5 Ways Vendors Can Improve Their Pitches to CISOs


If you are a cybersecurity vendor, CISOs and other security leaders will be a large part of your customer base. Selling a product to these leaders can be a difficult task. You have to be determined and persistent to sell. You also need a strategy, and you need to know that some approaches make CISOs more likely to listen than others. Conversations CISOs have on LinkedIn, voices from vendors themselves, and podcasts such as the CISO Series Podcast provide valuable first-hand insight into what CISOs like and what they don’t. In this article, we look at these opinions held by CISOs and discuss 5 ways in which vendors can improve their sales pitches to better sell to these cybersecurity leaders.

#1 – Understand where vendors’ goals and CISOs’ goals overlap (and where they differ)

There will be pressures to push a product without taking the time to really communicate and foster a business relationship with a CISO. For a vendor that is offering cybersecurity services, this can put the salesman and the CISO at odds. Many CISOs voice opinions about the importance of forming a business relationship with a vendor before they make any purchases.

On this subject Yaron Levi, CISO at DOLBY, says, “Sales professionals are focused on hitting the numbers short term, and what they do is fairly transactional. But for the CISOs, to deal with what we are dealing with, you have to play the long game which is a completely different mindset. So, I think … what the market is telling the vendors is that, ‘We need you also to play the long game’ Which is based on building relationships and trust and not just closing a deal.”

Fostering a relationship pertains to service vendors more than software vendors. However, software vendors also face challenges of their own when it comes to trying to make high volumes of sales as quickly as possible. Oftentimes CISOs will not make a hasty decision to purchase new software.

It is common for vendors to make their pitches when a CISO is first hired. This can be a good opportunity to get your name out there while the CISO is looking to make changes to the existing security architecture in place at their company. It is important to keep in mind though that many CISOs don’t immediately have a set security strategy in place. It can take months for them to thoroughly plan out their strategy.

So while there is pressure to make quick sales, CISOs’ goals often do not align with this. It can be a good idea to keep an eye out for new CISOs and just give them a quick introduction to your product. If you’re a service vendor, this can be a time to start building your relationship with the CISO, and if you’re selling software, it can be a time to at least get the CISO thinking about your product. There can then be a follow-up later on while you focus on making a sale to those who may be actively looking for solutions.

#2 – A good business relationship is built on trust

One thing CISOs talk about is that they have more respect for vendors who are upfront and honest about their capabilities. This respect leads to long-term partnerships. No tool will ever be a perfect solution to every security problem that a CISO has. There will be strengths that the product brings to their security, and there will be areas that the CISO may wish were better.

Being honest about the product is a way to build trust, and a vendor who is not honest will inevitably run into problems down the road. The CISO will come back and ask why the solution is not working the way they were led to believe. They may not only drop the solution but also cause that vendor reputational damage. CISOs often communicate with each other and ask each other about vendors.

As a service vendor, another way to build trust is to take the time to really understand the CISO’s needs and the problems they are having, and to learn about their business.

William Klusovsky, Global Industry Cybersecurity Lead at Avanade, says about what a good CISO/vendor partnership looks like, “Partnership upfront, before the sale, not just about the sale…. helping understand your business and providing you thought leadership and guidance on all things security, not just what they sell. The ability to support your projects through the entire process from strategy, design, implementation, and management. I want to be the person the CISO picks up the phone and calls first when they have a question or want to bounce ideas off of. At least that’s what I strive to do with my partners (clients).”

Many CISOs echo this. Brian Markham, CISO at EAB, says, “The best vendors I work with are focused on helping me address problems or challenges. They’re confident in their product and their ability to provide value. They listen. They don’t try to upsell before the initial sale is made. They treat my team as an extension of me rather than second-class citizens. These things seem obvious but as I’m sure you know, it’s rare to work with vendors that do these things.”

