Application security

Security gives your company a competitive advantage

March 16, 2022 by Ted Harrington

In rowing, when your team is in sync, the boat is flying on the top of the water, and you’re winning — it’s pretty magical. But sometimes, you “catch a crab.” 

A stroke lands at a bad angle, causing the water to rip the oar out of your hands. The oar rams you in the chest, knocking you into teammates. No longer rowing, the oars become brakes. The boat screeches to a halt, and you lose the race every time. 

That’s how most software companies experience the dreaded part of the sales process: when your customer wants to talk about security. Everyone falls out of sync and stops moving forward. Competitors beat you to the finish. The team is totally demoralized.

But it doesn’t have to be that way.

Download Ted’s free ebook, “How to secure your software faster and better.”

Get Your Copy

What if instead, security was something that helped the sales process rather than hindered it?

That’s exactly how progressive tech companies approach it, and it’s how you should too. When you properly secure your software system and then can prove it, you obtain a competitive advantage that helps you earn trust and win sales.

Security is a differentiator 

Every bit of security adds value to your customers. Some security can be considered “table stakes”: the basics that everyone must do. Everything else — the things that separate those who do security right from those who don’t — are differentiators. 

As one chief technology officer put it, “Being clear about our security strategy helps the buying conversations with our customers. They see it as a differentiator.”

As someone working deep in the trenches of security, I agree with him. Here’s why: 

  • Most companies don’t understand security, let alone how to do it right. 
  • Most companies don’t understand their attackers and don’t have a threat model. 
  • Most companies invest in security too little, too infrequently, with too little collaboration, using the wrong methods focused only on the issues of too little significance. 
  • Most companies are not secure.

By contrast, companies who are thorough in their security process stand out. When you have a rigorous security assessment process, done at the right cadence and appropriate depth using the right methodology, you’re able to secure your application in ways that everyone else simply can’t.

Then, you can prove it, which is yet another thing everyone else can’t do — because if it wasn’t properly secured in the first place, attempts to prove it’s secure will fall flat.

Therein lies the magic of security done right: your customers want to use software that is secure, and when you can prove that yours is but others can’t, you’ll win.

Security earns your customers’ trust

To use security to drive sales, you need to get your customer to trust you first. If they do, they buy faster. If they don’t, they hit the brakes and proceed with caution. 

The opposite of trust is fear. You introduce fear when you make hollow promises, misleading claims and fail to back claims up. For example, every breach notification letter always seems to include the phrase “We take your security seriously.” But do they? After all, they were compromised. Is that because they cut corners and didn’t invest enough in security? Other nonsensical claims are when people state their system to be “highly secure” but don’t explain what that means. Or the granddaddy of hilarity: “bank-level security” and “military-grade encryption” try to imply this system is as strong as a bank or good enough for the military, but really it just refers to a specific detail (the encryption algorithm).

If you make claims like these, you lump yourself in with all of the other people who don’t know how to do security right. 

Instead, you want to build trust. That’s pretty straightforward so let’s not overcomplicate it:

  • Tell ‘em your security philosophy. What’s your approach to security and why do you believe in it?
  • Tell ‘em what you did, what you found, and how you’ll fix it. What kind of testing are you doing, how often, and what’s on the remediation roadmap?
  • Tell ‘em how to verify what you’re saying. Where can they read your security assessment report?

Implement these across your sales process and on your marketing website. Use your security assessment report and leverage your security consultant, too. These things help your customers know that security is a priority for you. They’ll like that. 

Customers want to buy from companies that get security right — all you need to do is show them that’s you. 

Be honest and open about your security

Serious note of caution, though: none of this works if you don’t actually go deep enough to secure your solution. That is a very important detail, given that many companies don’t go deep enough (and most of them actually don’t realize it). You simply can’t prove you’re secure if you’re not actually secure in the first place.

However, if you are going deep enough and you are secure, you gain a competitive advantage. To earn your customers’ trust, just be honest about your security efforts. 

Security is not a trick. There’s no need to mislead or make unsupported claims. Just be frank. Be straightforward about what testing you’re doing and why. When you ask questions of other people, you want them to give you the straight truth. That’s exactly what your customers want from you, too. 

Remember, many of your competitors likely fail to address security properly, so differentiate yourself. Seize the competitive advantage available to you. Start by properly securing your system, and then prove it. These things will put you on the fast track to earning trust — and trust leads to sales.

Posted: March 16, 2022
Author
Ted Harrington
View Profile

Ted Harrington is the #1 best-selling author of "HACKABLE: How to Do Application Security Right," and the Executive Partner at Independent Security Evaluators (ISE), the company of ethical hackers famous for hacking cars, medical devices, web applications, and password managers. He’s helped hundreds of companies fix tens of thousands of security vulnerabilities, including Google, Amazon, and Netflix. Ted has been featured in more than 100 media outlets, including The Wall Street Journal, Financial Times, and Forbes. His team founded and organizes IoT Village, an event whose hacking contest is a three-time DEF CON Black Badge winner. He hosts the Tech Done Different podcast. To get help with security consulting and security assessments, or to book Ted to keynote your next event, visit https://www.tedharrington.com.

Leave a Reply

Your email address will not be published.