Sales & CISOs - What to do...
Sales "Do's"
- Develop relationships. Play the long game - the average tenure of a CISO is 18-24 months. What does that mean? That means having a relationship with a CISO will only increase your opportunities as they naturally hop from post to post. Also, having a relationship with a CISO goes a long way when you yourself switch roles. If some of my key account executives and business development folks were to move to another vendor, I'm absolutely going to be interested to see their new product because I know I can trust the person.
- How do you develop relationships, you ask? Start small and "Like" posts that speak to you, posts you appreciate or that you want to support. Post comments answering the author's questions or ask questions about the topic. There are no stupid questions if they are coming from a place of genuine curiosity. As you interact with someone's posts, they are more likely to interact with your posts...
- Even though you represent an organization and are selling their product, don't feel like you need to "work" the conversation towards your product or company. Just contribute - you are not your company! You have views, opinions, questions and curiosities, and those are all valuable to the cybersecurity community as a whole.
- Do you have an interesting white paper that could be pertinent to a CISO's needs? Send it over to them with no expectation of outcome other than hoping they derive some value from it. Maybe there is a pertinent news story that they could benefit from or a meaningful statistic that is noteworthy to their industry...Give value where you can.
- Emailing personalized, targeted, intentional emails is quite alright, but I recommend you read on to see how you may be able to show value in your emails and contribute to the success of the CISO and their organization.
- Post content. I read somewhere that less than 1% of users of LinkedIn post content. This is a huge opportunity for you as a salesperson to post relevant, salient contributions to the cybersecurity industry. You don't need to reuse marketing posts or blog posts from your company's website...Sign up for ISACA's or SecurityWeek's daily newsletter that sends condensed articles of cyber-specific content. Post your thoughts on an article that stood out to you or pose a question to your LinkedIn audience. Also, stick with it! It can take months of consistent posting to start seeing some traction. Your personality will inevitably shine from your posts and comments on others' posts - this lets CISOs (and other executives) view you as more than "just a salesperson".
- Be transparent. Self-explanatory, but be honest about your intentions. I mentioned yesterday with the "Don't" list that saying you want me to check out your product to get my thoughts is 99.9% of the time not genuine - what you really want is for me to become a customer. That in itself is not a bad thing; it's just that you weren't up front about that.
- Be educated on your product/services. We don't expect you to be the technical subject matter expert, but you should be educated on how your solution/service fits into the security ecosystem. If you're selling firewalls, you should understand how a firewall works (at a high level) and how a firewall can protect against various attacks. If I tell you that my environment is almost all third-party SaaS applications, I'm not likely going to need a heavy-hitting firewall or an SD-WAN architecture. All of this information adds up to better targeting of your audience. Knowledge is power - don't rely 100% on your sales engineers because they may not be readily available when you get the chance to make your pitch.
- Sell what you're passionate about. I know this isn't always possible but seriously, passion is contagious. If you are selling something that you don't see the value of for your customers or the product doesn't excite you - that's going to translate to your sales. Selling something that you're passionate about is a game changer and makes it feel less like "work". Even this week, I was meeting with Manish Kapoor from TruKno (a tool I found out about from reading the CISO Evolution book) and his passion for the product drew me in instantly. Seriously, before he even spoke about pricing I knew I had to figure out a way to have this tool. Passion sells!
- Be educated on your prospects. LinkedIn has a substantial amount of information on various companies, what their services are, the industry they are in and you can usually deduce who their clients are, how their environment works (to some degree), who their competitors are, etc. Also, you can see how a CISO rose through the ranks or what industries they were previously in...All valuable nuggets of gold.
- For example, I work at an Accounting Firm - I'm likely not interested in targeted products that manufacturing companies use or that hospitals use.
- How can you deduce how their environment works? Let's look at a few examples...If your prospect is a CISO at a law firm, you can deduce they likely have a hybrid environment dealing with government entities (Department of Justice, Attorney General's offices, etc.). Why hybrid environments? Well, do lawyers need to be in an office to do their work? Probably not. Do they need to meet clients in their office? Probably. I'd be willing to bet most law firms are in a "hybrid" mode of office/home work. Because of the type of work lawyers do, you can understand that they likely use a document file repository to store client data, a case management software, secure file sharing is probably used each and every day, electronic signature platforms are likely used, a workflow management tool and since they are likely hybrid, they may have an SD-WAN network architecture with a VPN connection or they are using a virtual desktop infrastructure. Because the DoJ has a Civil Cyber-Fraud Unit, there could be situations where clients of the law firm are being charged for knowingly having deficient cybersecurity products/services. This might be something they aren't equipped to understand or support their clients in! Look at the amount of possible data points we built in a hypothetical situation...
