Mike Kelley (00:03): To what we're all trying to do here depends on one thing, add value before you try to extract value from this relationship.
Intro (00:12): Welcome to Access Points, the podcast where we discuss the tools, habits, and ideas that can help you achieve and maintain the leadership mindset so you can reach peak performance. Are you ready for your all access pass? Do some of the top minds on the topic of leadership. Let's get started. Hey everybody, this is
Cody Strate (00:33): Cody Stratehere from access and part of the access points podcast. I am joined with a couple of my illustrious colleagues, Mr. Scott Fuller and Mr. Mike Kelly, Mike, my friend, my brother in sales. Let's transition this a little bit over towards security and the role that it plays in inside of sales and marketing. Now this is a bit of a, in some cases a discovery for you and me because you know when I've been doing sales, again guys in the healthcare arena where people are very security conscious and you and I have not traditionally layered on security as one of the prime features and functions of what it is that we're selling. But it really is becoming much more important to, to layer that into our story. Right. So give us your perspective as a salesperson, what is the role of discussing security and inserting security into a sales pitch, a sales process? How should people leverage it to their advantage as a sales professional? What's the importance of it? So give me if you would please and the audience your take on that. Sure.
Mike Kelley (01:52): I would tell you that at least in the history of healthcare sales for the last 20 plus years, I think it's there. There's certainly been very few studies done or certainly looking at what cybersecurity threats kind of look like. And that's not a big surprise to anybody. What's also not a surprise to anybody is that the approach and hospitals for long time was a very siloed approach. I had my silo of my registration department and then we worked and did our own thing and we didn't care about any other departments or other functions in the hospital. It was very siloed. And I would say that health care has come a long way in the, in the recent history to change that. Um,
Mike Kelley (02:34): but it's still not where you would expect it to be in terms of other verticals that are out there. What I mean by that is that healthcare still has a, is still a very fad driven business. You know, today we talk predominantly and if you were to just look up, you know, uh, uh, case studies online or articles, it would be interoperability and if you, you know, probably typed in 10 different interoperability articles, you would baby at best to find one that would talk about cybersecurity. And so what this really represents an opportunity or it represents the, the state of the business right now and that we still have a little bit of that siloed approach. We still have a massive need for someone to raise the red flag and say, listen, you guys need to be planning for the unexpected. Ransomware, as Scott mentioned before, is not going anywhere.
Mike Kelley (03:29): It's not going down. We're going to have that. That's going to be so much more mature in terms of the conversations. I mean, it's not, I think about this because I think with, especially when you speak to interoperability, it's not unheard of. It's not a crazy thought to think of, you know, these massive well-orchestrated take downs of internet enabled medical devices. I mean, it's not out of the question to sit there and say, you know what? Based upon covert alone, we're now vulnerable because we're pushing all these data capture devices out there. I'm not even speaking to the fact that we've got five G and all these other systems, so I've just exponentially increased the amount of areas where you can attack me. [inaudible] I'm not even having the conversation about how am I protecting those devices. So it's a roundabout and a terribly long winded way of saying it's incumbent upon us.
Mike Kelley (04:25): I don't consider us a software company. I don't consider us a ill e-signature or workflow. We're a partner company that's going to help you do healthcare better, do your business better. And if I don't have a cybersecurity discussion, we're missing an opportunity. I have to talk about it as as just another portion or another piece of an extremely important and extremely valuable portfolio that you're utilizing to serve your patients and your communities. Right. Okay. So Scott, just a moment ago you were talking about a couple of different certifications and whatnot that vendors such as ourselves could receive SOC two type two if I'm not mistaken, like give me a couple of those labels.
Scott Fuller (05:11): Well in healthcare there's really two types of certifications that, that that carry weight that organization can get. One is SOC two type two, uh, sometimes referred to as SOC three. And that is a, you know, a third party audit firm that is uh, certified to do those audits come in and they review, uh, your, your security policies, your procedures and the different controls that you have in. And they basically perform two audits and do a comparison between those audits during an audit period. It's, it's about a year long process. The other one that's fairly popular in healthcare is high trust. High trust has a security framework that is very similar to SOC. There. There's a lot of things that are very similar. High trust takes a few of those points a little bit further. There are definitely a lot heavier into the security policies and how policies are are enforced than SOC audit encompasses and different healthcare organizations tend to fall on either side of that fence.
Scott Fuller (06:26): There are some that feel everything should be about high trust and SOC doesn't really matter as much and then they have just the opposite. I do see a lot more organizations are heading more towards SOC audits and prefer them mainly because the high trust has gotten so expensive and after you complete an audit it takes up to six months for them to process all the paperwork because they're doing so many to actually get your certification and then it's almost time to start your audit cycle over again. So I see SOC audits as sort of becoming a little bit the new norm. It was kind of 50 50 there for a while. And certainly some organizations do both. I think, you know, anytime that you can apply a set of security standards to your organization, if you can meet two sets of security standards, certainly not going to hurt your organization, so it's going to make you stronger.
