EP 56: How to quickly and profitably close deals with your cybersecurity intensive customers
About this episode
June 23, 2020
Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Focal Law Group, discuss the three steps business leaders should follow to overcome pre-sales cybersecurity due diligence sales hurdles with prospective customers.
Speaker 1: Welcome to the Cyber Risk Management podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle, and your virtual cybersecurity counsel is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.
Jake Bernstein: So Kip, what are we going to talk about today?
Kip Boyle: Hey, Jake. We're going to talk about how business leaders can quickly and profitably close deals with their cyber security intensive customers.
Jake Bernstein: So I guess the first question is what does that mean? What's an example of this?
Kip Boyle: We see this all the time. So this comes up when a lightly regulated firm is trying to sell to a heavily regulated firm, and the heavily regulated firm is big and has a formal third party cyber risk management program and they are scrutinizing the heck out of all of these vendors that are taking possession of sensitive information or have access to sensitive information.
Jake Bernstein: So obviously we see this quite a bit in our work, but what is it like to kind of shift mindset from you and I are risk managers to that of our customers when we are talking about this?
Kip Boyle: It is really freaking hard. I mean, it is really, really hard. I got to say in my own professional journey five years ago, when I became an entrepreneur, when I launched Cyber Risk Opportunities, that was the first time that I was ever truly responsible for a profit and loss operation, where I really had to look and scrutinize what money was coming in, what money was going out, what things did I have to spend money on, what things could I spend money on and all that stuff.
So that was the first time that I really was immersed in a business responsibility like that. I had interacted with lines of business leaders in the past and I'd heard them talk about their struggles and seeing the financial reports and everything, but now I'm living it. But even that really wasn't enough. I have had to really stretch myself even more because when I'm sitting down with a customer, I put my CSO hat on. Right?
Jake Bernstein: Well, that's what they pay you for.
Kip Boyle: Yes, and so I go right back to being a professional paranoid, and I try to manage their cyber risk. I don't always have their perspective front of mind. It's a real challenge. What about for you?
Jake Bernstein: This is, in a word, the challenge that I think lawyers face on a constant basis with clients is that we are trying to advise them on the legal issues and you have to always balance that with the business issues. What this is is the same idea from a cybersecurity focus, and it is just as true in my area as it is as a CSO. Whether you're a cybersecurity lawyer or any kind of business advice lawyer, this is a major issue.
Kip Boyle: Yeah, and I find myself more and more and more trying to put on the thinking cap of my customers, because when they say to me, "What should we do about XYZ?" Well, I immediately want to put in the most beautiful solution available to help them. The big thing they're thinking about is, "Ye gods, can I afford that?" Because they're thinking about their margin, right? They're thinking about gross margins, they're thinking about profitability. They're thinking about all the promises they made to their investors and stakeholders and the people they borrowed money from. So their perspective is so broad and so wide, we're just talking about one little sliver of their risk.
Jake Bernstein: This is one of those things where we, as risk professionals, have to remember that the business of our clients isn't being the most secure company possible. It isn't getting every legal question 100% right. By the way, this applies to everybody listening because most of our audience is in cybersecurity and they're working for someone who has the same issue. So this is the classic kind of business empathy, and being able to put yourself in someone else's shoes. So there is one type of customer, I think, that struggles with this the most. I think we would put it a couple of different ways. One, you can just say, "We have a small client who is trying to do business with a big customer." There's always issues there, but there's also not necessarily a lot of choice. So I think a really interesting example, though, is when you have a smaller, lightly regulated firm selling to a heavily regulated one. So do you have a good example of that, Kip?
Kip Boyle: So, several in fact. When I look at my book of business, I see this a lot, whether it's a software as a service provider or somebody who's doing other types of systems management work for a very, very large company, but for the purposes of this episode, let's think about a SaaS provider, right? So you've got a technology company that is being led by somebody who's probably expert at the technology and questions. So maybe it's a machine learning, maybe it's a SaaS with a machine learning engine behind it. So they're trying to say to a bank or an insurance company, "Hey, we can greatly improve your efficiency at ..." If you're insurance, it might be processing claims or for banks, it might be collecting bad debt or something like that. So this technology company is saying, "We can make you way, way, way more efficient. You just have to use our little tech engine thingy that we built over here. And oh, by the way, it's going to sit in the Amazon cloud or in the [inaudible] cloud and we're going to manage that for you. So trust us."
