Internal Revenue Service.
Suddenly, the C-suite started to take notice, sit up a little straighter, and lean in a little closer when the tech folks started talking about security. At the same time, a major shift in technology was underway in the enterprise, driven by advances in cloud computing, virtualization, Software-as-a-Service, software-defined networking, wireless networks, big data, mobile, and the Internet of Things.
Let's talk about two consequences of these technology changes. The first is that the explosion of devices in use in the enterprise created a vast number of endpoints for the bad guys to pursue. The second is that the very technologies that were making things difficult for IT were also enabling security vendors to improve upon the products and services they could offer, giving rise to an entire ecosystem of startups offering everything from point-specific applications to enterprise-wide deployments.
The question for IT then becomes: How much does the C-suite need to know about security technology?
While the folks in IT and those working with the Chief Security Officer of the organization would be interested in every new product coming onto the market, with detailed specifications and competitive analysis, most folks in the C-suite would likely lapse into a coma if offered such a level of technical detail. What the CIO needs to present to the C-suite is a security strategy, with concise explanations that include ROI about how this strategy will protect the company and its data, protect customers, and adhere to industry governance and compliance standards.
That's where vendors can play a part: by helping the CIO develop the answers to the above C-suite questions. While it's essential, of course, for a vendor to discuss the deep technical details of its products, what the CIO and other IT leaders need from vendors is completely different from what the frontline security and IT professionals need.
CIOs need a vendor that can act as a partner in developing a security strategy and educating users. Not every product sold by every security company is a candidate for this approach. Understanding the product and its use case is essential in determining which audience a vendor should be approaching. If the product is a point solution buried deep in the stack, it might not be something that's fit for a CIO. Alternatively, if a vendor is selling a product or service that serves a wide range of security needs and involves connecting multiple parts of the organization's infrastructure, that will get the CIO's attention. Explaining how such a system can answer all those business questions that the pesky C-suite will ask of the CIO could do more than get the CIO's attention; it could win the vendor a sale.