- Another example would be a CISO at a retail organization. Given it is retail, they likely have a large focus on physical security controls (cameras, merchandise anti-theft tags, a loss prevention officer or team, etc.), most certainly need to adhere to PCI-DSS to collect/store/process customer payment card information and probably have a substantial reliance on the supply chain...
- For CISOs that are within 100 days of starting their role, they are likely going to be eager to see some technology/services to mitigate risk and close some gaps.
- Expand your LinkedIn Network. Who you know is critical! As you engage with CISOs and others on LinkedIn and post more on LinkedIn, it will naturally give you opportunities to connect with folks on LinkedIn. Also, if you attend or host a workshop/demonstration, add the attendees on LinkedIn. This is especially true if this is an event where your company is sending something to the attendees. For me, I'm a sucker for bourbon so if I am joining a whiskey tasting event thrown by a vendor, I will absolutely accept connection requests from those throwing the event.
- Intentionally Target. One tip that I recommend is to go through the published lists of "Top 100 Companies to Work For" because in general, companies that are highly favored to work at usually invest money into technology. Do this for every state or large city that you're near - there is tons of this kind of information available. I'd also look at Glassdoor for company reviews - the higher the ratings, the more likely they invest in technology. Additionally, you can find comments of folks complaining about not having XYZ capability - this is gold.
- A little not-so-secret tip is that we have a joke as CISOs to "never let a good incident go to waste". The idea here is, the cash floodgates are generally opened in the immediate aftermath of an incident - and rightly so! Companies don't want to experience what they just went through so what will it take to plug the holes in the boat? Is it new technology, people, service providers? Stay abreast of the news and if you hear about a breach, you may be in a better position to reach out to the CISO. Let me be clear that I'm not saying you should spam CISOs who are having a bad time - I'm saying, let them know you're there to support and assist if there's anything you can do.
- Another tip, when CISOs move jobs, a friendly, "Hey, congratulations on the new gig. Of course you're going to be inundated with getting up to speed in the new environment but if you find you need a partner for XYZ product/service, I'd love to help out!" message doesn't hurt.
- Customized videos work well! It shows that you put some effort into creating something specifically for me.
- Connect with individuals who manage a security operations center (SOC), analysts on a SOC, GRC professionals - anyone who reports to a CISO. Why? Because any CISO worth their salt values the opinions and recommendations from our team. I'm not saying spam your way to the CISO by "using" the individuals on their team. What I am saying is, invite those analysts and managers to webinars/events, offer to show them the cool new technology you just released to just get their input on it without any sales obligation. They'll give you gold on what they like, don't like, whether the product would be beneficial to their environment. At the least, you get your name/product into their line of sight. Many of these folks are the cyber execs of the future! I've spent hundreds of thousands of dollars on products that my team was interested in once they showed me the value proposition.
- Sponsor CISO Workshops/Peer Group Networks/Cyber Podcasts. CISO peer groups (such as CISO ExecNet, Evanta) are wonderful for us cyber execs to get together and share strategies, what we're seeing in the wild, what's working/not working with our boards, etc. Each of these peer groups invites sales teams to portions of the roundtables. Talk about primetime! You are actively engaging with decision makers who have buying power - it doesn't get any better than that in my mind. Many of us listen to podcasts such as CISO Series, The Cyber Ranch and others...
- Host Webinars/Events. Work in tandem with your Marketing teams to host events that feature speakers on relevant topics but make it fun! Do a tequila tasting, a taco making event, a golf outing or something that isn't a boring lunch-and-learn. These events work! I don't know statistics to support that but they've worked with me and certainly some of my peers...Why do they work? It's all about building relationships.
- Be patient. Keep in mind that MOST cyber executives cut their teeth on more technical tracks and are not familiar with the inner workings of sales. Most CISOs saw how their leaders or managers dealt with salespeople and likely picked up habits or methods of how to interact with you. It takes time to break bad habits or to build trust or even to get through the budget cycle. The larger the organization, the longer the process is going to take and the more complex deals get. Patience is key...
- Frequently engage with your existing client base! The salespeople who have sold me large deals that check in every quarter to see how things are going only increase their stock with me. They are investing in a relationship with me that will certainly pay off for them in many ways. Increased license spend, additional product SKUs, leads from my peers looking for XYZ service/product, to name a few. I've taken my money elsewhere before when I didn't feel valued or taken seriously as a client.
CISOs "Do's"
- Engage more! Operating in a silo with blinders on to the outside world only hurts you. I have some key vendors who are paramount to feeding my team quality information surrounding vulnerabilities or other concerning topics. In fact, we had some in-depth conversations with an MSSP in the early days of the Russia/Ukraine war that ended up helping us be more strategic in our preparedness and response. They equipped me to be able to brief the board with up-to-date information from the latest intelligence - I wouldn't have reaped these benefits if I declined that meeting. Also, there are some salespeople on LinkedIn who provide some seriously great content!
