Channel Consultants Can Land Long-Term Customer Engagements by Catering to CISOs
Channel security consulting firms, like business consultants in general, want ongoing customer engagements that generate recurring revenue as opposed to one-time deals to fix peripheral issues.
The benefits are obvious: higher revenue per customer, lower new-business acquisition costs, increased cross-selling opportunities and guaranteed future income (to mention just a few).
So how can security consultants get better at landing this type of profitable project? Cater to customers’ Chief Information Security Officers (CISOs).
What Keeps CISOs Up at Night and How You Can Help Them Sleep Better
CISOs are struggling with various issues that consultants are well positioned to help them with, including:
— an infosec skills gap and talent shortage;
— intensifying expectations from boards and CEOs;
— ever more complex regulatory compliance;
— increasingly sophisticated and vicious cyber-attacks;
— the need for security program assessments for vulnerabilities and protection gaps;
— and pressure from business units to adopt new yet often unsafe technology.
By understanding CISOs’ concerns and challenges, security consultants can pitch higher-level, strategic solutions based on their specialized expertise that complement and augment the in-house infosec team’s resources and know-how.
For example, consultants may have deeper knowledge of particular technologies, or be especially familiar with organizations in specific vertical industries.
In all cases, thanks to their real-world experience dealing with a variety of clients and issues, consultants in the channel can become a trusted partner that offers fresh, unbiased insights and shines a light on areas that the CISO and other insiders may miss.
Because they target bigger, deeper and more important problems, these CISO-targeted consulting engagements are bound to be intertwined with and support core business processes, security needs and critical goals. And in this new channel ecosystem, being able to understand and help C-suites achieve their business outcomes is one of the best ways to develop the loyal customer base that’s so critical to monthly recurring revenue.
Here we outline several opportunities for security consultants to secure prolonged, multi-faceted engagements by helping CISOs directly.
- Revising and refining long-term infosec plans and strategy
CISOs and their teams often get swamped by day-to-day tasks, leaving them little time and energy for big picture planning.
When this happens, problems arise because infosec strategies need to be revised periodically to ensure they're relevant, effective, up-to-date and aligned with business goals and priorities.
By doing a comprehensive assessment of an organization’s compliance and security postures, security consultants can help CISOs shift from a reactive to a proactive position that takes into account people, processes and technology across the entire organization.
CISOs will see the value of having an updated and optimal security and compliance strategy in place that guides all the other downstream decisions in a logical way, such as product purchasing and staffing and recruitment.
Because infosec technology and cyber threats change so much, as do business goals and regulatory requirements, security consultants can enter into recurring engagements where they’re regularly assessing and advising CISOs on planning and strategy.
- Communicating effectively with business leaders
The spotlight is shining brightly on CISOs these days, as CEOs and boards fret about potential hacks and data breaches. This means that, unlike in the not-too-distant past, it’s critical for CISOs to understand and be understood by business leaders.
If that communication bridge is broken or, even worse, non-existent, CISOs won’t be able to convey satisfactorily to C-level peers and board members how the infosec team is strategically and tactically keeping the organization safe, creating an environment of distrust and concern.
CISOs will also have a hard time making a case for what they need in terms of, for example, staffing levels and technology investment.
A security consultant in the channel can help CISOs craft their messages by creating customized reports, presentations and dashboards in ways business leaders can clearly understand.
This often means showing how infosec plans, policies and requirements directly align with business goals, by providing relevant, illuminating, carefully chosen facts and illustrative metrics—an often difficult task for CISOs.
This knowledge comes not only from inside the organization, but also from outside, showing how certain infosec programs are working on a larger scale at other companies.
Armed with these facts and customized reports and dashboards, CISOs can speak with authority to business leaders, whether they’re trying to put them at ease about security or making a case for a large technology investment.
Since this type of conversation between CISOs and the business side is constant and critical, security consultants can make a case for recurring engagements that help with this complex and critical effort.
- Advising CISOs on security investment decisions, priorities and levels
CISOs are under pressure to secure IT environments that are increasingly heterogeneous, complex and exposed, due to trends such as cloud computing, mobility, virtualization, shadow IT, BYOD and IoT.
Properly securing these fast-changing IT environments requires, at a high level, two things: first, understanding the increasingly sophisticated and aggressive cyber-attacks; and second, having a solid grasp of which security technologies and products are the right ones for your company.
A security consultant can provide value in this area by helping CISOs understand new technologies and their use cases, as well as by offering advice about the latest hacker techniques. If a consultant can show how they can help an organization transform a reactive, piecemeal approach to buying products into a coherent and informed plan, CISOs will see the value of entering into a multi-step, highly customized engagement that includes:
— making an in-depth assessment of what the customer has;
— outlining a move to a more cohesive, flexible, agile and scalable model;
— making sure operating costs will be lower and IT management requirements simpler;
— making product recommendations;
— overseeing their deployment;
— and assisting with end-user training.
- Helping with internal governance and regulatory compliance
Another way in which security consultants can help CISOs is by providing advice for drafting or improving internal governance policies and processes, as well as for complying with government regulations.
This is an opportunity for consultants with expertise in internal best practices for software design and development, employee IT usage policies and vendor risk management, and for those specializing in compliance with government regulations, which are increasing in number and complexity all over the world.
Security consultants can not only advise CISOs using their current, real-world know-how, but can also help implement systems that automate internal and external compliance, security assessments, audits and polls.
Because these external regulations and internal policies, alongside security threats, change frequently, CISOs need help with this on an ongoing basis, making these engagements recurring ones for security consultants.
The Opportunities Are Endless
This list could be longer, and include opportunities like:
— Drafting breach incident response and remediation plans, including business process continuity and disaster recovery
— Establishing and strengthening a vulnerability management program
— Improving staff infosec training programs
With these examples, we hope to have shown how infosec consultants can secure recurring engagements by helping CISOs successfully address the many high-level, strategic challenges they face.