Chapter 2: Sales Basics – Selling Information Security to the Board


The three basic sales concepts that any information security professional needs to understand are:

  1. Needs versus Wants
  2. Features versus Benefits
  3. AIDA.

Needs versus Wants

‘Want’ can be defined as ‘having a strong desire for something’, whereas ‘need’ is usually understood as being ‘a lack of something basic or fundamental that is necessary for continuation’. ‘Need’ is most commonly understood in the context of an individual’s shortage of food, accommodation or healthcare.

The salesperson needs to differentiate between these two human drivers. People often do things they need to do, even if there is something else they want to do instead: the organisation, for instance, may need to comply with a law that limits access to its financial information, even though it wants to tell some shareholders what it’s up to. At other times, the desire to tell selected shareholders about an upcoming acquisition might be so strong that the organisation (acting, of course, through its directors) ignores its need to comply with non-disclosure regulations.

An organisation that wants to supply online services to the UK’s Department of Health needs to comply with the requirements of ISO/IEC 27001; without such compliance, it will not be able to proceed. On the other hand, an organisation that perceives certification to ISO/IEC 27001 as conferring competitive benefit might proceed because it wants to do so; it certainly doesn’t need to.

The salesperson who can differentiate between ‘need’ and ‘want’ is able to craft a proposal that is appropriately balanced, in line with the needs and wants of the board of directors.

Features versus Benefits

A ‘feature’ is an attribute or characteristic of a product or service: something it has or does. One feature of some GRC software solutions is that they have an enterprise dashboard. A ‘benefit’ is a description of the value of a specific feature to its user. The GRC application dashboard enables the Board to see, at a glance, where there are significant control breakdowns and to take action before they turn into costly problems.

People buy benefits, not features. The words that link a feature to a benefit are: ‘which means that’. ‘This anti-malware solution has hourly updates (feature) which means that we are protected from zero-day attacks (benefit).’

Most technology proposals fail because they focus on features, not benefits. The suggestion that people ‘buy the sizzle, not the steak’ is one of the better metaphors for the idea of selling benefits, not features.


AIDA

AIDA is an acronym. It sets out the four most basic steps in any sale:

  A – Attention
  I – Interest
  D – Desire
  A – Action

You first have to capture an audience’s attention, then build interest, and once the audience is genuinely interested in the subject, you can begin to build desire for the solution that you are proposing. Once desire reaches a certain point, action is usually easy to get. You certainly can’t get action without having gone through the first three steps and, if you miss a step (e.g. ‘Desire’), you’ll not get a result.

For each issue on which you want board commitment, you should work out how to take them through these four steps.