- Being friendly, considerate and transparent with salespeople will save you money at the negotiating table, give you improved service (everyone prefers to deal with kind people), and leverage when you need something in a pinch or have an unusual request. You'd be surprised at the amount of "No, we can't do that" that get softened to a, "We actually might be able to help - let me see what we can do" when you have rapport with salespeople.
- Accept LinkedIn connection requests from salespeople. If someone is pushy, doesn't respect your "No" or just annoys the hell out of you, you can remove the connection. Almost all salespeople respect if I say, "Hey, honestly I don't have a need at this time but if it arises in my next budget cycle, I'd be more than happy to let you know".
- Consider joining events/webinars/product demonstrations. You can be clear about your intentions, but there are a ton of great things happening in our industry that you can learn about with these types of events.
- Continuously learn. Salespeople see a lot of customers, industry verticals and have a close ear on what's happening "out there". There is value in this knowledge! Have you missed the boat on something? Is there a product you're using that many people are jumping ship from? What's the "new" product everyone is talking about? Some companies are out there solving tomorrow's problems or creatively mitigating risk in ways you are not privy to.
- Change is a good thing! I can't tell you the number of times I've said, "Oh, I didn't know you did that?" and learned of a new (even if it was new to me) offering from a vendor. I'm guilty of having pigeonholed vendors to what I originally purchased their product for and closed off any future opportunities. Just like your security program matures year over year, vendors and their offerings can improve year over year. There are 100 ways to skin a cat. Seeing how new products or technologies can solve problems that you think you've got a handle on today may provide some increased value!
- Involve your team. Send your team to conferences, events, webinars, anything that gets them involved with the cybersecurity community. This will give them great exposure, a massive opportunity to learn more and they'll naturally be able to see how others are solving problems you may be dealing with or they can find some new technology that they believe could mitigate risk. Include them in the sales process so that they can learn the ropes, understand what you look for, what it takes to get a deal done, introduce them to the VARs - give them a chance to build their own relationships. If you hit the lottery tomorrow and retire forever, would your team be ready to step in and fill your shoes? I firmly believe you should be building up the person(s) who will replace you and ingratiating them with quality vendors and salespeople will only help them in the future!
- Give salespeople a chance. It takes a lot to prepare collateral, make an introduction, pique your interest, schedule demonstrations, educate you on their product offerings, obtain pricing and to follow up with you. Most of us have crazy calendars and take for granted the sales process...An extra measure of grace, patience, and giving salespeople a chance could very well make their year and drive value for you. I remember last year when a younger business development representative was so overwhelmed and in disbelief that he was able to get me on a call that he spent many minutes talking about how blown away he was at my certifications and the size of my organization. It was awkward but I didn't let that awkwardness impact the overall call (I think of the funny saying, "it's only weird if you make it weird") and we ended up doing business together in the end. Sure enough, each time we met he was more collected and confident...
I hope this has been helpful! This is not meant to be a one-size-fits-all or applicable to everyone type post...Be kind to each other out there because we are truly better together!
On a mission to improve security — for customers and the entire community
1 year ago: Nick Ryan, I've been coming back to this list and really appreciate both the posts explaining what you've appreciated and disliked in your role as BISO. Both you and Brent Deterding are extremely clear on what you prefer, and then when sales teams take that into account, it must feel that much clearer as to who is paying attention and taking the time versus those who are dialing with their heads down. I'll be putting these in front of our SDR team management to demonstrate what security leaders are asking for. Thanks,
Marketing Agency | "We will be there when you Need us
2 years ago: I understand the C-suite must be frustrated with the regular knock of sales reps on their door, but I think reps don't have the right key to enter the door (company). If the C-suite doesn't like what's happening, then they should educate us on this, provide a guide or anything which can provide value to the market for the greater good, like Nick did. If not, the old technique of cold calling is what reps are going to bombard you with. Also, engaging with higher-level executives can help the sales team understand what they avoid when someone approaches them. Usually sales teams are taught how to do cold calling or emailing and it usually worked, but now the sales approach has upgraded to use the networking method to do sales. But I still think it is still lacking, which is an understanding of the C-suite's behavior, which can only be taught if you engage with them. So my addition to all this is to guide and teach what you don't like happening currently.
I help governments and private haulers drive efficiencies and digitize operations for heavy-duty fleets (solid waste, snow and sweeper). Smart Cities | Climate SaaS
2 years ago: This made me think, a lot. I appreciate you taking the time to consolidate your advice and post it for others to learn, Nick.
Stellar Relationship Builder | Helps Clients Build Better IT Networks
2 years ago: You make some really great points here, Nick Ryan - Thank you for creating this. Good relationships take work!
Splunk | Enterprise Observability, Unified Security
2 years ago: Thanks for taking the time to build and detail this list - genuinely great stuff in there. Really appreciated all of it.