Sector playbooks
Three pages of sector-specific selling: the regulatory trigger, the objections you'll hear, and the close that works. Plus the sector-agnostic playbook for everything else.
- Healthcare. HIA deadlines: GP clinics 2027, specialists 2028.
- Charities. Governance pressure plus PSG grant subsidies.
- General SME. Tender requirements and owner-level risk.
Healthcare: GP clinics · specialists · allied health
The trigger
The Health Information Act (HIA) brings mandatory cyber and data security requirements for healthcare providers, with GP clinics in scope from 2027 and specialists from 2028. Clinics hold exactly the data the Act protects, and almost none have IT staff. The deadline does the selling; your job is making the path look achievable.
Credential worth using: StrongKeep's founder co-authored the HIA technical standards in his former role as a national cybersecurity regulator. When a clinic asks "how do we know this will actually satisfy the requirements," that is the answer.
Objections and counters
| You'll hear | Counter |
|---|---|
| "The deadline is years away" | Start on Protection at $39/month now for immediate risk reduction; upgrade to Compliance when the standards publication lands. Locking the phased path now beats a panic purchase in 2027. |
| "Compliance is too complex for us" | The platform surfaces only the clauses relevant to a clinic's scope and pre-fills evidence automatically. Show the guided assessment in the demo, and the Neumark Surgery case study as the clinic-sector proof point. |
| "Is it worth the cost?" | Frame against regulatory risk and patient trust, not IT budget. A data incident at a clinic is a clinical-reputation event, not an IT event. |
| "What about our USB devices / clinic equipment?" | Device policies are configurable per-clinic. Scripted answer on the FAQ. |
"Your HIA deadline is fixed. The only choice is whether you spread the work across two comfortable years at $39 a month, or compress it into a stressful quarter when enforcement starts. Your patients' data is protected either way; your evenings are not."
Charities & non-profits: IPCs · social service agencies · foundations
The trigger
Two forces: governance expectations on data security from the Commissioner of Charities and sector bodies, and boards that increasingly ask "what is our cyber posture?" after every publicised incident. The buyer is usually an ED or operations lead with no IT support and a board to answer to.
The money question
Charity budgets are tight, so lead with the subsidy and the phased path:
- PSG grant: eligible organisations can have up to 70% of the cost subsidised. Verify current terms at gobusiness.gov.sg before quoting figures.
- Phased entry: Protection at $39/month now; Compliance when grant approval or budget cycle allows.
Objections and counters
| You'll hear | Counter |
|---|---|
| "$159/month is heavy for us" | Start at $39/month Protection; move to Compliance with grant support. Never let the top-tier price end the conversation. |
| "The board needs to approve this" | Provide a formal written proposal with the PSG framing included (see collateral). Boards approve documents, not demos. Offer to present to the board directly. |
| "We need multiple quotes for governance" | Expected: charities typically need two or more vendor quotes. Provide yours promptly and completely; slow paperwork loses these deals more often than price does. |
| "Is it worth it for an organisation our size?" | Regulatory and donor-trust framing: a compliance failure costs more than $49/month, in money and in mission. |
"Your donors trust you with their data the same way they trust you with their money. With the PSG grant, protecting both costs less than your monthly printing bill."
General SME: sector-agnostic
The trigger
For SMEs outside healthcare and the charity sector, the two reliable triggers are tenders (government contracts increasingly require Cyber Essentials certification, and large corporates are pushing security requirements down their supply chains) and incidents (their own near-miss, or a peer's publicised breach). Cold interest without a trigger rarely closes; qualify for the trigger first.
The pitch skeleton
- Find the trigger. "Are you bidding for anything that asks about cybersecurity?" The qualification questions apply as written.
- Run the five-layer test. Whatever they have today, walk the battlecard comparison for their incumbent's class.
- Prove it's achievable. The AZAntz 8-day certification story is sector-agnostic by design: a non-technical team with no IT staff, certified in eight working days.
- Price the path. Protection at $39/month or Compliance at $159/month, with PSG grant support where eligible.
Sector-agnostic objections
| You'll hear | Counter |
|---|---|
| "We're too small to be a target" | SMEs are targeted precisely because they're unprotected, and attackers automate: nobody is choosing targets by hand. The DNS firewall report after two weeks of trial usually settles this with the customer's own data. |
| "We already have something" | The five-layer test. Open the battlecard for their incumbent's class. |
| "Will it slow our machines down?" | The Cortex agent is lightweight; offer the trial period to validate on their own hardware. Scripted answer on the FAQ. |
| "We'll deal with it next year" | Tenders don't wait for budget cycles. CE certification takes days with tooling, but the requirement usually arrives with a two-week tender deadline. |