You may not know them as well as you think
The most successful companies in security – the ones that grow at double- and triple-digit rates with big margins, that hold huge parties for their employees at exotic locations because they crush their goals every year, that get acquired for huge premiums and make all of their employees rich – have one major characteristic in common.
If you provide security products and services to the commercial, enterprise, institutional or critical infrastructure sectors of the market, this is a very important concept. I have taught it to every single company that I have worked with and for, and it’s the one thing that has the biggest impact on their ability to win, grow and profit in the security industry.
Who is Your Customer?
Early in my career I moved from an independent services firm working directly with large, enterprise end users to a major manufacturer of security technology solutions. I had to learn a lot of new things, but there was one that surprised me the most: their definition of “customer”.
Most of that business targeted the residential market where, at that time, there was very little end user involvement in technology selection (that’s different now). Homeowners relied on their vendor to select the technology for them, hence they defined the reseller as their primary customer.
However, I worked in a business unit that targeted commercial, enterprise and critical infrastructure markets. In this case, the primary purchase decision was being made by the end user (or an independent representative, such as a consultant).
The issue was that we continued the behavior of defining the reseller as our customer. The reseller was still the main entity we transacted with and played in important role in our go-to-market activities, but they were not the one who ultimately consumed the value we created. As a result, our business lacked an explicit understanding of what really matters to our true customer: the Chief Security Officer.
This is a common problem (but not the Biggest Mistake) faced by many security companies. Most people who work in our industry – executives, sales, marketing, product managers, engineering, etc. – were not security professionals earlier in their career. That’s not a knock against them, it’s just a reality. They haven’t done their job, walked in their shoes, faced the pressures they face every day.
Because of that, they tend to develop solutions that they think are important to their customers. If I were to poll your employees on what value your offerings provide, I’ll likely get a recital of the most common security marketing catchphrases – some combination of features, buzzwords and altruisms.
Sexy words, some of them are even real benefits. But they aren’t value. “Value” is uniquely definable as a function of the economic benefits that your solution delivers and the price to deliver it, all relative to alternative ways of solving the same problem.
What Chief Security Officers Value
I have worked directly with thousands of people responsible for selecting, purchasing and using security products and services. There are different segments of buyers with different needs, but the most common in this space is the Chief Security Officer. CSOs go by different titles and report through different functions in every organization, but virtually all of them have similar characteristics:
- They are security practitioners – former government, military, law enforcement, etc.
- They hate being sold to
- They lament vendors masquerading as “security experts”
- They’re all trying to solve the same problem
- They struggle or are hesitant to articulate that problem, especially to vendors
What problem are they all trying to solve?
Specifically, the economic impact of risk.
Unfortunately, there are no certainties in security. You cannot be certain that something you do will prevent crime or make someone 100% safe. That doesn’t exist.
Instead, CSOs measure their actions and results by quantifying risk – financially.
There are many formal definitions of risk – look them up, you’ll find plenty. But in the context of security, it boils down simply to:
Risk is a function of the probability of something bad happening and the criticality (or impact) of that incident occurring.
The sole responsibility of Security for commercial and enterprise businesses is to manage risk. That means their job is to either 1) reduce the probability of something bad happening or 2) reduce the impact to their business should the bad thing occur.
Let’s use video surveillance as a simple example. Do cameras reduce the probability of a crime happening? Probably not (surprise! That’s a topic for a future discussion). They can, however, reduce the impact that incident has on the business through things like detection, response and recovery.
Those are benefits of video surveillance systems, but customer value is derived when your video surveillance system can help a business detect, respond and recover from an incident (reducing the impact) better than any other means of incident response – other surveillance systems, guards, locks, dogs, etc.
Risk can fall into a few different categories that concern businesses:
- Asset (physical or intellectual)
- Reputation / brand
The cold-hearted reality is that for businesses risk always ties back to money – even human risk. Because of that, risk is both economic and quantifiable, and therefore is an ideal mechanism for you to deliver customer value.
I have a close friend and colleague who is the Chief Security Officer of a major healthcare company. His department has dealt with over 2,600 cases of workplace violence over the past year (and those were just the ones that were documented). That’s a staggering figure, but truly shocking is the potential financial impact of each incident. I won’t repeat the number, but let’s just say you can buy a nice home in most parts of the country for the potential cost of just one of those incidents.
Is there an economic benefit of addressing the risk of workplace violence for this organization? Absolutely. Will a camera – or any security technology for that matter – reduce the likelihood of that incident occurring? Maybe, but probably not, and it is difficult to measure that. However, technology can absolutely play a role in mitigating the potential impact of that incident, hence reducing the financial risk exposure to the company in a measurable way.
The one characteristic that every successful security company has in common is that they understand their customers’ unique risks, they develop solutions that help those customers mitigate risk in ways that nothing else can, and they effectively communicate that value in language a CSO understands.
The next time you’re planning a new product, service, marketing campaign or just going into a sales call with a great new prospect, don’t get lost in the trap of cramming more features into your All-New Cloud AI IoT Platform or telling them how many megapixels your new camera generates.
They don’t care.
Focus on risk, and particularly how your platform helps them reduce and manage risk better than all the other Cloud AI IoT Platforms and 10K cameras out there. You will win more, avoid price battles and improve your business exponentially.