Guest Column | May 27, 2015

The Top Objections To Cloud Security — And How To Overcome Them

By Chris Johnson, Chair of the CompTIA IT Security Community and CEO of Untangled Solutions

Objections To Cloud Security

Using the cloud for business is still an unknown frontier for many businesses. Regardless of their size or the markets they operate in, very few organizations understand the cloud well enough to leverage it to their advantage. That may also explain why IT providers run into so many objections relating to its security. People don’t trust what they can’t see, especially with data breaches jumping onto the priority list of most managers and owners.

Successfully selling cloud services starts with understanding your clients’ needs as well as addressing their concerns. Until they turn to you and ask for advice on whether cloud is an option for them, you’ll be playing catchup in the “trusted advisor” game. Cloud is a very hard concept for lay people. Sadly, the term is used so generically that it becomes part of the objection.

The Issues Of Information Assurance And Compliance

Compliance issues and concerns such as not knowing where a company’s data actually resides often adds days if not weeks to the sales cycle. Suddenly you’re addressing concerns that were seldom (perhaps never) raised about their current information threats and vulnerabilities. Once the word “cloud” enters the discussion, concern for information protection becomes a big deal.  Go figure.

In the cloud, client information can be spread across dozens of servers around the globe. Even in a “private cloud,” where the data is easier to keep track of, solution providers have to have clear and concise explanations ready before they can count on consistent deal flow. Often what seems like an objection is lack of information, and we all know that a confused mind makes no decisions. Customers are scared of the unknown. When you consider the complexity, such as public versus private cloud or is the equipment in a colocation site or in someone else’s data center (or their basement), it’s no wonder business owners need to understand what they are buying.

There are three things to do: 

  1. First, Become An Authority. This increases your credibility. Publish an article, a use case, a success journal, and get certified and show the badge. 
  2. Second, Build A Customer Personal Learning Plan. You know what they need to know. Their objections tell you so. Assemble an education packet from your vendors, the Internet, or from any other sources you can think of.  It’s a digest of why, what, how that’s tailored to what they need to know and nothing else. I’m talking about three articles, not an encyclopedia. Why cloud for you? What will it be? How will it work?
  3. Third, Tell Their Cloud Story. Build a “future space” scenario using their people, processes and problems. Simple story frameworks are best. To introduce their current problem think of it like a children’s story: “Once upon a time, there was a baker named Dave who made the best biscuits in Baltimore. One day he noticed that the number of orders he took were doubling every three months. This made his nightly backup times grow. His information was growing so fast his storage and data protection process needed help…”

The Issues Of Availability, Recoverability And Redundancy

While ambiguity about the meaning of “cloud” is a hang up for many businesses, security and redundancy remain the top two objections solution providers have to overcome when selling virtual services. I’m going to pause here and geek out a bit.

Data Security is a very specific term that addresses three things: confidentiality, integrity, and availability. Providing security means you provide all three of these simultaneously. There is no “security fix.” There are only these three outcomes from a well-designed and executed security program and you must have all of them or you have secured nothing.

Regardless of the vertical markets an organization serves or the number of people they employ, your clients need to know where their data is and what measures are in place to secure it.     

There are five things to do:

  1. Deconstruct your cloud offers into focus areas that you can explain and use to dominate your competitive landscape. IT professionals who can accurate convey location details and protection measures (the things your prospects and clients truly need to know to feel comfortable) will be more likely to succeed.
  2. Explain features and benefits differently. Go the extra step and stop giving them a checklist that explains features across a pricing matrix. Explain why that feature matters.  Explain how not getting it puts them at risk. Give them reasons to adopt it by showing them the implications of a decision to stay with the status quo. Explain their “new normal” using processes that they depend on that are better protected, expanded and expedited by the cloud. For example, do you tell clients, “your data can be found in the following data center and it’s redundantly stored in this one over here because it needs to be 100 miles or more from the primary site so that natural or man-made disasters won’t take out both of your recovery sites?”
  3. Make your vendors do the heavy, customer-pre-sales-education lifting; that’s why they have marketing departments and product managers. Every bit of content that they produce about how, why, what, who, when, or where their cloud offer is “The Solution” needs to be given to you and your sales team. You can re-assemble the info into info packages as you wish but you should never have to pay anyone to write an educational piece, a whitepaper, a training course, a technical manual or a guidebook for you.
  4. Differentiate early and often. Use details to help them draw a distinction between you and your competition. Start providing cloud prospects with deeper details up front, such as: 
  • Your business information is in the following data center…
  • We picked it because your needs clearly required these things…
  • Our company and vendors use the following security measures to protect your information…
  • Here are the tools we provide to help your employees access the appropriate data…
  • This is the process for migrating your company’s information in the event we are no longer your solution provider…

This straightforward approach may not solve every concern, but it will go a long way towards earning the trust of new and keeping the trust of existing clients. Along with respected industry business credentials and clear lines of communication, the list of objections should diminish considerably. 

  1. Make best practices your mantra. If we aren’t asking the tough questions of our vendors in the cloud space, our business, as well as our customers businesses, are at risk. Trust often centers on how their security stack performs. If a vendor isn’t weaving information protection best practices into their platforms and solution sets, are you truly sure they can be entrusted to protect your customers’ data?  

Suppliers with a CompTIA Cloud Trustmark+ have made a commitment to those standards, ensuring that security protections, redundancy, disaster recovery, and a host of other measures are firmly in place. That’s as close of a guarantee as solution providers can get from their vendors, a business practice credential backed by the IT industry association, vetted by an experienced third-party professional.  With many business clients and solution wanting to know how their vendors’ cloud solutions are secured, the Trustmark makes perfect sense. It reduces the fear and mystery of what happens behind the scenes, and offers a level of comfort to all involved.  

In addition to encouraging your vendor partners to seek Cloud Trustmark+ and seeking a Security Trustmark+ credential for your own business, what else can you do to overcome cloud objections with your clients?