Posted by: Bcournoyer
Network and application security, Tech Blogs
Regulatory compliance has driven a whole lot of business for security resellers in the past few years. But that doesn’t mean you can just walk into a customer site, say “compliance” and successfully sell whatever you want.
Security experts Anton Chuvakin and Rich Mogull both recently wrote about the “checklist mentality” most customers bring to regulatory compliance: the CSO has a list of what is required to be compliant, and if what you’re selling isn’t specifically on that list, they don’t want it.
DLP is newer than most regulations (PCI DSS, HIPAA, FISMA, etc.) and – what a shock! – the documentation for these mandates just doesn’t mention DLP (or CMF) by name. Sure, they talk about data protection (e.g. PCI DSS Requirements 3 and 4), but mostly in terms of encryption, access control, and logging (of course!).
Also, PCI DSS directly and explicitly says “get a firewall”, “deploy log management”, “get scanned”, “install and update AV” – but where is DLP? Ain’t there…
In his reply to Chuvakin, Mogull said you should only use the compliance pitch when what you’re selling is on the customer’s checklist. Otherwise:
Evaluate the tool or process in the context of compliance and show the business benefits. Does it reduce compliance costs? Does it reduce your risk of an exposure? For example, DLP content discovery, by identifying where credit card data is stored, can reduce both audit costs and the risk of non-compliance. Database Activity Monitoring can reduce SOX audit costs and the cost of maintaining appropriate logging on financial databases.
With so many vendors pitching “compliance” today, a product that goes beyond the checklist is an easy way to differentiate yourself from competitors. But the more you differentiate, the further away from the checklist you move, and the harder the compliance pitch becomes.
Is the checklist mentality common among your customers? What are your strategies for getting customers to look at regulatory compliance more holistically?