If you work for a company that sells cybersecurity products or if you work in cybersecurity and need to pitch for the acquisition of a cybersecurity solution it's important to understand how to sell the value of cybersecurity products to a stakeholder. Unlike profit centers like a sales or marketing team, cybersecurity teams are seen as cost centers and cybersecurity technologies do do not make it easy for you to calculate a clear ROI which makes it difficult to prove the financial benefit of paying for a new cybersecurity solution.
Being unable to convince clients or upper management of the benefits can be very frustrating for Cybersecurity professionals. This articles highlights how you can sell stakeholders on the value of investing in a Cybersecurity products:
Highlight Pain Points
Whenever you're trying to sell something, you either trying to sell someone on a pleasure (entertainment) or you're trying to reduce one of their pain points. Cybersecurity is the latter, a security solution is all about protecting a company against a bad situation. So if you're going to sell someone on a Cybersecurity solution you should focus on explain how bad the potential situation would be for the company and how this solution prevents this issue but than the other solutions you currently have or are considering.
For example, if you're trying to pitch to someone the importance of getting DDOS protection. It would strengthen your case if you could highlight how much money the company would lose if you were down for 1 minute, 1 hour, 1 day or 1 week. It would also be a good idea to give examples of how other similar companies have suffered from DDOS attacks and the negative effect it has had on them. The idea here is to stress the pain point that the company is at risk of and how this solution would protect them from going through the negative situation.
Calculate Return on Investment
Just because Cybersecurity doesn't generate revenue doesn't mean that you can't calculate it's ROI. There's a formula that you can use that takes into account the the reduction of risk for the business and the cost of the control to produce a quantified ROI that you can use to make a good business case for investing in a Cybersecurity solution. Your answer doesn't need to be 100% accurate but you need to able to quantify your reasonsing. If you're asking someone to make a financial investment (which will be a set amount of money), then you need to be able to show them how that amount of money they are investment will save them from paying an even greater amount of money in the long run.
Overlap Security with Compliance and Privacy Regulations
Whenever you're trying to sell a cybersecurity solution, you can show additional value by highlighting how this solution will add value to other areas that are adjacent to security, such as Compliance and Privacy. For example some SIEMs stress the fact that they can assist companies in being compliance to popular regulations such as GDPR or HIPAA.
Within a big company if you can get two different departments with two individual budgets interested in the same product you are much more likely to get a favorable response than if you simply target the security team. So I would suggest trying to find as many common benefits across multiple areas as you possibly can so that you can the price will be less of a deterrent. It's much easier to pay for something with two budgets than it is with just one.
It's important to understand how to demonstrate the value of cybersecurity initiatives, especially as you progress in your career. When you become a team lead or manager an important part of your job will be negotiating budgets and advocating for the acquisition of tools that you will need for your team to do their job effectively. Even on a lower level, if your an analyst you may still want to pitch for getting certain types of training to do your job more effectively. Learning how to pitch the importance of investing in Cybersecurity is a very valuable skill.