The issue of security has risen to the executive level throughout business, government and industry. The rise has energized sales people for two primary reasons. First is the opportunity – security spending is forecasted to increase through 2014. That is good news for technology and services sales people. The second is the criticality of security and the risks to organizations has made it an issue for the top executives and the sales people love to call at the executive level or as they say the “C” level; “C” being CEO, CFO, COO and so on. However, in many cases this creates a huge issue and risk for all parties involved.

Recently, I participated in a conference call about security with a major organization. The sales people that had to be a part of the call outnumbered the customer attendees by nearly 3 to one. But wait it gets worse. The number of sales people outnumbered the technical specialists on the call be 4 to 1! They tried to demonstrate that they were in charge and tried to restate what the technical folks had discussed. The problem was because they were not knowledgeable about security, they failed to pick up on the nuances and subtleties. This was what prompted me to think about some of the recent issue that came up due to the absence of security knowledge and experience of some of the sales people. Here are the top three that stuck in my mind:

--A sales person told on organization if you’re PCI (News - Alert) compliant you don’t have to be concerned about regulations
--One sales person downplayed the importance of understand the organization’s security risk profile prior to defining the solution
--A sales team took the statement of work created by the security consulting, modified it and submitted the modified document to the customer without the review of the technical staff

Another management consultant was in the car while I was on one such conference call where similar issues were evident. He looked at me after the call and said, “There are those that know – who really know, those that don’t know and know they don’t know, and those that THINK they know that you will never convince otherwise. Unfortunately those who think they know far outnumber the sum of the other two groups.”

Philosophy drives attitude. Attitude drives actions. Actions drive results. This is what I was taught and I believe it has not changed. My philosophy is that the dynamics of security are such that there are no experts. We are all still learning. Every single day I wake up and wonder:

--What new attack techniques will be used today?
--What has changed in the security threat environment?
--What do I need to know that I don’t know?
--What do I need to do or need to know to keep up with the changes?

With the critical role security plays in our organizations and our everyday lives we have to have informed sales people who can accurately articulate the offerings and know when not to answer and let the technical team take the lead on the answer. Given the poor “I Know” attitudes seem to be dominant, maybe it is time security sales people have to be educated and certified before the insert more risk into an already risk heavy equation. Learning is a life-long process. The sales people need to accept that!