While I make my living doing security and the benefits are obvious to me, I've come to the realization that most of the time security and privacy don't sell consumer products or services. While good security won’t make the sale, weak security can concern customers and create sales objections.
If your core customers are large, mature shops, they'll ask some pointed questions about your security. If you're doing the right things, you can show them that your product or service isn't a substantial risk to them. If you can't, you may not keep the business.
However, telling your security story to smaller businesses and non-power user customers can be a tricky business. They are concerned about security and privacy, but are not experts. Your approach to explaining your program needs to be accessible to them and meet them where they are.
My favorite analogy is that of the ice cream shop.
You visit an ice cream parlor. You want to buy an ice cream cone. At this point, it's the proprietor's sale to lose. They might not have your first choice, but you've come this far, you are going to buy some ice cream. You look at the tubs, read the names and muse over flavors. You even decide if you need chocolate sauce or jimmies.
Then you read the sign hanging above the counter: "Our ice cream is guaranteed 90% free of broken glass."
This ice cream shop wanted you to know about the security of their product. But now, you may not be buying ice cream there. In fact, instead of imagining how good the ice cream will taste, all you can think of is the glass that might be hidden in your ice cream. And from here on out, each time you buy ice cream, you'll be looking for some guarantee that your sweet treat is also glass free.
In a way, talking about your security program is similar. You need to tell your customers your security story. The mature shops that understand the details will understand why you're telling them that your ice cream is 90% glass free. But how do you do this in a way that doesn't trigger concern or objections from those who don't understand why glass would ever be part of the ice cream making process?
How do you explain security to your customers?
First and foremost, don't assume your customers are ignorant or uninterested. They’re smart enough to consider your product or service, just not expert enough to understand the how of security.
They need a jargon-free approach that puts what you're doing in context. Explain why you have these controls and how your customers benefit from them.
The WHY: Explain why you do security, but explain it in an accessible voice.
Convey why you protect their data. Convey that you do not do security because you're afraid of a regulator or a lawsuit, but because it's a business imperative.
"We understand that we hold your valuable, sensitive information. We'd like to explain what we do to keep that information confidential, accurate and available to you. We do this because we know that without you, we have no business."
The HOW: Explain what you're doing and how it keeps them safe. Make it meaningful for them.
It's not just what you do, but how it benefits the customer. There's no need to explain every part of your program, but you're going to want a few highlights: how you hold their data, any external audits you've passed and perhaps what else you do. Here's another example:
"We monitor our own networks for unusual or unauthorized activity. We collect that information so we can see if someone's trying to log in as you from an unusual location or time. This lets us know if someone's trying to pass as you. This lets you know if you need to change your passwords."
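The statement above stays jargon-free on purpose, but it helps to have a concrete picture of what the control behind it looks like. The following is an added example, not code from the original post or from any product it describes: it builds a per-user baseline of countries and login hours from past successful logins and then flags new logins from an unseen country or at an unusual hour, which is exactly the "unusual location or time" the customer is told about. The log format, the user and country values and the one-hour tolerance are all assumptions made for this illustration; a real system would get the country from a geolocation lookup of the source address and would tune the thresholds to its own traffic.

```python
"""Added example: flag logins from an unseen country or an unusual hour.

Not the original post's code. The log format below is constructed for
illustration; the country field is assumed to come from a geolocation step
that has already run.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log line shape: "<ISO timestamp>Z user=<name> country=<CC> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) country=(?P<country>[A-Z]{2}) result=(?P<result>\S+)$"
)

# Constructed history of past logins used to build each user's baseline.
HISTORY = [
    "2024-03-01T09:12:00Z user=alice country=US result=success",
    "2024-03-02T10:05:00Z user=alice country=US result=success",
    "2024-03-03T17:40:00Z user=alice country=US result=success",
    "2024-03-01T08:30:00Z user=bob country=DE result=success",
    "2024-03-02T19:15:00Z user=bob country=DE result=success",
    "2024-03-02T19:20:00Z user=bob country=RU result=failure",  # failed attempts never enter the baseline
]

# Constructed new logins to check against that baseline.
NEW = [
    "2024-03-10T09:30:00Z user=alice country=US result=success",  # usual country and hour
    "2024-03-10T03:05:00Z user=alice country=BR result=success",  # unseen country and unusual hour
    "2024-03-10T18:00:00Z user=bob country=DE result=success",    # within one hour of a usual login
    "2024-03-10T12:00:00Z user=carol country=US result=success",  # no history at all for this user
    "garbage line that does not match the format",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "country": m["country"], "result": m["result"]}


def build_baseline(lines):
    """Per-user sets of countries and UTC hours seen in past successful logins."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue
        baseline[ev["user"]]["countries"].add(ev["country"])
        baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return baseline


def hour_is_usual(hour, usual_hours, slack=1):
    """True if `hour` is within `slack` hours (wrapping at midnight) of any usual hour."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= slack for h in usual_hours)


def check_login(baseline, ev):
    """Return the reasons a successful login looks unusual; an empty list means it looks normal."""
    profile = baseline.get(ev["user"])  # .get() does not create a profile for unknown users
    if profile is None:
        return ["no login history for user"]
    reasons = []
    if ev["country"] not in profile["countries"]:
        reasons.append(f"unseen country {ev['country']}")
    if not hour_is_usual(ev["ts"].hour, profile["hours"]):
        reasons.append(f"unusual hour {ev['ts'].hour:02d}:00 UTC")
    return reasons


def flag_anomalies(history_lines, new_lines):
    """Map each new successful login that looks unusual to the list of reasons."""
    baseline = build_baseline(history_lines)
    flagged = {}
    for line in new_lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue  # unparseable lines and failed logins are skipped here
        reasons = check_login(baseline, ev)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in flag_anomalies(HISTORY, NEW).items():
        print(line, "->", "; ".join(reasons))
```

Run as a script it prints the two logins worth a closer look: alice's 03:05 login from BR (unseen country and unusual hour) and carol's login (no history to compare against). A first login for a new user is deliberately reported rather than silently accepted, since the absence of a baseline is itself something the monitoring team wants to know; in practice a product would route these findings to the user as the "change your password" prompt the statement promises, not just to an internal log.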
Often, a simple explanatory page on your site can help you turn your security program/story into something that soothes customer concerns and prevents sales objections. You get or keep a customer and you get paid. Perhaps you should buy some ice cream in celebration.