Be AFRAID Be Very AFRAID

Fear sells. That's what many information security (IS) technology sales representatives are counting on, and it's time for them to stop, according to Thelma Snedaker, security administrator for the $4-billion United Airlines Employees' Credit Union.

"Threats are so typical when vendors sell an information security service or product," Snedaker said. "The scare tactic method of sales is old, and it's time to move on."

Threats posed by vulnerabilities or new malicious code and the fear of regulatory violation are often used to sell IS technology to credit union executives, she explained.

"The scare tactic approach to selling IS technology is popular because many security vendors attempt to sell to the highest levels on the organizational chart," said Snedaker.

"IS is so complex," she continued. "You can't expect a high-level executive to know what a packet sniffer or even a firewall is, or the differences between the types and if or how those would help the credit union's overall security posture.

"No one executive can make a decision about what security products the credit union needs unless he or she has invested a lot of time in research and completely understands the product as well as the application of the product to a defined security risk."

With the scare tactics sales model, "making security purchases will be based on the perceived threat of what will happen if you don't, rather than understanding how that security product or service will actually help you accomplish your business goals," said Snedaker.

What's necessary is that security is built into the business, she said. "In other words, when evaluating systems to accommodate a new credit union service or product offering, the inherent risks and security solutions should be identified up front as part of the TCO [total cost of ownership]."

At that point, sales information could be filtered by IS departments and then summarized for executives, she said.

Vendors may also promise compliance with Gramm-Leach-Bliley Act (GLBA) security rules or National Credit Union Administration (NCUA) guidelines. Too often, sales reps have only a vague idea of what that means, she said.

"My point is: Don't try to scare us. We know that the next SQL Slammer or SoBig variant is out," Snedaker said. "We also know that our auditors, both internal and external, will be looking for assurance that we're complying with regulations. So if you're going to use GLBA in your pitch, then use it knowledgeably."

"Besides, regulation is a by-product of our business, it's not our business," Snedaker continued. "Yet sales reps always focus on regulation."

In addition, sales reps often tell executives that their product is a one-stop, all-encompassing solution, she said. "There is no such thing in IS."

But Snedaker isn't suggesting that IS sales reps close up shop. "I'd like sales vendors to know what the specific business needs are for credit unions and how their products address the needs," she explained. "And I'd be wary of people who say they could address all of the needs."

Snedaker prefers sales reps who don't overuse the words "audit" or "compliance" in their spiels. Examples of firms with a good approach to sales are SecureWorks; Subject, Wills & Co.; and Symantec Corp., Snedaker said.

Credit unions without IS departments should consider screening vendors via a four-point checklist, Snedaker added.

Snedaker, who herself took a short detour into the IS technology sales world, suggested that the checklist include:

* Actual deliverables of the security product or service. Request those be stated clearly and in writing early on in the RFP process.

* Business objectives the security product or service will help the credit union meet.

* References from existing CU clients, if possible.

* If the potential vendor has stated its product/service will help meet regulatory compliance, then a written list of specific regulatory requirements that will be met with reference to the exact requirement.

MORE FROM AMERICAN BANKER