Selling Cyber

Photo by Artem Beliaikin on


Businesses that are not cyber vendors have an opportunity to sell cyber as part of their offering, taking advantage of money and effort already spent, and an opportunity to show greater understanding of their clients’ businesses in the digital space.


The picture above is a bit misleading, as cyber security – whilst being special – is only a limited-time offer, but if and only if we are collectively effective in doing it. How I would love to be out of a job in this case! A bit into 2022 and already it’s time to start talking about what needs to be put in place for 2023. In this case it’s selling cyber security for those not in the business of cyber security.

Everyone may not have products, everyone needs to sell perception. Why would we put cyber on the map if we aren’t a vendor dealing in such? The simplest answer – Trust. We are working on ways ZeroTrust’s guidelines can be followed by organisations internally; we also need to find ways to keep up engagement within the supply chain – both current and future, cyber and business. Part of how we do that is establishing our organisations as being trustworthy from a cyber perspective.

Stories are lost, disasters are tidal. And profits made by others are another matter entirely. How does one build the perception of trust in cyber? From a cyber security perspective, we don’t. Not our place to go tell things from mountaintops. Generally speaking, we’re rather busy making certain those pebbles stay in place. In many cases, the disasters CISO organisations are confronted with are significantly mitigated and the user experience diluted. A good result of a great deal of work, but it also means the story is lost – less appreciable to those not in the trenches. Log4j is a perfect example, with few people outside the incident responders and associated parties having a holiday interruption around Christmas 2021. As stated previously, crises are tidal in these spaces, and BAU.

Who sells to whom? So if the cyber security practitioners (or leadership) aren’t who tells the story, who does? The business, once they have a different relationship to cyber security. It was once relayed to me that the business (and product development) was like a Ferrari with monster truck tires – they rolled over every impediment with great speed. Cyber security as a cost centre or overhead function is considered an impediment – until it’s not. By changing business’s interpretation of cyber, perhaps we can realign how the two function together. Perhaps interpreting cyber in a continuity of business/resilience sense, we create a gyro in the vehicle to keep it upright as it rolls over other impediments. Better yet, if we make it an additive to the speed or power, then the business not only tolerates cyber security, but starts counting on it.

Making cyber a part of the offering can be challenging. For those who are not cyber vendors:

  • Large organisations already have lots of money wrapped up in cyber security. Whilst there are contracts and NDAs with vendors, in many cases there are still conversations with near-peer sector stakeholders. Trouble is, near-peer or highest tier clients have little use for the findings of a large organisation’s cyber teams, as they are spending a great deal of money towards their own cyber defences. Rather the supply chain – upstream and downstream – would be a better fit. Share findings with clients to improve their cyber ecosystems, as, for example, those IoCs belong to the criminals who use them with no contracts in play.
  • Smaller organisations often lack the resources for robust cyber security divisions, as a result feeling they have little to offer. So very not true. There are two vital offerings smaller organisations can contribute, making them more valuable to all those in contact. First is observation, as in many cases they are closer to bad actors with less attack surface to watch. Easier to see where the actors come from when you’ve only a few potential avenues. The second is greater transparency in building trust. If you are clear and timely in communicating service interruptions or observed nefarious activities to those in your supply chain, it creates a rapport with your supply chain who may well help keep you secure in reciprocation.

The idea that business should sell cyber as part of their normal offering is a hard sell. Don’t think for a moment we as a global culture accept that idea. If it were so easy to get the business buy-in, I would not be writing this post. Demand signals are insufficient for the business to realise there is potential gain in cyber security. So, we incite the hunger required for the business to want cyber as part of their offerings. Need, after all, is a state of deprivation. This requires organisations to ask more of others in the supply chain: be it attestations, business continuity, or inputs to sector/regional exercises or initiatives. The question then becomes ‘what is your organisation offering?’

Tied to existing branding, marketing efforts for cyber can get creative. What the organisation offers is an extension of the brand and its values cultivated through countless hours and loads of money. Something the organisation believes in, resonating within the fibres of your hierarchy, products, and services. How do your cyber efforts tie into what you tell others about your offerings? If they don’t, why not?

Creating cyber security as part and parcel of your traditional offerings and story-telling takes advantage of money and effort already spent, raising the discussion to help us retake the digital pitch. More to come.

