CDW Blog

Building Effective Security Programmes: Part 13 – The Commercial Domain

23 April, 2024 / by Greg Van Der Gaast

Welcome back to our series on building security programmes. We hope this series not only helps you better secure your organisation, but also highlights CDW’s commitment to helping customers approach security holistically and effectively, with their unique business context in mind.

Simple question: if we are the Chief Information Security Officers, the head honchos of security in our organisations, whose job is it to handle the commercial aspects of security?

Who is responsible for creating brand value around security? 

Who is responsible for answering any questions around security during the sales process, and for improving the speed and quality with which those questions are answered?

Who is responsible for ensuring that any commitments made in contracts with customers, partners, or suppliers are captured and integrated as part of our security programme? 

Whose job is it to leverage security efforts as a competitive advantage?  

Who should make the arguments that leverage security to win tenders over our competitors? To raise public awareness of our security efforts and the resulting security of our offerings? 

Who develops the commercial security strategies that can boost our company’s business? 

Who should think about how to milk out every bit of commercial value from the security work we’re doing? 

I strongly feel that it’s us, the CISOs. 

Doing these things isn’t just a significant contribution to the business (which is something we should be doing anyway); they are also things that can help us offset the cost of the security function to the business, sometimes by more than 100%.

After all, our job is to help the business, not burden it. 

It also means we have commercial discussions, which cause us to be included and respected in the more commercial verticals of the business, as well as with senior management. 

We’re more likely to be involved in strategy and project meetings if people think we can potentially add commercial value to what’s being proposed, rather than merely assessing its risk and potentially slowing things down or increasing the go-to-market cost. 

Finally, it’s a helpful connection point to Sales, Marketing, and Product departments, which can be hard to reach. Those connections are essential if we’re going to have visibility and influence over their risks and processes.

The contents of this domain can vary widely depending on our business and on the avenues we can identify and leverage for security to help the business commercially, both as a quality-enhancing function and as one that helps build trust among customers.

As such, I don’t have any hard and fast recommendations for what should go in here, but I can give you a sample of the things I’ve put in this domain in past roles. 

  • A document covering the overall commercial security strategy and related messaging and objectives. 
  • Shareable studies about the business risks faced by our customers, by industry or vertical where applicable, in the context of our industry. 
  • How we’ve shaped our security programme and team to address those customer risks in our service or product (which our competitors likely haven’t mentioned or addressed). 
  • Customer-facing documentation on our full stack of internal security practices, showing how we implement relevant security throughout the entire lifecycle of the product as well as all our business processes. 
  • Definition of our brand values and how security features as one of them. 
  • Definitions on how marketing should include and communicate security messaging as part of other activities. 
  • Security messaging (page) on our website. 
  • Our public stance on security. For example: we cover the full lifecycle, we will never charge extra for security features, etc. 
  • Any additional blog or campaign efforts we produce for internal and customer-facing security messaging. 
  • Extensive RFI response documentation to help sales teams accelerate the sales process by pre-emptively providing answers to security questionnaires. 
  • A process to ensure any security commitments in contracts are captured and implemented where needed. 
  • Documentation around a portal that showed our state of compliance in real time to our customers.

I invite every CISO to put their sales and marketing hats on and add to this list by really thinking through the nature of their business, and coming up with ways in which security, and the perception of security, could produce a competitive business advantage.

In my last CISO role I hired a former sales representative as an Information Security Commercial Officer to focus on these considerations. 

He not only enabled us to create commercial value for the business, but the way in which we did it led to us being perceived as more of a business function, bringing significantly more inclusion and support for all our efforts, not just the commercial ones. It also created the potential to make the function more effective.

All of this is good fun too! It’s an entirely different kind of problem-solving that I greatly enjoy, and helps build great relationships at the most senior levels of the organisation. 

Most of these things don’t have a whole lot to do with technology, but may drive the need for technical capabilities to do the extra things your customers might just be willing to pay for. As usual, we’re happy to help you meet any of your technology needs. 

Join us next time for a look at the final part of our sample security programme: a way of ensuring visibility and consideration of business processes in order to ensure their security.