#3 – Use accurate language CISOs will understand to describe your product

There are two elements to this tip. The first: don’t use buzzwords for the sake of using buzzwords. Many vendors nowadays attach common buzzwords to their tools even when the terms do not accurately fit. Two examples of this in recent years are “AI” and “Zero-trust”. CISOs know what these terms mean. This also means they know when these terms are being used in a way that makes it look like the vendor either does not understand the terms or is being disingenuous. Neither option makes the CISO trust the vendor.

Director of information security at OVO, Simon Goldsmith, says, “Key characteristics [of a good vendor] for me include… using common terms accurately (not their own invented terms or applying terms because they sounded good in the sales training).” This quotation touches on the fact that vendors should make sure if they are using a commonly used term, they are using it correctly. Does your tool really use AI, or does it just use machine learning? While zero-trust tools do exist, many CISOs feel that the word is overused to the point of becoming a buzzword. The quotation also brings us to the next tip, which is to use words that are commonly understood in the industry.

Not all CISOs keep up to date with the newest Gartner articles. These articles often coin new phrases and terms. These terms can add valuable frames of reference to discussions and add to the overall cybersecurity discourse. But when you are trying to make a sale you don’t want to have to stop halfway through and break down what the term you are using means if the CISO has not read about it. This slows down the pitch and is likely to irritate the potential client.

#4 – What to avoid when starting your pitch

Cold calls are a controversial topic among vendors and CISOs. Some vendors say they are a necessary part of the job. Others say that they are not beneficial. Some CISOs will listen to these calls and others will not. Sales reps face the challenge that, frankly, people do not always like being solicited. CISOs often don’t mind being introduced to your product, but they may not pay attention to an overly aggressive pitch off the bat.

Some CISOs feel that any cold calls are inappropriate. Darren Desmond, CISO at The AA, says “Right click and block most of the cold callers. It’s quite frustrating that the sales people think a CISO wouldn’t know their market sector, be capable of doing their own research or already have a trusted network on which to fall back on. There’s a lot of snake oil out there and the sales people seem to have little in the way of real world security experience. Or understanding the complexity of a transitional cloud / on prem business, which is where most of us sit.”

Dallas Haselhorst, founder of TreeTop Security, whom we recently interviewed, jokes, “So I shouldn’t call to let you know your car’s extended warranty is about to expire?” We followed up with Dallas to get more of his insights into the subject. As a successful vendor, he can shed light on what works and what doesn’t. “The point I was trying to make in my reply comment about the extended warranties is because everyone is familiar with them, but do you know anyone who has ever actually followed through with purchasing one? Most likely not.

“While you may think selling these would be a lesson in futility, it has obviously worked because otherwise they wouldn’t do it. Are there better ways to advertise your security wares if you are selling something “better” than a commodity extended warranty? Hell yes! To double down on that last statement and something that should give every sales manager some pause, I would argue there may be no better way to have your company ostracized than using uninformed, piss poor cold call sales tactics.”

Any sales representative who has made a cold call is likely aware of this opposition that exists. There are ways to reach out to cybersecurity leaders to get your name out there besides launching directly into a sales pitch. It is good to find an in that will be as pleasant for the CISO as possible. Sometimes this might also mean giving up cold calls and instead focusing on getting introductions with these leaders. 

Dallas went on to tell us, “For anyone who has studied marketing, they understand there are different types of marketing. Some marketing is meant as a reminder, some as an introduction, some as a call to action, some very direct, some indirect etc. Perhaps introducing your company at a conference 3 years ago helped jumpstart that conversation that is occurring today once the organization is *ready* for your solution? Maybe your lead engineer presented at a local security meetup that helped someone in the audience realize you have a fantastic team willing to raise the tide for everyone so they will give your solution an extra look?”

There are some other things you can avoid to make a better first impression. Geoff Belknap, CISO of LinkedIn, says “I watched a YouTube video about how to send a “gotcha” email to grab somebody and you get sort of like the subject line is, ‘You’re vulnerable right now.’ And if you’re tricking me into reading your email, we’re not going to have a great relationship.”

