A CISO's Advice on Selling to CISOs
Kevin Morrison, MBA
VP, Deputy Chief Information Security Officer | Boardroom Qualified Technology Expert (DDN), Keynote Speaker
Kevin Morrison, MBA, CISM, CISSP, CISA
It's one of those “Hotlanta” thunderstorm kind of weekend days, so since I can't play golf, I thought I would take the time to draft a more in-depth article addressing the completely unexpected volume of reaction to the post I recently made after returning from a short vacation to a high volume of sales pitch voicemails.
While not intended to be an exhaustive list of DOs and DON'Ts, or of approaches that can, should, or should not be taken, hopefully you will find this beneficial if you're selling solutions and/or services to CISOs.
Comments left to date on my original post (which admittedly was written out of frustration, with little guidance, in crying “Uncle”!) have been an interesting mix of reactions. While most have been positive and offered genuine insight and/or a different perspective, it has also generated a handful of responses with surprising personal insults and snide remarks. If that's you and you're in sales, good luck with that approach.
That said, many have asked the same question, whether publicly or by taking the time to reach out privately: “So what do you recommend for how we can or should engage you if not through cold calls or email?” That's a very valid question and I'm glad it was asked. To set the record straight, I and others in my role obviously recognize the importance of sales in any organization, as well as the value that a trusted vendor/partnership can provide. Without such, an organization simply can't succeed. A good salesperson can even make our jobs easier (and even fun, sometimes), for which we're always grateful.
While many of us in my role may have never held a role with “sales” in the title, we “sell” your solutions to our bosses through the business cases we develop to justify the spend that typically stem from the roadmap we created (which we also had to sell our organizations on), so I would venture to say that we have a healthy appreciation for challenges related to sales.
Alrighty then, here's my humble advice...
DO:
- Be genuine.
- Research your potential customers and understand if they would likely be bleeding edge, industry followers, or laggards in the technology that you're selling.
- Understand that we honestly want to have a trusted relationship, which – in my experience – doesn't occur through cold calls or email. When such relationships are developed, they will follow you through many future employers. I personally enjoy the company of a few friends in the sales profession that started professionally and now extend outside of the work environment.
- Understand that you, as someone we've never met and have no trust established with, are trying to get us to open an attachment, click a link in an email that you want us to visit, or take other actions that we coach those in our organizations on a daily basis NOT to do. Probably not going to provide the success you're looking for.
- Participate in local security chapter meetings and events (ISSA, ISACA, InfraGard, CISO Executive Network, Technology Executive Network [T.E.N.], etc.).
- Get introduced to us by an existing customer. No greater way to build a solid relationship than through one of our trusted peers who you've been working with. I've personally reached out to a number of sales people over the past few years who were recommended from discussions with my peers about solutions that I was considering.
- Introduce yourself to us in person, even if only in a quick passing moment, to say hi and give your 30-second elevator pitch. That will give us an opportunity to quickly determine if what you're selling may be something that fits in our roadmap, as well as allow you to provide your business card and allow us to then research the solution or service later, if desired.
- Send us some physical materials (yes, it's more expensive, but if you've done your homework and/or feel your product or service really stands out, then you should feel confident about the potential return on that investment). Doing so keeps the materials on our desk front and center and provides us the opportunity to research it further when we have the time.
- Participate on a conference panel, as a sales person just did with me and another person recently. Great visibility and opportunities there, if received well.
- Present at known events (e.g., the “Innovation Sandbox” is something that many of my peers and I look forward to when we attend RSA).
- Get your solution published in SC Magazine, reviewed and commented on by Gartner or the like, or on any number of respected security-focused websites or blogs (not your own).
- Understand that most of us in my role have honestly stopped answering calls coming from an outside number (and some of us have even told our administrative assistants to do the same, since they were constantly bombarded with those sales calls).
- Understand that if the solution or service is the right fit, we'll fight for it in our organizations.
- Seek to learn our budget planning cycle, so that you can level set expectations within your sales environment for if and when the sale may materialize.
- Understand that if by rare chance you reach us by phone, you've probably caught us between meetings, conference calls, in-person discussions in our office, or other important deadline-driven or backlogged work we're focusing on. Your call won't receive our attention, and will likely be seen as a distraction from where our attention needs to be.
