Home > Integrators/Service Providers, Manufacturers, Peak Performance, Security Management / Operations > physical security directors need to learn to run a business, and vendors need to learn to sell

physical security directors need to learn to run a business, and vendors need to learn to sell

Have you read some of the press releases and marketing campaigns coming from vendors (manufacturers) lately?  It’s like they live on another planet.  I sometimes think there is an alternate reality where some vendors, consultants and trade magazines live in perfect harmony piecing nonsensical words together, feeding them to each other and then having a community cud-chewing festival.

[Sorry, did I just piss everyone off?  Ed and Lorna, I don’t include you in that crew.  Not you either, Michael.]

What I read rarely relates to the conversations I have with CSOs, COOs and risk management executives.  I tell this to the vendors, and they whine and squirm and declare that they know their customer better than anybody.  Maybe so.  But that would simply mean their customers are not the CSO, COO or risk management executives I’m talking to.


Maybe these vendors are content selling to facilities managers and the security directors who’ve been buying access control and DVRs for years.  That would make sense.  Those folks are competent security professionals who understand the technical and procedural requirements of access and surveillance.  So of course the vendors enjoy selling access and surveillance equipment and services to this crowd.

But then why do executives think things look askew? 

Two reasons:

  • Because neither the vendors nor the security directors have been successful describing the business value of specific security initiatives in terms of measured economic impact; and,
  • Because neither the vendors nor the security directors think of physical security departments as business units.  Therefore, they feel no need to use business language, set up common business processes, and report on metrics the way other business units do.

It could simply be a matter of not selling high enough.  The senior executives tell me that they see physical security as essentially screwed up.  “How did physical security get so messed up” was the exact quote of one of these execs last week, after he investigated the processes of risk management in his very large corporation. 

He expected to find a business unit with standard processes for setting goals and quantifying performance metrics.  Instead, he saw a 1970s police department with what he described as an archaic operation of “security for the sake of security.”  “How do the words ‘command and control’ fit into my business?” he exclaimed with frustration.

In short, physical security is not run like a business, from the business executive’s point of view.  It is run like a police department, or a military base.  Nothing wrong with that, intrinsically, of course.  Law enforcement and military operations are very effective for managing risk – if your organization is a city or university or war zone.  If we are talking about a business, however, security should be run differently.  It should be run like a business.

Vendors don’t get that, it seems.  So they don’t sell that message.  And they don’t create products that enable security directors to run a business.  Here are three things vendors should start doing right now to solve the real problems faced by the companies they sell to.

1. Describe solutions in terms of business service management.  Create sound, believable measurements of ROI, TCO and overall economic impact for each solution.  Be ready to map every major function of the product to specific business requirements.  Basically, you want to empower your traditional security director or facilities manager customer to carry the message of business value up the ladder.

2. Sell higher. If you can’t sell your product to a COO, then maybe you shouldn’t be selling it at all.  My point is that a product or service purchased in the organization should be valued and appreciated by the COO.  If it’s not, then either your message is wrong or your product is.  Investigate new business development methods to permit you to sell to senior executives.  You’ll make more money and solve bigger problems.

3. Stop the “me too” feature war.  Customers don’t really care what features your product has or what boxes the consultant can check off on the requirements list. Some features are more important than others.   Find out the relative weights of customer requirements and then you’ll be able to see how closely your product comes to actually solving the problem.  Otherwise, you are just showing that your product sucks less than the other guys.’  See my post, “Most product comparisons tell you jack

In this economy, no one can afford to pass by opportunities to provide the highest value to end user customers.  Slackers will die.

  1. March 2, 2009 at 3:03 pm

    (one of my CSO buddies sent me this comment -sh)
    If I were advising Security vendors, I would suggest they develop a sales paradigm along 3 lines of attack. In my past life we paid over 1.5mm for “D&O” (Directors and Officers) coverage without blinking an eye because it was “a cost of doing business”.
    The objective of a security vendor sales staff should be to choreograph a risk management scenario that leaves the COO with the conclusion that the security product suit is analogous to D&O coverage, “a cost of doing business”…
    The second ally is GAAP (Generally accepted accounting practices). GAAP is an ancillary objective which has security overtones and the CFO’s full support. There’s strength in numbers!
    Last is internal audit. How many vendors are smart enough to get the auditors in their camp? How many business managers want to see “severity 1” audit comments, the career threatening kind?
    When the head of internal audit, the COO, and the CFO are on the same page, the CSO
    gets the funding…..

  2. March 7, 2009 at 1:25 pm

    I like your points. Infact, I try to teach organic security departments to sell compliance to the senior company officers. Companies cannot afford to do business the old fashioned way by dumping money into overhead budgets as you said “for the sake of security”. Security managers should learn the language of business and risk management, then present solid recommendations.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: