Selling to the Enterprise in the Age of GDPR

Part 2: Talk the talk

Source: https://www.flickr.com/photos/frederickhomesforsale/16241388115

This blog post is directed at startups, but it is also quite relevant for salespeople at larger companies.

This is part 2 of a three-part series. As a reminder, in Part 1: “Was it always this hard?”, your customer’s cybersecurity team just derailed your multi-month sales effort, and you wondered if there was a better way. Simply put, turning your customers’ cybersecurity teams into your strong advocates will not only rescue deals, but can even differentiate your company.

Recently, an SAP.iO Foundry¹ company in San Francisco, NextPlay.ai, began building a relationship with a customer’s cybersecurity team. NextPlay CEO, Charu Sharma, found the experience to be positive and collaborative:

“The increasing security conversations in enterprise sales make it difficult for startups to sell to large companies. But large companies really want to work with startups to stay relevant in this digital era. Their security teams understand that we are under-resourced and are willing to meet us halfway.”

Timely and effective communication (talking the talk) is crucial to building such a collaborative relationship.

5 tips for “talking the talk”:

1. Engage early and proactively

Security wasn’t always part of the sales process. However, as discussed in Part 1, enterprises are increasingly managing the cybersecurity risk introduced by their IT vendors. Because this practice is still evolving, customers’ security teams are often informed rather late in the sales process. Addressing their many questions and concerns could add months to your sales cycle, which will look something like this:

Wouldn’t it be better to proactively engage security teams upfront? By doing so, you could address their concerns in parallel with your normal sales process. The proposed process would instead look something like this:

While simply addressing their concerns would accelerate your sales process, you should aim even higher, and make them your strong advocates.

2. Know your stuff

Founders should understand the most relevant cybersecurity basics, but it’s a bit much to expect them to become true experts. Instead, hire or designate someone who can talk security. Talking the talk needs to be in the language of security: threats & attack vectors, policies & controls, technologies & processes. Early-stage startups can’t justify hiring a CISO just yet, but even a developer with some relevant background, basic communication skills, and a good appetite to learn security is a good start. Some external one-off consulting to set up a minimal security program and documentation would go a long way as well.

3. Communicate

There are multiple ways to proactively communicate the security of your product and company. Here are a few ideas:

  • Create a 1–2 page PDF doc highlighting important security/privacy/compliance aspects of your product and internal processes, and share it with customers early in the sales process
  • If you can be more transparent, dedicate a “trust” page on your website, with content similar to the bullet above (here’s an example of SAP’s Cloud Trust Center)
  • Hire an external firm to penetration-test your company and product, then fix the issues and share the report with customers

4. Manage your externally visible security posture

It is difficult to build trust if your externally visible security posture demonstrates poor hygiene.

Case in point: https (AKA the little padlock icon near the browser’s address bar). Implementing https is both easy and the expected norm. If you’ve not yet implemented https, security professionals would notice and conclude that you’ve likely not bothered with the much harder — yet largely invisible — security basics.

As a side note, not all https is created equal, and you should strive for an A+ rating on Qualys SSL Labs’ free evaluation tool.

Qualys SSL Labs sample report

To take it up a notch, you should use an outside-in security rating assessment tool. Gartner predicts that by 2022, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships². Your customers will likely use such tools for a quick (yet very incomplete) evaluation of you, so you should stay on top of it.

5. Demonstrate your flexibility and commitment

Neither you nor your competitors will perfectly answer every security concern your prospects raise. Your openness, transparency, and flexibility could set you apart and help build early trust. You should embrace prospects’ security questions to engage in a trust-building conversation, and then address concerns in a timely, complete, and transparent manner.

Here are a few sniff-test questions your prospects may ask verbally (beyond the typical questionnaire). Engage with such questions to demonstrate your security posture and commitment³:

  • How are you affected by <LATEST BUZZ-VULNERABILITY>? (The top 2018 example was Meltdown and Spectre)
  • What are the top three cyber threats to your business? How are you addressing them?
  • Who in your org owns the cybersecurity/privacy topic? What are their qualifications?
  • What’s your business continuity plan?
  • What processes do you have in place to respond to Data Subject requests?
  • What personal data are you processing? Why? How are you using it? How are you securing it? How will you detect a breach?
  • Can we audit or pen-test your company?

Good answers will transparently include policies, technologies, and even audit reports. Here are a few bad answers to avoid:

  • “This is too confidential”
  • “We outsource that to X”
  • “We use AWS/Azure/Google, so we’re covered”
  • “No one has asked for this before”
  • “It has worked so far”

One positive parting thought

If your customers are excited about your products and you actively engage their security teams, customers will work with you to make the deal happen.


Please follow me here or on LinkedIn to catch Part 3: “Walking the walk,” a quick-start guide on delivering the security promise.


1. The SAP.iO Foundries are SAP’s global network of top-tier startup programs, including accelerators, enabling startups to build innovative software that delivers value for SAP customers. Among other benefits, the Foundry helps startups understand “enterprise readiness.” Per NextPlay CEO, Charu Sharma:

“Being an SAP.iO portfolio company, we got mentorship on “talking the talk” and building out some basic security documentation to build confidence with our buyers, and it made the world of a difference.”

2. Gartner, Innovation Insight for Security Rating Services, 27 July, 2018

3. For more on this, I recommend John Elliott’s excellent 2018 RSA talk: Personality Profiling Your Third Parties for Effective Supplier Management