Security: Get the Gotcha

When selling security services you can often overcome objections and close business, or get the needed approval from upper management, by showing them their "gotcha".

Mar 21, 2023

A very large media company had invited us in to talk about their security requirements. As the meeting started, we got the creeping feeling that we were just going to be their validator. They asked many questions about what we thought of the security measures they already had in place. We listened patiently and answered insightfully. But it was going nowhere

.When your objective is to convince a client to engage you, or to get your employee to approve and allocate funds for your proposed project, you’ve probably encountered moments like this. The prospective client or senior executive claims to be quite satisfied with their current state. You’ve done the homework to disprove that, and you’ve presented it. But they’re still deeply invested in proving you wrong and your proposal unnecessary.

Not fun.

Get the Gotcha Before You Go

What you really need to do at this point, as kindly and without insulting them, is punch a hole in the middle of their story. You have to demonstrate that there still are things they haven’t thought of, that they haven’t provided protection for.

At the point where I was realizing we simply had nothing to lose, I decided to take a risk. I had spoken to a few people from the company and one had complained about something they wish would be fixed. I was about to prove them right…or wrong.

“So, you feel comfortable,” I launched in, “that your network is impenetrable. That nobody can stop it or penetrate it. Right?”

Everyone on the client side of the table nodded enthusiastically, almost giddily.

“Okay,” I continued. “Let’s see something.”

With that I rose from my seat, gestured that should all do the same and follow me. I then walked them out of the meeting room and down the hall to where their server room was. They began to grumble amongst themselves, theorizing with what I might be up to. When we finally reached the server room, I grasped the doorknob, turned it…

And I then walked into their unlocked server room.

Because enough is never enough I walked over to a rack of servers, put my finger on a power switch, and looked at them disapprovingly. They were dead silent. All of them. It was a precious moment.

We Got the Work

We were awarded the project we had proposed to thoroughly investigate all their security measures, and we added an entire section on physical security, making sure everything was locked up.

This is not unlike the story of the CEO who went home one night and left his office door open. He had also left his computer on and signed in.

The head of the company’s IT security department happened to pass by and notice the open door. He walked in and sat at the CEO’s desk. Nice comfy chair!

He then opened his boss’s email and sent a letter saying to the addressee that they were immediately fired, to pack up their things, and leave immediately.

The Next Morning

The next morning the IT security director printed the email he had sent to himself and stormed into the CEO’s office, fuming. “What is the meaning of this? What did I do to deserve this. Hey, listen, I can sue for wrongful termination!”

The shocked CEO read the email in amazement, his mouth gaping as he double-checked to see his own email address in the From: field. “I…I didn’t write this,” he stammered out.

“Well then who did?” asked the IT director incredulously.

Deciding he had taken it far enough, the IT director began to laugh. He then explained that he saw the office door open, and the computer still logged in, so he decided to illustrate the importance of everyone taking security seriously at every level, and get the CEO’s buy-in to a project he was about to propose.

The CEO was slack-jawed. For a moment, it flashed in his mind just how funny it would be if he then just fired the IT director for this prank. Turnabout is fair play, and all that.

Dismissing the idea, the CEO acknowledged that the IT director had a good point. He then approved the project on the spot.

The Gotcha is Often Small, but Powerful

A HIPAA expert I once worked with told me that the way he won business from healthcare clients was to ask them what their greatest security threat was. These were doctors and administrators, so they had no clue.

“I’ll tell you what it is,” said my friend, “It’s the same in most every healthcare facility everywhere.” Invariably, the target says, “What is it?”

The expert would then answer, “People walking away from computer carts without logging out of their session. It’s all too easy for someone else to step up to that station and have complete access to more data than they should have access to. That’s probably the biggest hole in any healthcare computer system.”

Of course, the target asked, “Well, what can we do about that?”

The expert would then demonstrate how sometimes the best solutions are simple solutions. He proposed that they connect a small video camera to every station, with software that would log out the computer automatically if the user stepped away for more than ten seconds. Simple, yes, but the target was astounded. “Genius!” they thought.

Which was just what my security expert friend wanted them to think.

The Morale of the Story

When you do your homework in preparation to meet a prospective customer or a senior executive with approval power, look especially hard for the little “gotchas” that abound in every environment. Be sure to do a “SWOT” analysis of strengths, weaknesses, opportunities, and threats. These are usually fertile fields for growing nice health gotchas. You may have to reach out to people who live in the environment; nobody is more sensitive to the gotchas than the people who are affected by them.

Then be patient. Don’t rush to show your hand. Keep the gotcha close to your vest. Let the hand play out. And when the target thinks they have negated your proposal, spring the gotcha.

Be gentle. Don’t smack them in the face with it. Just calmly show them something they might never have thought of. A great sales VP I worked for in the beginning of my career was fond of reminding us, “It’s the salesguy who shows the customer something they had never thought of before who gets the business.”

Gotchas qualify.