Jake Bernstein: Yep. Very good example. So obviously the issue here is that the buying companies are trying to manage their third party cyber risk. As we've said over and over, this is a huge and very important part of cyber risk management. But when you are representing or when you're working for a company who is the target of third-party cyber risk management, it can be challenging.
Kip Boyle: Oh yes, and what's really fascinating to me is sitting on both sides, right? Because we've got customers where we're saying, "By golly, you better get a handle on your third party cyber risk," and we're helping them do that. Then we've got customers where we're saying, "Oh my gosh, you're going to get crushed if you're not careful. You can't do all that stuff that they're asking you to do. You can't afford it." So it's crazy. It's really crazy.
But I mean, the bottom line here is that large companies buying things from vendors, whether it's a product or a service, and the service could be a product that is now delivered as a service. Right? But they have to be sure that the vendors they're working with are great at preventing incidents or, when necessary, detecting them, responding to them and recovering from them. Because when I was an active CSO at my insurance company, I thought of all these vendors as a natural extension of our technological ecosystem. So I wanted them to adhere to our cybersecurity policy as if they were part of our company. That's what I was looking for.
Jake Bernstein: Yep, and the challenge there is that if you have 50 clients as a smaller company and they all want you to act as if they're part of your bigger customer, you can end up with competing interests and it can get very difficult very fast.
Kip Boyle: Oh, yeah. There's a lot of reconciliation that needs to go on. For one of my customers, they had several contracts with ... I would say they had a clutch of about five major customers that were driving the bulk of their revenue, and then they had a bunch of other customers that were just sort of taking up the rest. So we sat down with these five data security addendums and other contract vehicles that had been signed, and the question we were trying to answer was, "Are we satisfying all of these requirements?"
So we set out to harmonize them and try to figure out could we boil out a single set of security requirements from these five different customers? And man, it was tough. It was really tough. They use different language to say the same things. Other times the requirements were conflicting and oftentimes it was a matter of just saying, "Okay, well, who's going to set the most stringent password policy? Okay. We'll follow that because if we do that, then everybody else will be happy." Yeah, so it was really eye-opening.
Jake Bernstein: So let's talk about the sales process because I think that is something that a lot of our clients struggle with because there's a lot at stake and there's a lot of different components that need to be looked at. We always have to keep in mind that a sales contract is just the very beginning of the work for our clients, even if it is the bulk of the work for us. What that means is that we have to be mindful of the fact that if our clients spend too much time and money and effort, just trying to close a deal, that every day that goes by, they are losing margin basically. So let's go into this and figure out what are the various issues as a sales hurdle for cybersecurity and vendors.
Kip Boyle: Yeah. So there's a lot of things at stake. Again, in this episode, we're talking from the position of that mythical SaaS provider trying to sell to the big insurance company or the big bank. So if you're the leader of that SaaS company, let's say you're the CEO, you're talking to the CIO or whoever your vice president of technology is, and you're showing them this data security addendum that you've never seen before, well, if you're the CEO, you're thinking, "Oh my gosh, how long is this going to take? Am I going to lose momentum on this deal? Because it looked like they were ready to sign yesterday. They really need us. But then all of a sudden their security team dropped this data security addendum in here. How fast can we get through this?
Because I made promises, maybe I shouldn't have now that I'm thinking about it, but as the CEO, I made promises about how much revenue I was going to generate this quarter. This deal that I have right here in my hands is a big part of me making my numbers. If I don't make my numbers, if I miss my sales targets, then there's going to be a lot of disappointed people and that could mean I'm out of a job, or that might mean I need to change up my executive team and I don't really want to do that because I just got this team all figured out."
