When Selling Compliance Implies Too Much
Marketing collateral can leverage a trend in the wrong way. When this happens, buyers often tune out and go somewhere else. These people are subject experts, so their response makes it more important than ever for collateral to responsibly associate your product or service with words of a trend.
A word keeping many hi-tech vendors alive of late is compliance. It denotes the requirement to obey laws and regulations, and it is a force selling lots of IT hardware, software and services. As one vice president of marketing told me last week, “We’d be dead without it.”
Another in-word is policy. This C-level word appears in compliance collateral because it is superior to everything and sets the rules of compliance. Policy is a power word that spawns images of mahogany desks, skyscrapers, tanks and Air Force One. There actually are people in marketing departments who hope that using the word will make executives want to read their data sheets and sign up for a free webinar.
Collateral can proudly wear these monikers if the products and services tackle compliance in a big way. Question is, how big does that way have to be to join the winner’s circle?
As a marketing person ponders a blank computer screen awaiting ideas for new collateral, it is important to resist temptation and not succumb to the credo of an impure journalist, “Don’t let the facts get in the way of a good story.” Unfortunately, some fall, and even the biggest companies commit this sin – sometimes to the point of provoking buyer cynicism.
For example, Google just paid $625 million for Postini, a “communications security and compliance” company. The purchase underscores Google’s plan to expand beyond consumer products into on-demand enterprise business applications. With bravado, Google said the Postini purchase will resolve enterprise “issues with security and corporate compliance.” The press release oozed compliance. Quotes by Google executives said that with the acquisition of Postini, users can “streamline the complex information security mandates within these organizations.” And: “By adding Postini products to Google’s technology … the [large user] company achieves the security and assurance it needs.” Just like that.
Compliance with laws and regulations is more complicated than these assertions imply. For example, consider compliance by the U.S. federal government, which is required to obey many laws and regulations. Keeping this simple, we will restrict the illustration to information security compliance. “Policy” starts with the Federal Information Security Management Act (FISMA), which is Title III of the E-Government Act of 2002 (P.L. 107-337). FISMA delegates technology directives for compliance to the National Institute of Standards and Technology (NIST). Its Computer Security Division issues detailed directives for FISMA compliance, a key one being Special Publication 800-53. This document specifies security controls in three classes: management, operational and technical, which correspond to major sections of a comprehensive security plan. SP 800-53 assigns 17 families of controls to these classes. It contains a lot of detail and references many kinds of security products.
In a way, every security product fits somewhere into compliance frameworks like FISMA, CobiT and others because, by definition, frameworks attempt to cover every area of security. There are certainly hundreds if not thousands of products that can be used for compliance. Given that Postini addresses just a few aspects of compliance (message encryption and archiving electronic communications), a cynic could say the press release is more fodder for the marketing stereotype of exaggerating facts to sell stuff.
For now, the software industry will discount these marketing assertions as “irrational exGooberance,” but given the business position and vast resources of GOOG, and its obvious requirement for acquiring many more companies to fill in an enterprise-class portfolio of compliance capabilities, what the marketing people say today may happen in years to come. Could it be that we’ll all eventually work for Google?
Meanwhile, consider what compliance is really all about. Vendors often think of compliance in terms of features delivered by their products. Business executives think of compliance in terms of avoiding prison. To this point, laws and regulations rarely mention detailed requirements for using particular information technology. But you may be sure that if some non-compliance is egregious, lawyers and judges will definitely consult specifications in Chapter 8 of the United States Sentencing Commission’s Federal Sentencing Guidelines.
People who were rock stars of business were or are in prison for non-compliance with laws like the 75-word Section 404 of Sarbanes-Oxley. On the other hand, have you ever heard of a conviction for non-compliance with FISMA? That one has no teeth, which may be a clue why 21 of 24 federal agencies have “significant weaknesses in information security controls,” according to the U.S. Government Accountability Office, which is the FISMA auditor.
The risk of prison apparently motivates executives more than the Ten Commandments so the ideal marketing campaign will focus on laws and regulations that have the most severe penalties. People at risk of prison for non-compliance will be more motivated to sign the P.O.
Whatever type of compliance is in your campaign, be sure to aim collateral at the right readers. Technology gurus are not into compliance the way that a CEO or Chief Compliance Officer might be. This behavior may relate to the low risk of techies going to prison compared to the kill rate of guilty executives. Yet it’s amazing how compliance pitches quickly devolve into tech talk.
The issue of properly targeting compliance collateral is not clear cut – even to end user organizations. The org chart for compliance is still a matter of dispute because theories differ as to who should own responsibility. Again, risk of prison is the culprit behind this hot potato, so consider who among your primary prospects are most likely to welcome a message of fear. Heavily regulated companies such as healthcare and financial services usually have a Chief Compliance Officer (CCO) who reports to the Chief Executive Officer (CEO). Some organizations have a Chief Security Officer (CSO), often reporting to the Chief Information Officer (CIO). The latter situation can be dicey from a risk standpoint if the CIO wants to push the envelope with innovation while her CSO employee wants to lick the envelope to limit risk. For this reason, some organizations give the CCO/CSO audit power and perhaps make him or her an officer of the company – maybe reporting to the Board of Directors. Politically, this stirs a perception that the CCO/CSO is higher than a CIO, and equal to or even higher than the CEO. And that’s a no no.
Some organizations have the CCO report to the Chief Counsel. This makes sense because laws and regulations are written by lawyers, which ostensibly gives them a leg up on knowing how to keep clients out of prison. The involvement of lawyers on anything related to compliance also means that compliance collateral should relate products more explicitly to respective laws and regulations.
So how much should your collateral push a compliance story? The answer is simple. Push it as much as you validly can, but no more. If your product or services cover many compliance requirements, your story will impress lawyers and IT people alike because the scope of assurance is real. If your reach covers just one or two requirements, make the most of it but don’t pretend to do more. For most vendors, it’s likely that their solution will solve just a small piece of the compliance pie.
Compliance is a huge, important trend in marketing that requires responsible association of your product with the respective laws and regulations. Every vendor wants strong collateral that persuades readers of comprehensive capability for compliance. But skeptical CCOs and lawyers will buy your compliance pitch only if data backs the claim. Here are some guidelines for creating compliance collateral:
Clarify who you are talking to and use language appropriate for their world view. Reserve tech talk for techies and keep it to a minimum in collateral aimed at compliance officers, lawyers and business executives.
Be realistic with your compliance story. If your offering helps comply with many aspects of a law or regulation, play up the comprehensive angle. If you address just one or two aspects, describe those well without pretending to be a total compliance solution. People who know what the laws require will see through attempts to be more than you are.
Be brief; don’t drag it out. Complex convincing may need a white paper but due to short attention spans, try to make your compliance story as simple as possible. Often you can get the point across on two to four pages. State the legal or regulatory situation, position your solution in terms of compliance requirements, then describe how your offering satisfies compliance. Illustrate your story with a concise matrix. Put requirements of the law or regulation on one side of the matrix and how your product provides compliance on the other – point by point. If you don’t connect the dots for the CCO and lawyers, you won’t get the P.O.
Segregate your story by treating each law or regulation on its own. Make a series of collateral pieces to show how you address each compliance situation. Technology used for compliance may be applied in different ways according to unique requirements of each rule. Your collateral can also serve prospects by helping them evaluate technology providers with a clear picture of what they need to buy to address overall compliance. They’ll appreciate that and be more likely to buy your solution.
Want to tune up your compliance collateral? Call me and let's discuss how to make your collateral turn compliance into sales.
Contact: ghostwriter@pacific.net
Website: www.davebuerger.com