Forums: Discussions for entrepreneurs and small business.

One challenge I have found in my industry (information security) is that people and businesses tend to wait until an incident happens [insert long list of bad things that could happen] instead of proactively improving. The justification I have heard is that nobody can see their money doing anything. It is a cost for something that may or may not happen. Usually the individuals that I speak with that have this view point  are not educated and while they may feel they are security conscious and in the know, they are not. Ignorance is hard to overcome sometimes.

My idea in my community for helping out with this problem is to try and educate my audience through a monthly discussison group that meets for 1 hour to discuss relavent issues with security. The format will be as follows when it gets off the ground.

Open to the public, no cost (advertising in the paper is free and meeting facility is free)
* 30 minutes prepared presentation on some aspect of business security
* 10-15 minutes of recent events presentation / discussion
* 15-20 minutes of open discussion.

While I have yet to hold one of these discussion groups it is almost established for a kickoff. Does anybody have any other ideas or comments regarding this format? Would anybody bother to attend something like this?

There`s a fascinating concept in philosophy: You can`t prove a negative.

What`s interesting in your post, to me, as a philosopher, is that you`re faced with a problem that`s endemic to all of modern developed society. It`s not that people can`t see their money doing anything, or that they`re uninterested in preventing what "may or may not happen."

Instead, this is all about the concept of how well the human mind can analyze trends, run probability and risk assessments, and how much people nowadays "believe" in magic.

On top of that is the crisis-management mentality of so many companies, what with the competent people leaving in droves to start their own businesses. What`s left is a growing "Peter Principle," where corporations have nobody who can think.

Education isn`t the anwer, in my opinion. Plenty of people can read all about case studies of total catastrophes. But they`ll shrug and say, "Damn...that`s sad for them. Good thing it didn`t happen to me."

I think the key here is to build a value on what Is NOT happening. And that leads right back to the problem of arguing or proving a negative.

Ergo, you have to reverse the entire concept. When you have security in place, what IS happening? What can you point to directly as a benefit...a calculable benefit of tangible evidence?

Hi nGenuity,

Most business managers see anything to do with security, including IT security, as a non-revenue generating expense.  Money going down the drain if you will.  They also don’t understand security concepts. 

 

Therefore you need to avoid approaching them from a security standpoint and approach from a liability or revenue generating standpoint.  What liability issues would they face if their IT system were breached for example?  An example might be the liability some businesses are now facing because their IT system was breached and customer records were stolen.  There are also ways the IT security can reduce operating cost of a business.  These are the thing you want to present. 

 

 

-------------------------

The older we get, the more excuses we make for not chasing after our dreams. But truth is, goals are attainable at any age.

I think that Nevadascul made some excellent points. Many companies now have a legal obligation to keep their information secure whether they want to or not. Compliance with Sarbanes-Oxley, HIPAA, and a host of other regulations makes security mandatory, not optional.

Unfortunately, the companies that have the poorest security are often the most difficult ones to sell security consulting services to. You can make the greatest business case in the world, explain the great liability that the company faces, etc., but at the end of the day, most of these people won`t take action until after a crisis occurs.

I have been in physical security for 35 years (the last 22 years as a consultant) and have never found an easy solution to this problem. Selling security for the most part is a crisis driven business. I would say that about 80% of my clients come to me just after a major theft or compromise of information. There are a few super concientious people who consider security on a proactive basis, but you will probably starve if you depend on this type of client for business.

I hate to be negative about your "discussion group" idea, but I doubt if this will be effective from a business development standpoint. The people who would come to this event are not the people who would buy your services. I think you may attract a following of "techies", but doubt that a busy business owner or manager would attend this type of event.

I have sometimes said that selling security consulting services is like selling brain surgery services - if the client has a need, they will be eager to talk with you, but if they don`t have a need, no amount of selling in the world will get them to go under the knife.

So, the key to success is getting the client to be able to locate you when they have a need. I have found that the best way to do this is to develop a network with other trusted advisors who will refer the client to you just after an event has occurred. Examples of advisors that have referred work to me include attorneys, private investigators, insurance brokers, property managers, and other consultants. Just ask yourself, if a company has just had an information security breech, who are they likely to call first?

I have identified close to a hundred different individuals who fall into this category and I attempt to keep in relatively close contact with them. I try and take a least one person a week to lunch. The relationship works both ways; if someone I know has a need for their services, I pass along their name.  

Another thing that has been successful has been "lunch and learn" sessions. About four times a year, I do lunch time presentations at the offices of law firms, architectural firms, and property management companies. (your choice of groups will probably differ). I pay to have lunch catered in, and provide an educational lecture on a current security topic. I usually get at least one project as a direct result of each session, and many attendees call me months after the session with questions or referrals.

Good luck with you efforts. Feel free to contact me offline. I see that we are in the same state, so there may be some opportunities to work together.

-------------------------

Michael A. Silva
Silva Consultants

www.silvaconsultants.com