So loss of deal momentum, I think, is a huge thing that they think about. Then you already mentioned another one that's at stake, which is loss of deal margin. What we mean by that is if you're expecting to sell a widget for $2 and it costs you $1 to do everything you need to do to put that widget into your customer's hand, well, now you've got a dollar of margin, a dollar of profit here, and I'm just keeping the math really simple. But if you have to spend that extra dollar on answering enormous questionnaires full of obscure questions about obscure things that you've never heard of before, you're going to rapidly chew through that. If you hire the wrong expert to help you, you're going to end up with this enormous bill. So you might win the deal, but you might start the work with zero profit or maybe even negative.
Jake Bernstein: It could cost you money, in fact.
Kip Boyle: Yep.
Jake Bernstein: Okay. So how should companies overcome these sales hurdles?
Kip Boyle: Well, there's one other thing at stake that I want to mention too, which is they might not win the deal at all.
Jake Bernstein: That is definitely a risk.
Kip Boyle: Yeah. I mean, could you imagine doing all this pre-sales due diligence and then come to find out that the customer's confidence in you drops so low because you didn't handle that well that they pass, right? So now you're even worse off because you had all this deal momentum, you thought you were going to close it and then they pass, but you spent a lot of money trying to convince them that they shouldn't pass, but they did, and so now you're even worse off than you were before. So I see company leaders really struggling with this.
Jake Bernstein: Well, and what's interesting is that we obviously ... we have some clients where we are advising them on the third-party risk guidance, and so we know that even if the teams inside the potential customer are excited about a given vendor, we have built programs where if a vendor doesn't pass the cybersecurity evaluation process, then they can't necessarily hire them. So, again, it's a situation where we see it from both sides and it's very, very important to kind of understand the whole process.
Kip Boyle: Right, and so we spend a lot of time coaching the clients that are trying to sell into the regulated spaces, we spend a lot of time coaching them on how to navigate these treacherous waters, how to overcome these sales hurdles. Because that's what they say to me, our customers. They're saying, "Look, this is a hurdle that I've got to get over in order to close this deal. Help me get over this hurdle." There's other types of sales hurdles too. I mean, cybersecurity is just one. There's typically many that they've got to get over. It could be the actual cost of the service is another sales hurdle, just getting that tweaked and other terms of the agreements. So this is just one sales hurdle that they're trying to leap over.
Jake Bernstein: Exactly. So what can be done? What are some steps that we have?
Kip Boyle: Okay. So I'm going to tell you, in my experience, how I work with business leaders to leap over these cyber security hurdles, and I see it as a three-step process. So the first step is you've got to quickly evaluate the request that you got from the prospective customer, whether it's a data security addendum, or it could be a questionnaire that they want you to fill out. So you've got to quickly get this thing in your hands and you have to evaluate it. Now, if you don't know how to evaluate it, you need an expert, right? That's like getting an obscure letter from the IRS and you're trying to figure out what this means. Just hand it to your CPA, let them tell you what it means, right? I mean, you've got better things to do. So same thing here.
But let's say you want to try to evaluate it. Well, okay. So do you know what they're asking you for, and are you already doing it or are there significant gaps? I try to help business leaders remember that this isn't just what your customers want because your cyber risks are considerable too. So you don't want to treat those as two separate problems. That's very, very costly. You want to push those together and you want to spend ... every dollar you spend on cybersecurity should do two things. It should make your cyber risk more manageable, and it should make customers feel better about doing business with you, right? You don't want to spend a dollar to make customers feel better and then turn around and spend a different dollar to manage your own cyber risk. That's not the way to go.
Jake Bernstein: That will cut into your margin like nothing else.
Kip Boyle: Big time, and I've seen people grow their cybersecurity program incrementally as sales opportunities arise and oh my God, what a mess that is, just out of control.
Jake Bernstein: Well, there's a big risk with that too, which is it's a classic chicken and the egg problem. I've seen this happen particularly to younger companies where they can't get business without a certain level of cyber risk management, but they can't necessarily do the cyber risk management until they have the business. So you really have to get it all together before you go out there and try to make too many sales, or you could be stuck.