Cody Strate (07:19): So, so let's, let's look at this then. So w what you're talking about, you, you listed off a couple of things are specific to healthcare. Okay. SOC two, type two and high trust and out, regardless of the industry that you're playing in, what you're, what you're doing is you're subjecting yourself to a third party and at the end of that process you get a certification of some sorts, correct? Right. You get a seal or something that you get to be able to show to your, to the world and your prospects. Like, look, we've gone through all these, this exercise. It was a painful process. But as a result of it, like you can rest assured that we are appropriately certified according to these standards and you can feel good about that. That again, that's generally, that's how that works, correct?
Scott Fuller (08:04): That's correct. There's even something that frankly I consider even more important at the, at the end of that trail. And that is the final report. And that is the auditor's report on how well you met the standards. Um, not everything is just a check box. Um, so you know, there, there's some where you've met the standard, but perhaps you're a little weak and there'll be recommendations on what you need to do to get stronger. Those are actually very important. And the thing with security, you never cross that goal line. You never spiked the football because the minute you cross the goal line, you stand there for a few minutes and next thing you know, you're, you're back on the 10 yard line. You're wondering what happened. I already ran the whole field. How can there be more to go? But it is, it's never ending. And so audits are, it's, it's a continual process. But that final report you get along with the certification, the certification basically says you've met enough of the standards for them to basically endorse you as being secure. Right? But you, you have areas that you could work on. And I, I've never seen a security report that came back really from anybody ever. That's just been 100% on everything. Everybody's always got a few things that you work on because there's just so much to do,
Cody Strate (09:20): right? It's, it's like landing a 10 out of 10 in the Olympics. It's like, no, you didn't know. Okay. So, alright, so what I'm hearing you say is, and I would assume that this is regardless of the industry, so we're talking about sales and marketing concepts here, Mike, right? So your organization is subjecting themselves to the appropriate industry certification standards where you've gone through those gyrations at the end of it, you come out to be a certified Scott. You bring a very interesting point there that not all certifications are the same. You might have, so keeping with the Olympic mindset, maybe a bronze, silver, gold report, not only do we receive this certification, but we received the gold version of it, right? So Mike, what is the value of that? What is the value as you, as somebody that is selling technology solutions to business problems to be able to, given that your organization went through those gyrations and you came out with that industry appropriate certification, how do you use that in a sales process?
Mike Kelley (10:15): Well, I think to answer the question, what is the value? It's, it's tremendous. It's, it's hard to put a particular dollar amount on it and I don't even think that that's necessary, but I'm going to back it up and say, you know, for those that want to put a dollar amount value on cybersecurity, that means they're taking a very novel, siloed kind of approach to it. And my point in saying, and I think what we're all trying to really get at here and moving towards a security mindset or a security culture, is that unless you are aligned with your patients, you're maybe not delivering the best care unless you're aligned with your vendors. You're maybe not getting the most out of what you could be getting. We talk in these podcasts about principles around helping our hospitals achieve their success and we bring it up every time that we say if you were to do a project with us and you look back after 12 months of a relationship with us, what has to have happened for you guys to call that a success and so that the mindset that we bring to the table, there's, there's an extreme value to that.
Mike Kelley (11:23): There's an extreme value to the fact that we're going to bring our gold standard certification, our good housekeeping seal to this discussion because we don't necessarily think it's a novel approach and overwhelmingly our hospitals don't either. They think it's, it's, it's much bigger but it is a scary situation. Much like we've kind of demonstrated here today and they want to have the discussion, they want to be educated on a SOC two type two or a high trust and those types of things and that's where we can deliver that tremendous value to them. They can see a very simple message that is very invaluable to them that is aligned with everything that they're doing. And by all means is a top priority for them. So it's kind of that snap methodology and we stay very close to that. And I think if you do that and you deliver on that and you, you deliver value long before you ever deliver product or solution or a sale, then you've got a relationship that can really deliver some incredible results, outcomes, however you want to look at it for hospitals.
Cody Strate (12:29): Here's a couple of additional things to think about and to consider in this. And you know, Mike, I want to hear your feedback on this. And Scott, I'd love to hear your feedback as well. Put yourself in the role of an it professional and how would this go to you? Right. So say for example, a vendor such as ourselves, this is where a vendor and we provide technology solutions, but we provide solutions that really cover the enterprise. Now, whether you cover the enterprise or not, technology is technology and there's a security component to that. But I say that we're, you know, we're enterprise and it's important to say that because Mike, to your point, whenever you're talking to people and you're trying to provide them a solution to their business needs, you're going to talk to a variety of people, especially if you're dealing with enterprise technologies, uh, across a number of different departments, each of which have their own specific problems as they perceive them relative to the world that they occupy in their department.