- As I noted in a response in the original post, recognize that 10 minutes multiplied by the number of salespeople requesting that time can easily add up to hours each week with the volume of calls we receive. And when you leave your voicemail, you have no idea how far back you are in that request queue with others having left a similar message. This is why already having established an in-person relationship is the most effective way to get a return call.
- Recognize that we don't rely on sales people to get us up to speed on what solutions are available in the industry. There are numerous avenues available that keep us current. See #2 above in the event that you do introduce us to a technology that's hot off the press that we've not heard about.
- Distinguish yourselves from your competitors, both by quality of the sales person, and the product or service itself.
- Have pre-established business case documentation that you can provide us, so that in the event we move forward with your service or solution, it will be that much easier.
- Recognize that if you or your organization choose to continue with the belief that cold calls to CISOs (or other leadership) are the most appropriate avenue to generate sales, your numbers and lack of relationships will reflect that poor decision.
- Invite us for a quick coffee or lunch (even if we pay for our own, we still have to eat). Evening drinks are always harder, as many of us have families and other responsibilities awaiting us back home after work.
DON'T:
- Use a script in your calls. You're not a robot, and if you think we can't tell when you're using a script, you're fooling yourself.
- Call every couple days after the relationship is developed to ask for a status on a proposal. We understand the quarterly deadline you're under, but our procurement process doesn't usually care about those deadlines unless there's a significant financial benefit or risk gap to address to move us faster (and even then, it's not always enough).
- Do the opposite of #2 above and drop off the face of the earth until the next time you have something to sell (or during renewal periods). Find an appropriate balance.
- Move to a competitor after selling us a solution, and then talk about why the solution you're now selling is so much better (yes, that has happened).
As numerous folks in the original post pointed out, the industry continues to grow rapidly. We need each other, and while I'm sure there is a plethora of other things that can make vendors stand out and become true partners, I believe that sales professionals will have better success with selling to CISOs by following these recommendations.
Finally, as an example, which of the following options do you think would be more effective?
- Leave a cold call having never met us in person, or;
- Follow up with a brief call saying “It was great to meet with you at the [name of the security chapter/other event] and briefly talk about our [name of product/service] and how we can partner with you to show real value in this area. I look forward to speaking with you at your earliest opportunity.”
Hopefully this article will be received with the intent desired, which is to make all of our jobs easier and reduce the friction that clearly exists.
B2B SaaS Field Marketing, Growth & Demand Gen | Integrated Marketing, Regional Marketing & GTM | Fractional Marketing, Consultant & Speaker
7 months ago: This is GOLD!
CEO and Co-Founder @ Yebo AI | Co-Founder Canyas AI | Serial Entrepreneur
1 year ago: Hi Kevin Morrison, MBA saw your reference to the article in CISO Compass. Thanks for sharing your tips! Curious to get your take on the AI/GenAI buzz and advice to startups selling to CISOs in the world of "ChatGPT". Thanks
Curious about systems' interconnectedness, emergence, and impact
2 years ago: Thanks Kevin Morrison, MBA for the candid inputs on how well the product folks and CISOs can work together. #cisolife #securitystrategy
Mission: Engage people where THEY are. Sr. Director, Growth, Ivanti (Find. Heal. Protect. Any Device. Automatically)
2 years ago: Kevin, Thank you for sharing these insights. Very helpful. We are thinking through this right now at Ivanti. Thanos Caras thanks for getting us across these insights today. Brad Fleeman Mark Ferguson Corinna Fulton Rob Lesieur Robert Waters, Josh Timon Chris Goettl Melissa Schaaf, Thanos Caras Lev Tabenkin LeMonte Gregory Sean Barrett Brett Sharp Matthew Gordon Patrick Brown Jonathan Isernia
Chief Architect at Red Hat
3 years ago: Hi Kevin, very helpful article. I know this article was published quite some time ago, I'd be curious as to how it's evolved in light of COVID. While quick in-person pop-ins and coffee are preferable, they may not be available for the foreseeable future. Any advice on how leaders like to be engaged in the more remote world?