Kip Boyle: And you've got to do it smartly, iteratively, ethically. I mean, I can see the tension with these business leaders, right? On the one hand, they just want a warrant that they have it and then they want to take the risk that they'll never have to use it because they never really did have it, right? This ability to do this stuff. So they just want it to be like a contract warranty that they hope that they never have to deal with. But on the other hand, they also know that something could materialize and they could lose their whole business over it. So most of the business leaders that I've interacted with want to do the right thing, but there's so many competing forces acting on them. It's really, really hard. Now back to evaluating the request, just a couple of more things you've got to look at.
So will the time that you need to respond to the request actually decrease your deal momentum? Often it does, and then the cost, right? We talked about this. How much will it cost you to respond to the request? Is that going to consume all your deal margin? So these are the major factors that you need to be clear about in step one, which is quickly evaluating this request. The next thing you need to do is you need to figure out how are you actually going to respond based on what you learned from evaluating the request? Now this is going to depend on your maturity level, right? So if you've gone through this a lot, then you're probably in a better situation, or you could be in a better situation than if you haven't had a lot of experience with this. But if you've gone through it a lot and you've been making it up, as you go along all the way, then it's still a scramble every time, and I don't think that's ideal.
But, okay, step two is how you're going to respond. Now, maybe you've got a position paper, a marketing paper that you can give to a prospective customer that kind of outlines how do you do cyber risk management? How do you do cybersecurity for your product or your service? You might have an outside attestation letter, like an informal one where you hired a consultant to come in and take a look at what you're doing and give you advice. Not the same as an audit, not the same as a SOC 2 or something like that, but something a little bit more rigorous than just your own assertion. Or maybe you have a SOC 2 report and if you do, then you can probably stop listening to the episode right now, because you've got kind of the ultimate power as I see it these days. It costs a lot of money.
But let's say you don't have that stuff. Let's say you don't have a SOC 2 report. Well, if you're in the cloud, then your cloud providers have SOC 2 reports. So get those and make sure you use those because that's probably where most of your production computing equipment and services are hosted, right? So you can provide those reports. Maybe you can complete the short version of their due diligence form and then see if a longer due diligence form is absolutely necessary. Here's something, let's say they come to you and they say, "No, here's the 300 question questionnaire. You don't have a SOC 2 report so you're going to have to do this one."
Okay, well, try to figure out how many hours that's going to take and then go back to them and say, "Based on the price point that we're offering the service to you, we can put maybe two hours into this long due diligence form. But if you want us to do the whole thing, we're willing to do that, but you're going to need to pay us. You're going to need to help cover those costs because I can't offer you this service at this price point with this much due diligence upfront, especially if I don't know if we're going to close the deal."
Right? So you should push back. I've had several cases where I've worked with business leaders where they've pushed back like that and they've actually been funded by the prospective customer, the large enterprise, to go through the due diligence. So if you've never thought of doing that, if you're in the audience and you've never thought of doing that, you should start thinking about that. If that doesn't work, then maybe you need to raise your prices. Because if a lot of your customers are asking you to do this due diligence, then maybe you need to raise your prices so that you can afford to do it as a pre-sales activity.
Jake Bernstein: Exactly. It has to be built into the margin. Another strategy I've seen, too, is being able to build a database of these requests and then kind of pre-answer them. That can help ... Well, I think we're going to get there, won't we?
Kip Boyle: Yeah. So that's kind of like a knowledge base, right? So assembling a knowledge base of your previous responses and that's helpful. It's still a lot of work. Trust me. I mean, it takes an eight hour due diligence maybe down to six or four, because you still have to sort through ... As I said before, when we were comparing those five contracts, you'd get two companies saying the same thing, but they used very different words. So if you're going to do some kind of keyword search or something in a knowledge base, the first couple of times you do that, you may not come up with anything, even though there's something really good in there. So it's going to take you a while to find the pre-canned answers that you've been compiling. If anybody out there knows a great way to do that, please let me know because I'm always looking for something that'll do better.
Jake Bernstein: I've witnessed another downfall of the knowledge base, which is it can overly rely on people who don't really understand the questions, and then what they do is they end up finding answers that just don't work.
Kip Boyle: Right. So you kind of get this terrible mashup between what the question says and by the time the answer gets back to the questioner, they don't get it. It doesn't pencil for them. And by the way, whatever you do, when you're going through the second step of actually responding, you've got to avoid appearing as though you don't know much about managing cyber risk because customers, prospective customers, can smell that from a mile away. The fear, the uncertainty, the doubt on you. You've got to project a lot of confidence because if you don't and they smell that, then they're going to really turn up their due diligence process and they're going to start really drilling in.
