May 08, 2013

How to Pitch Security Solutions to Your CIO

In today's Whiteboard Wednesday, Jay Leader, Rapid7's VP of IT and CIO, will talk about the five questions you need to know the answers to before pitching security solutions to CIOs. If you struggle with finding the best way to communicate with your CIO/CISO about why a security solution is worth the money and implementation effort, this video is for you!

You will hear, directly from Rapid7's CIO, the answers you need to explain your security solution recommendation effectively.

Video Transcript

Hi, everybody. My name is Jay Leader; I'm the Vice President of Information Technology and the Chief Information Officer at Rapid7. Today, I'd like to help see if I can answer a question that's commonly asked among IT and security professionals, which is: How do I get my proposals sold through my own CIO?

It's an interesting topic. A lot of times we focus on the fight for 'which product should I buy, and how do I make that selection?' only to be disappointed at the end when we find that it's almost harder to sell it to my management than it is to sell it to my partners. I'd like to share with you, from a CIO's perspective, some of the things that I look for in proposals. Hopefully, this will be helpful to you as you bring your ideas forward.

One of the things that I always think about is, when you're bringing me this proposal, what problem are you trying to solve, and why is it important? In IT, there are lots of problems every day, and in security, there are a lot of problems. There's lots of ways that we can solve them and a lot of things that we can work on, but with our limited resources, be they people or money, why is this the one that I want to work on now? I always want to hear that story almost as a first step, because if we can't answer that question, then the rest of it really doesn't matter. Be prepared to tell me why, of all the sea of problems that we could be solving, why is this one, one that we want to take on? I think that's really important.

Then tell me how your process was, in terms of what you thought about, in terms of the solutions; things that you were looking for and the factors that you considered when you arrived at the conclusion that this particular proposal was the one. Part of what I always like to understand is what else did you look at, and why did you look at them? Then what were the factors that you used to rule out the things that you chose not to select, and therefore led you to select this.

The reason that I want to know that is because I want to make sure we're in alignment, in terms of what we think is important and what we think we're trying to achieve. If we center around the problem, that's good; we agree that it's a problem and it's an important one. Then the next thing I want to make sure that we're in alignment on is are you thinking about solving that problem the same way that I am; and more importantly, the same way that the business is?

Once we have that alignment, then I want to understand 'what's the complexity and cost to actually implementing this?' Especially in IT products, lots of times it fails at this juncture. It is solving a real problem that I think is important, and it's a solution that will actually solve the problem, but when we get into the softer details, in terms of how many people do I need to be able to do this? How much time? How much cooperation do I need, and input and support do I need from people outside the organization, because that's often where the projects fail? The IT resources are aligned and teed up to work on it, but the business resources aren't. They either don't understand their responsibility, they don't have the time, or they don't put the seriousness into it. I want to understand if I've bought software that never gets implemented, then that's going to be a problem. I want to understand how we're thinking about implementation and what we think the challenges are.

Then the last thing that I think about is what are the risks? Because every technology project involves some level of risk. What are those risks in this particular case, be it in our company and/or this particular tool? Then what are you going to do to mitigate them? Do you have a plan, and have you thought through who you need and the things that could derail us? All of this leading up to, do I have the confidence that we could execute this plan with this tool to solve this problem at this time?

Then at the end, the uber question that I'm always concerned about is, how am I going to know that we got what we wanted? What's the measurable outcome? How do I know that it was a real problem, it was a good tool, we implemented it well; how do I know that at the end? At the end of the day, this is the ultimate return on investment question that I'll be asked by my management, and that the business will want to know, which is, "I gave you this much money to solve this problem. Did it work, and should I feel good about that?"

I think these are the things that most CIOs will be interested in understanding. I think if you can think through these things and bring me a case and a story that addresses these components to my satisfaction, then I think you up your chances of getting approval for your proposal. I think you'll find that in most of your environments, because most CIOs are thinking about these same things.

I hope this has been helpful for all of you. Thank you for your time. We look forward to speaking with you again.