Cody Strate (13:23): Okay. Now you have some departments like information technology that sort of span across the, you know, their, their concerns and their troubles span across all these different departments. It's not just the concerns of finance, it's not just the concerns of, uh, human resources. It's not just, it's the concerns of everybody because there's some global implications to what they do. Okay. So whenever you're presenting technology to these people, you're trying to sell them some solutions. What does it mean then if you're speaking to the audience and you're talking to the different department people relative to their troubles, but you say, look guys, also you have to pay attention to the fact that we are a technology company where we're providing you software solutions and we understand the importance of security and the role that that plays inside of your organization. And we understand all of the strategies that you have to deploy at your organization to ensure that you are as secure as possible.
Cody Strate (14:17): Rest assured, we get it, that we understand it and we factor it into the building of our technologies and processes. And as a result of that, because we put so much of a focus on it, we have these fill in the blank industry specific industry named certifications. So let me ask you first, Scott, if you're an audience and you're the it person in there, and you hear a vendor say that, and again, they're like, we get it, we understand it, we understand what you go through. And as a result of that, we put a lot of importance on it and we've got these certifications named specifically for the industry. How would you perceive that?
Scott Fuller (14:53): I would perceive it as they're a good partner. They understand what's important to me. And particularly in healthcare right now, it's hard not having that discussion about security when looking at new partners, new vendors, new solutions, that has to be part of the conversation. Right? And if a company is going to be proactive and bring that to the table, that tells me that they understand that. And you know, a big part of what security professionals, you know, when we're talking to one another, you know, we, we don't expect people to be walking around with just coming from a perfect organization. Every, every hospital has security challenges that they're working on. W what's appreciated is transparency and people that get it. And to me, if I have a vendor come in and, and explaining that, you know, they do take security seriously, that they've have audits and they have certifications.
Scott Fuller (15:51): It's telling me they get it and immediately kind of paints a picture for me of kind of where they're at. And then, you know, they're willing to disclose their final report to me. That just gives me all the insurances. Otherwise I really kind of have to assume the worst and they have to prove me differently. And cause that's, that's the other approach. If a vendor just really tries to gloss over the security components of things, well that makes me wonder, do they really get what the concerns are and if they don't feel like it's really affects them or it's not really their job because well, you know, we just provide this little piece of the puzzle to me, it shows me that they don't get it and they aren't really wanting to be part of what I'm referring to as a security culture.
Cody Strate (16:37): Right. Okay. So that's your perspective as an audience member, listening to a vendor make a pitch if they're talking about security. And they put out some of those industry specific certifications. Right, Mike, from a competition level, right? You and I deal with this all the time. We have, we have competitors out there. Anybody out there that's selling a product more than likely has some other vendor that's doing something either exactly like it or adjacent to it or whatever. So how is it that you would perceive using some of these specific security certifications and the ability to garner somebody's trust like that? How do you use that as a competitive advantage?
Mike Kelley (17:13): Yep. Simply put, if we're going to make a statement about a security certificate or the fact that we have it, you can easily follow up that conversation with this one simple statement and what this means to you. I mean, I can count it off on my hand because it's something I've used for years and years and years. What this means to you is such a powerful method to speak with that customer. The security folks at the hospital think that you know there, there's not much to this and they're going to gloss over it. You know what? Maybe they're not the perfect fit for us because our position, and I would say in almost virtually all of the opportunities that we're currently working on, security is a massive issue. It's, it's massive enough that I can get a security questionnaire from, from a hospital that is literally sometimes 40 pages long.
Mike Kelley (18:04): That's how important it is. Like we're not even going to continue down the pathway of working with you guys without having this security questionnaire filled. Oh, but by the way, you guys have your SOC two type two Oh, okay. Well then you eliminate the need for even having to fill the security questionnaire out. We know that you guys get it is essentially what they're telling us. And so for us to say, how would we use it, it's just that simple. Is it aligned with our customers a hundred percent aligned and is it invaluable? It could not be more valuable. I mean, because all of the risk and the mitigation of all of those risks is, is such a massive thing for our hospitals to deal with on a day to day basis. So we talk about it every day.
Cody Strate (18:45): All right, so here's my 2 cents on that and then I wanna start wrapping this up here and we'll summarize this guys. Okay. From a competition standpoint, as it pertains to sales here, it is not traditional for a, for a company, a technology company to make security one of their primary selling points. However, what I would suggest is that if you have a industry specific security certification, you've gone through all this trouble, you've gone through all this, you have the ability to incorporate that obviously into your sales pitch, into your conversations to make sure that you speak to the concerns of the it professionals, that what keeps them up at night, that you proactively bring that up and they feel like you get it. And as Scott, as you said, they're not just a vendor, they're a partner, okay? That's a tremendous way to do that.