Jake Bernstein: Or they'll just run away.
Kip Boyle: Yeah. Or they'll just run away. Here's the thing. You might think losing the sale is the worst case scenario. It's not. It's bad, but it's not the worst. I'll tell you what the worst is. The worst is that you get the deal and the people in the business unit love you, but the people in the cyber security unit hate you. You're going to spend the rest of your days getting regular, close, personal supervision by the cybersecurity team who are going to come and talk to you all the time and it's going to be super disruptive to your business and you may never make your margin on that deal forever.
Jake Bernstein: Another almost even worse possible response or result is that that happens, you eventually lose the deal because the cybersecurity folks really don't like you, and then they talk to their friends and you find that you're locked out of an industry.
Kip Boyle: Absolutely. Your reputation will go into the toilet and you'll be behind the eight ball from the beginning the next time you go to a large insurance company, because like you said, the cybersecurity teams have compared notes and they already know before you even show up that you're a problem child.
Jake Bernstein: Yeah. It happens. It's important because that's one of the purposes of information sharing.
Kip Boyle: Right. Absolutely. So just know the cybersecurity people talk to each other, they often do it in binary so you can't understand it, but they do talk and your reputation as a secure provider is either going to go up or down based on how you interact with these teams and how you handle yourself through the due diligence process. So you are going to get a reputation one way or the other. But, okay, so this is step two, right? So we're talking about how do you actually respond to the request? Again, I'm just going to tell you that if this stuff all seems crazy to you or you're just thinking to yourself, "I can do that, but there's so many other things I can do with my time," get an expert.
Jake Bernstein: Yes. Get the expert.
Kip Boyle: Get the expert. Now, there's a third step that we want to talk about, which is how are you going to handle future requests for cyber risk due diligence? Okay. So we talked about the one-off situation, but really you need to think about how are we going to deal with this on a going forward basis. I see a couple of choices here. You could either continue to deal with it on an ad hoc basis, which we've kind of talked about in the first step, right? Which is evaluating what's being asked for. The risk there is that you're going to incrementally build a patchwork cybersecurity program that is just too big for you as a small company. So that's not where you want to end up at all. You're going to end up with all these gaps, these overlaps, duplicate spending, it's going to be very poorly, poorly optimized and it's just going to really, at the end of the day, it's just going to be like this Potemkin village that looks really great from your customer's perspective but there's nothing going on there.
Another issue is that if you try too hard to satisfy your customer's requests, then they will take you to the cleaners. A giant insurance company is going to demand that you, as a small SaaS provider, have enterprise class systems and solutions in place, and you can't afford that. I'm telling you right now, you cannot afford that. You've got to stick to your guns and you've got to tell them like, "There's no way I'm going to implement Splunk. I can't do it. We're not big enough. I don't have the manpower to do it. If you make me do it, then I'll have it, but I probably won't do anything with it. It's just going to sit there and you'll get blinky lights security," and we've talked about how effective that is.
Jake Bernstein: It is, and the other part too is to keep in mind that to push back on people to say, "I'm not an enterprise, I don't need enterprise class security systems. In fact, they're often counterproductive." I think that is a really important thing to say, because if you just push back and say, "It's too expensive for us," the response you get may be, "Well, you're not taking security seriously enough so we're not going to use you." Whereas if you say, "Look, we have our own reasonable cybersecurity program that we put in place that is specific to us and our size and we are completely comfortable with our system and its defensibility."
Kip Boyle: "We know how to use it."
Jake Bernstein: "We know how to use it." That is a much more confident and reassuring response than particularly if you just submit and buy something that doesn't look good in many different ways and it destroys your margin and ... the negatives go on and on.
