Everything is a negotiation, according to negotiations consultant Christopher Voss. While that might be overselling the case, it certainly is true for new cybersecurity initiatives. Even when the case for a new initiative is clear, getting the green light is not.
That’s where good negotiation comes into play. To get funding, security professionals must take off their technology hat and wear a sales cap instead. Selling cybersecurity investment to the executive suite is key, and knowing how to overcome initial objections is a big part of that.
Let’s look at the process for overcoming cybersecurity investment concerns, then six of the most common objections you will need to overcome.
How to Overcome Objections: A Framework
Because overcoming objections is a foundational skill that applies in all areas of life, there are numerous frameworks for doing it successfully. One of the most widely used is the LAER Method, which goes by many names but basically revolves around five time-tested steps for getting to yes. Security professionals selling additional cybersecurity investments should internalize these steps before walking into a proposal meeting.
Executives will have initial questions and concerns after hearing your security proposal. Use active listening skills to pay close attention to what these executives say, because their comments and concerns provide the basis for overcoming the objections that lead to the sale. Specifically, make sure you truly understand what is said, and don’t interrupt or try to answer the concerns until they have been fully voiced.
After an executive has voiced concerns and objections, verbally summarize what they just said so you get confirmation that you understand it correctly. This is a communications checksum, basically, and it makes your audience feel heard and understood. That’s important for trust, which improves your chance of overcoming the objections. It also helps ensure you understand what objections must be overcome.
Show executives that you not only understand the concern, but that their perspective is legitimate. Validating an objection does not reinforce its conclusions; it simply acknowledges the problem and further helps your audience trust that you’re on the same team regarding the problem.
Once you acknowledge the concern, you then connect the dots between the problem and your solution. If you’re proposing automated data discovery technology, for instance, you might say something like, “I understand that implementing comprehensive data automation sounds complex and costly, but there actually are affordable turnkey vendor solutions for this task. So this isn’t nearly as big or expensive as you would think.”
It is important to make the process a dialogue and not about divergent sides talking over each other. So keep the conversation interactive after validation by asking open-ended follow-up questions that lead the executive toward your solution. This creates the space for uncovering micro-objections to your solution and slowly working toward “yes” together.
Depending on the objection and your level of preparation, a final step in the process is highlighting the validity of your answers by marshalling data or examples that show that the objection can in fact be overcome. This could be a case study from another organization that had the same challenge, or statistics that prove your point. Social proof in conjunction with an actual solution that overcomes the objections almost always seals a deal.
While the above framework can see you through virtually any objection you might encounter during your cybersecurity investment proposal, it helps to also come in prepared for some of the most common objections. By preparing for common objections, you can better formulate responses and gather the data needed for social proof.
Here are six of the most common objections you might encounter, and suggestions for how to overcome them.
How to respond:
> I understand that there are competing priorities for resources within the company. This should be at the top of the list, however, because…
> This proposal addresses key data compliance challenges that ultimately will save the company far more than the cost of investment. Here’s the risk probability and how this solution will significantly reduce that risk…
> Let’s do a thought experiment and budget for the cost of the likely cybersecurity breach that will occur if we do not find the budget for this initiative. This isn’t eating budget, it is saving budget.
How to respond:
> We did increase the cybersecurity budget last year, and let me show you how it benefited us. That said, cybersecurity is an ongoing expense, which is why I’m coming to you now with this proposal.
> Our organization took big steps last year toward cybersecurity preparedness, but it actually has been four years since we made a comprehensive investment. This proposal is part of the ongoing upgrade of our security position.
> Cybersecurity threats are constantly evolving, and our response must evolve with them. This is part of that needed evolution.
How to respond:
> We don’t actually know if we’re secure right now, so it might be more pressing than you realize. This proposal helps us uncover risk and deal with it.
> Just because we have been lucky in avoiding a data breach, that doesn’t mean it isn’t going to happen. Statistically, we’re actually more likely to encounter a breach now because we’ve been lucky thus far.
> The cost of responding to a cybersecurity breach far outweighs the resources we will invest now. This small use of resources prevents a much larger use of resources after a breach.
How to respond:
> The business disruption from a successful cyberattack will significantly harm the organization’s growth plans. This is not an ancillary project, it is a component of our growth plans.
> This proposal significantly reduces cybersecurity and compliance risk, so it is fuzzy but with clear ROI. If we look at the cost of failure, the ROI from this initiative is massive.
> We can get a clear picture of ROI by conducting a wargame to test our current state of cybersecurity preparedness and the cost of not implementing this proposal.
How to respond:
> We’ve already applied this methodology and ruled out more expensive solutions. This is the “good enough” solution; here are the other options we ruled out and why.
> I hear you. Let’s start with the objectives that must be achieved, and work backwards to see if there are less expensive options that still make sense.
> We cannot go with a lesser solution and still meet the needs, but we could implement it in bite-sized phases to spread out costs over time.
How to respond:
> This can be a technical topic, although the need is real. Let me try and explain this in a different way.
> Perhaps we need a special meeting so I can explain the need and the solution in more detail. When would be a good time for us to meet so I can show you why this is a pressing concern?
> Because there’s a clear need, can you help me understand why you feel this is an unnecessary project?
The good news is that cybersecurity is a pressing concern for most businesses today; roughly 91 percent of organizations plan to increase their cybersecurity budget in 2021, according to IDG research. The bad news is that gaining the necessary corporate resources is not a given, and to get there you will have to swap your technical chops for sales savvy. Just as you learn new technologies on an ongoing basis as part of your job, though, you also can learn how to sell your next cybersecurity proposal. It just takes a little time and study.