Vendors who jump right into telling a CISO they can solve their problems, without really taking the time to understand what those problems might be, can also make CISOs distrust their product. The takeaway is that you should not be trying to “trick” any CISO into getting your product. You should have confidence in your product and in many ways let that speak for itself.

#5 – Make use of online communities

Before the pandemic, many professionals – both CISOs and vendors – used physical meetups and conferences as a way to network and have conversations with vendors. These places also allowed for a more conversational discussion to take place without it feeling like just a sales pitch. 

Geoff Belknap says, “pre-pandemic, I’d tell you Black Hat and DEF CON are a fine place to put together some people, and especially in those situations you’re prime for that. If I’m going to a Black Hat or DEF CON, I know that I’m going to interact with vendors. And honestly, I’m looking to be like, ‘Great, I’m going to connect with some vendors and hear about them in a hopefully low-pressure scenario where I’m going to see a bunch.’ If there’s not that, and I understand Black Hat and DEF CON and RSA are not things that are easy to do right now because of the pandemic, I’m looking for opportunities like that.”

The pandemic created a need for online communities to grow so that these discussions could continue. Even as the world eases restrictions and conferences can resume, the world has shifted to a more digital landscape. There is no reason these discussions should be limited to meeting once or twice a year in person when a community can exist online.

At the moment, not many websites exist for this to happen. Regarding places to read reviews of vendors, David Spark, producer of the CISO Series Podcast, says, “There is not a good Yelp! equivalent for cybersecurity products… We don’t have something that good. And that’s, in fact, one of the major problems of our marketplace is there isn’t something to look at like that… And there are attempts, like G2 is a company that’s trying to do that but it’s not populated enough by any stretch.”

LinkedIn is a site many cybersecurity professionals use. You can use this as a place to connect and talk with CISOs. Even so, there are things to consider when using this site. Yaron Levi says, “My problem is not with people who want to connect, my problem is where people say they want to connect ‘Because we have many connections in common’ (for example) and then immediately follow with a sales pitch once I accept the connection.”

David Helkowski, CTO at Dry Ark, agrees, “I’ve also encountered those who launch into inappropriate sales speeches upon connecting. I dislike those and tend to react negatively to them.” So while LinkedIn is a good place to meet CISOs and other cybersecurity leaders, it should not be viewed as a place to jump into a sales pitch.

LinkedIn is good for forming connections, but it does not provide a single community solely dedicated to cybersecurity professionals. You still have to go through and make connections, only to then hope someone opens up a discussion. Here at PeerWise, we are building a community whose sole members are in the cybersecurity field. We bring together cybersecurity and IT leaders from all different organizational sizes. We also cater to vendors and are building a community where these different groups in the security field have open conversations with each other.

Dallas Haselhorst stresses the importance of community interaction in a world where cold calls are very unlikely to work. “If a cold call works, it’s either a) because that “leader” doesn’t understand their environment AND shouldn’t be in that role or b) they have already narrowed down their selection to a few vendors and said vendor unknowingly already made the cut. So the underlying question is how do you go about making the cut in the first place?

“Well, through product exposure, relationships, and building trust. These can happen via numerous avenues including some you already alluded to — attending conferences, attending CISO/security meetups, showing support for the infosec community, or even having their team members contribute knowledge to the community. That is how you make a connection with an infosec leader who is known for building well-respected security teams and programs.”

Join the community

Cybersecurity leaders often share similar opinions on how they like vendors to communicate with them. They want to find trustworthy vendors open to conversations. For vendors selling services, they want to build partnerships with them beyond just a buyer-seller relationship. By signing up for PeerWise you gain access to the community we are building. This will allow vendors to engage in conversations with these leaders about vendor solutions that are available, and also about cybersecurity in general.