Kip Boyle: It does. It really does. I am helping customers all the time try to figure out things like intrusion detection systems. I just had this conversation the other day where the person in charge of IT asked me at the SaaS company, "Do I really have to install an intrusion detection system? That's what my customers are wanting." And I said, "You mean like some kind of a Splunk or some kind of a Snort or something like that, some kind of a big enterprise system?" He goes, "Yeah, I just don't see that as being workable." And I said, "Absolutely not. Do not even think about installing that." I said, "But what you can do is ... here's a list of 10 common indicators of compromise, and you can write reports that will tell you if one of these things happens."
As an example, I said, "Look, anybody who attacks you wants to become an admin or a root. So what you need to do is you need to monitor the number of admin accounts, the number of root accounts you have, and every 24 hours at a minimum, you should be receiving a report about how those accounts have changed in the past 24 hours. If you see any change that you didn't authorize, because you're a small company, you'd know, then you have an intruder and you need to get on it immediately." Right? So who needs an enterprise class system when you can write a report from some log entries that you can pull out? And it's just a common path to exploitation, is people are going to become [inaudible 00:27:26], they're going to misuse the accounts. So it's just one example of how you can satisfy a requirement without spending a ton of money trying to figure out how to deploy an enterprise class solution.
So this third step we're talking about is how are you going to handle future cyber risk due diligence requests? So we just talked about ad hoc, right? Just figuring out as you go. Or, and I think this is more powerful, is you can put a more structured response into place, which is ... so for example, could you put together a canned response that would answer most of their questions upfront? A position paper, a piece of marketing collateral that just kind of orients them to the way that you do things. Not that that's going to solve the due diligence issue. But I think what that's going to do is it's going to send a signal that you get this. You don't even have to be asked to do the due diligence. You're going to offer this upfront as a way of telling them you get it, you understand where they're coming from and you've thought about this, and it's going to make them feel a lot better about you upfront.
Another thing that you could do is that knowledge base that we talked about, right? So a place where you can go and say, "Has anybody ever asked us this question before?" and pull that out. You could possibly outsource the completion of the big security questionnaires and then pass the invoice on to the company that's requesting you to do that due diligence. I've seen that. If you're a small company, that's really wise because the last thing you want is a scarce resource like the vice-president of IT, who should be doing all kinds of really important strategic things for your business, bogged down trying to answer these questionnaires. That's a massive mismatch of talent to need. Think about the opportunity costs.
A couple of other thoughts that I wanted to share with the audience is ask yourself would customers respect an ISO 27001 or a NIST cybersecurity framework certification from an outside auditor of some kind? That sometimes can be a suitable substitute for a 300 question questionnaire, or you may have to go all the way and get your own SOC 1 annual report. I know we haven't really described what a SOC 2 report is, but I'm counting on people in the audience more or less to know what that is. It's when an outside auditor comes in and does an actual formal audit to see if your cybersecurity program is everything that it should be. It's really expensive to get one of those. Your first one's going to cost a ton of money, and when you start doing one, you're never going to stop. So just realize that if somebody asks you for a SOC 2 report, realize that that's a lifelong commitment. It's not a small thing.
I think the last thing is that you can softly position your brand as the secure choice. I wouldn't put a neon sign. I would not say to everybody, "We're totally secure, we're the most secure." Don't do that because you're just kind of encouraging people to prove you wrong. However, when you get that marketing piece and you give it to your prospective customers proactively, that's a soft position of your brand as the secure choice. So you don't need to blast that all over your website and any of your ad campaigns, but just make sure that when you're talking with prospective customers, you bring that up. I think that's going to impress them and that's going to possibly allow you, again, to make that small price premium increase so that you can afford to do the due diligence and make it look like easy breezy. Right? That's what your customers really want to see.
Okay. So that's my recommendation, my three-step recommendation for how you can get over these sales hurdles related to cyber risk whenever they come up on you. I'd love to hear from anybody who has other ideas about this, or has very different experiences. I'd love to hear from you. So you can just send me an email, email@example.com.
Jake Bernstein: All right. Well, that about wraps up this episode. So let's go ahead and close out.
Kip Boyle: Yep. Okay. We talked about, today, how to quickly and profitably close deals with your cyber security intensive customers. Thanks for listening. We'll see you next time.
Jake Bernstein: See you next time.
Speaker 1: Thanks for joining us today on the Cyber Risk Management podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So, if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.