Cody Strate (19:37): But furthermore, if you bring these types of certifications up, and if you do this and you do it appropriately, then you have the opportunity to render your competition obsolete no matter how good they are at solving the exact same business problems. If they are less expensive than you at solving those same business problems and they've been around long enough. If you're able to insert the security certification and you put it out there to the degree where you insert a little bit of fear, like are you able to go forward with a vendor that doesn't have this type of certification? Obviously security is an important part to your organization. So it is imperative that you go forward with a vendor that you know, the technologies will not just solve the problems, but that it will help keep you safe. It's not going to expose you to additional risk.
Cody Strate (20:27): So we get that, we understand that we have those certifications and if your competition doesn't have those certifications, then how can your customer go with that competition? So you're able to really change the playing field, change the landscape by virtue of saying, uh, by virtue of leveraging these security certifications and whatnot. So it actually, the security certification is an extraordinarily powerful sales tool that helps exclude any sort of competition. As long as you bring that up and you bring it up appropriately and you make it an issue. Okay. Now with all that being said, guys, let's, let's summarize this a little bit here. What we've covered so far is a high level look at the different types of cybersecurity attacks, right? We've talked about fishing, we've talked about malware, we've talked about you know, all the role that that plays underneath the umbrella of, of ransomware.
Cody Strate (21:11): We've talked about how business executives and owners can think about that and it's a largely associated with making sure that your team understands that they have some responsibility, they have obligation to be vigilant and to not let anybody inadvertently into their system to be able to wreak havoc and chaos from a vendor side. I really like what you said there, Scott, and that vendors, especially if you're selling technology solutions, it is incumbent upon you not just to solve their business problems. Does it come coming upon you to do that safely, right factor insecurity into the development of your product because you cannot expose these people to risk while trying to solve their problems. And certainly the last thing anybody wants is the bad press of we as an institution were hacked because of vendor X. Nobody wants that publicity and that certainly does not bode well for your reputation and that industry going forward as a company providing solutions to that industry.
Cody Strate (22:07): We talked a little about how you can apply security and the perspective of a sales and ensuring that you're able to create some competitive advantage and also build trust with your prospects and customers by speaking to their needs and factoring into the equation. So security while oftentimes thought about in a very mundane, necessary evil in many respects, it is in fact massively important to the overall strategy of your organization. But if you're a vendor out there selling technology solutions of some sorts, it is a critical component that you can incorporate into your sales story and into your marketing story to create advantages that you seen,
Cody Strate (22:44): never have you leveraged before. So recognize that and incorporate it. Mike and Scott, anything else, gentlemen that you want to add today's session? Otherwise, I think that we have covered a lot of ground that I want to thank the listeners for listening on this. Scott. Mike, anything else that you guys have? The last thing I'll say is the key to what we're all trying to do here depends on one thing, add value before you try to extract value from this relationship. I like that. All right. Scott, Mike, gentlemen, thank you for your time, for your insights. Listeners, thank you for your time as well. Feel free to give us a little bit of feedback on the comments as we would love to hear how we can make this podcast better and more effective and applicable to you and your everyday life. Everybody. Thank you very much. Take care and for our listeners, again, we're always looking for feedback on this podcast. Hit the subscribe button. Give us some critical feedback, how we can make this thing better. Go to our email@example.com. Check us out there. Find us on Twitter. Find us on Instagram, find us on Facebook. Give us a light. Give us a tweet, give us a thumbs up and appreciate you guys listening.
Due to a wide range of using data capture devices, the amount of areas exposed to attacks increased exponentially leaving you vulnerable to massive well-orchestrated takedowns of the internet.
It is incumbent for service providers not just to solve business problems but also to take into account security in developing their products and services.
Today’s episode of Access Points Podcast focuses on the role of cybersecurity in the sales and marketing process, how acquiring a security CERTIFICATION and FINAL REPORT from third-party audit firms acts as an extraordinarily powerful tool that excludes any sort of competition and helps in building trust to prospects.
Access Points Podcast talks about the principles around helping hospitals achieve success. They discuss the leadership mindset along with what has worked, what has not worked, and the lessons we’ve learned through the experience.
“To what we’re all trying to do here depends on one thing, add value before you try to extract value from this relationship.”
– Mike Kelley
In Today’s Episode:
1:32 – The role of cybersecurity to the sales process
4:55 – Types of certifications should a healthcare software vendor acquire
8:04 – The significance of the FINAL REPORT in parallel to earned CERTIFICATION
9:59 – What value can Certifications offer in the sales process
14:53 – How mutual recognition of the role of security inside the organization is perceived.
17:13 – Advantage of having a security Certificate in gaining the trust of prospects
How to get connected: