It was a typical Tuesday morning many years ago. I’d arrived at the office shortly after the person who’d turned on the lights on our floor, I turned them back off again so as my eyes need not adjust so much, but was promptly overruled by the next person in.
As I sipped on my tea and flicked through a summary of all the various events and alerts that had been caught by our network monitoring tools that night, my morning routine was disturbed by a Microsoft Lync (kids, ask your parents) message, from a more senior member of our security team.
“Can you come to <insert whatever unoriginal thing the conference room was named after> please?”
Since I was young, naive, and far too trusting at the time, I duly headed over to the conference room, expecting to find other folks on my team discussing an issue that needed my input. Although I was the youngest member of the security team in question, I was considered the most ‘technical’, so it wasn’t unusual to be asked for an opinion. Instead, I walked into what I’d shortly discover was a sales meeting. Not just any sales meeting, a sales meeting with a ginormous prospect. Our fanciest salespeople were there, and the prospect had brought an army of security and other people of their own to give us a good going over before signing any sort of contract. I’d just become customer-facing. On a Tuesday morning.
The reason I’d been brought into that conference room, it turned out, was to bail out said senior security person who was unable to answer a couple of more in-depth questions on some of our technical security controls. Totally fine, no one knows everything. What wasn’t fine, was the manner in which it came about. I would’ve really liked some time to prepare. As it happened, the first time I was finding out about the meeting was just as I became a part of it. I was not happy, but I had to think on my feet and not let emotions get the better of me.
30 agonizing minutes of in-depth questioning followed. I felt like I was being deposed about topics such as NAT, logging, firewalls, load balancers, and the type of fencing we used at our data center. I was eventually thanked and released, back to my desk, where I could finally take a breather. Everything worked out, but I distinctly remember thinking, “no one ever taught me how to deal with that situation”.
So, this guide is the guide I wished I’d had back then. Here are my tried and true techniques for handling the customer-facing aspects of information security. Because let’s face it, anyone who works in this field could become customer-facing at any time. Security is a big deal both pre and post-sale, and any of us can get called upon to answer questions and put prospective customers at ease.
1 — Do your research
Although I did not get the opportunity to research the prospect in the opening story, in many subsequent customer meetings, I’ve been able to do just that. By “research”, I don’t mean writing a 100 page paper about the company. Just take 10 minutes to learn about who will be in the meeting, what they do, and what they’ll be looking to get out of the discussion.
If the folks are technically minded folks, they’ll probably want a technically minded overview and ask technically minded questions. If they are more on the business or financial side, they might just want a higher-level overview of risks and mitigations.
Learn about the customer, what they are up to, and how they’ll use your product, and frame your answers with that in mind. It’ll make you seem like you have taken the time to consider them as an organization because you will have done just that.
2 — Flip it and reverse it
If there are going to be security folk in the room, think about what you’d be worried about if you were them. What questions would you want to ask you and your company? What risks would you be most worried about? This role play is a great way to anticipate any potential questions that might come from the other side.
One thing I do if I feel the other security team struggling with what to ask in a meeting is actually take on their role for them, I’ve said previously, “if I were you, I’d be worried about X, and that’s why we do Y.” It typically goes down well.
3 — Stick to the facts
In my early customer meetings, I leaned on my experience writing digital forensics and pen test reports, which have to be highly scientific documents that provide facts based on evidence collected during the investigation or test.
You should never feel pressured to make things up about your security program, because if you do, it will always bite you later. Answer questions truthfully. If you get asked about things you do really well, then great, talk about those things. If you get asked about things where you know you have gaps, talk about how you want to fill those gaps. Every organization and security program has areas they want to improve (even if they don’t say so). Acknowledging that is better in the long run than pretending everything is awesome and you have zero issues.
4 — If you don’t know, you don’t know
You really don’t have to know everything about a product, or control, or the organization. It’s totally fine if you don’t. If you can’t answer a question accurately, say so. This is a far better option than simply making something up on the fly. Make a note of the question and offer to follow up personally. There are always plenty of follow-ups at the end of every meeting, one more won’t make a difference.
I believe the people like to say, ‘let me circle back on that’.
5 — Use examples, but never mention other customers by name
If you can answer a question with an actual story that perfectly encapsulates what you are trying to convey, this can be a very powerful thing to use. Examples are great ways to explain a variety of topics to both technical and less technical audiences. However, the golden rule is never to mention names, because you have a duty to protect the interests of your other customers.
If you name drop about how you spotted an account take over impacting ‘Blah LLC’ on your platform, your prospect isn’t going to have much confidence you’ll keep their dirty laundry out of meetings with future prospects.
6 — Don’t joke about other peoples breaches
You should never do this anyway, because karma. But importantly, you don’t know about the business relationships and knock-on impacts between the breach your joking about and the prospect sat in the room. What if the people in the room had to spend weeks responding to contain the fallout from the breach you just joked about? Chances are they won’t find it funny.
7 — Work with, not against, the other security team
In the world of information security, there is this very real, and very frustrating game of ‘oneupmanship’ that occurs on an alarmingly regular basis. If the prospect’s security team is present in the meeting, and asking questions, is possible that this situation could occur.
It’s annoying because ultimately, we’re all working towards the same goal, and we should be working together, but there you go.
If you sense this situation developing, do not engage. Do not attempt to outsmart or outmaneuver the questions, because ultimately, no one will win. Disengage, offer to work with the team on any issues or questions they may have, but do not get into a war of words. Not worth it.
If a line of questioning seems to be an attempt to throw you off, ask about the specific risk or threat the prospect is worried about that is leading them down that path. Oftentimes there won’t be one, it’s just a power trip, and asking this question will cause them to back down.
Take this mindset into your own meetings as a prospect, and hopefully, we can erase this dumbness from proceedings forever.
8 — Show, if it helps you explain
Talking is great, but if you can show how you do things, and can do so in a way that doesn’t expose your own company, or your other customers, do it. Show off your tooling if it helps you explain how you choose which events and incidents to investigate. If you have a demo-tenant of your product, and you know it well, use it. If a picture paints a thousand words, a tools demo is like an 8k IMAX presentation.
9 — Not everything has to be in the pipeline
Frequently, if you don’t offer a thing the customer wants, the standard answer is that the particular feature or control ‘is in the pipeline’. Pipelines tend to grow extremely long during these meetings. If there really is no plan to do a thing, do not commit it to this imaginary international, trans-oceanic pipeline. Instead, politely suggest that the prospect submit a feature request after they become a customer.
10 — Enjoy it
The fact that you, as a technical security person at your organization, have been asked to emerge from behind the keyboard and meet the people that ultimately choose to use your product, is an amazing compliment. It just goes to show that the people around you have faith in your abilities to not only do your job but talk about it as well. And that’s pretty cool. Take that, imposter syndrome!
You should relax and enjoy the conversation. Make notes too. These meetings can be a good way to think of risks that customers are worried about that you might not have considered before. Thank them for raising things, and also, thank them for taking security seriously enough that they took the time to talk to you before signing up.