'Be AFRAID Be Very AFRAID'
Fear sells. That's what many information security (IS) technology sales representatives are counting on, and it's time
"Threats are so typical when vendors sell an information security service or product," Snedaker said. "The scare tactic method of
Threats posed by vulnerabilities or new malicious code and the fear of regulatory violation are often used to sell IS technology to
"The scare tactic approach to selling IS technology is popular because many security vendors attempt to sell to the highest levels
"IS is so complex," she continued. "You can't expect a high-level executive to know what a packet sniffer or even a firewall is, or
"No one executive can make a decision about what security products the credit union needs unless he or she has invested a lot of
With the scare tactics sales model, "making security purchases will be based on the perceived threat of what will happen if you
What's necessary is that security is built into the business, she said. "In other words, when evaluating systems to accommodate a
At that point, sales information could be filtered by IS departments and then summarized for executives, she said.
Vendors may also promise compliance with Gramm-Leach-Bliley Act (GLBA) security rules or NCUA guidelines. Too often,
"My point is: Don't try to scare us. We know that the next SQL Slammer or SoBig variant is out," Snedaker said. "We also know
"Besides, regulation is a by-product of our business, it's not our business," Snedaker continued. "Yet sales reps always focus on
In addition, sales reps often tell executives that their product is a one-stop, all-encompassing solution, she said. "There is no such
But Snedaker isn't suggesting that IS sales reps close up shop. "I'd like sales vendors to know what the specific business needs are
Snedaker prefers sales reps who don't overuse the words "audit" or "compliance" in their spiels. Examples of firms with a good
Credit unions without IS departments should consider screening vendors via a four-point checklist, Snedaker added.
Snedaker, who herself took a short detour into the IS technology sales world, suggested that the checklist include:
* Actual deliverables of the security product or service. Request those be stated clearly and in writing early on in the RFP process.
* Business objectives the security product or service will help the credit union meet.
* References from existing CU clients, if possible.
* If the potential vendor has stated its product/service will help meet regulatory compliance, then a written list of specific