I gave a talk last week at a large security conference and at the last minute, was asked to join an international panel of Chief Information Officers (CIOs). Being the only former Chief Information Security Officer (CISO) on the panel but now a security vendor, I was asked what it was like to work in such vastly contrasting roles. My response was that, in both roles, I truly felt like I was saving the world every single day. Which means of course that as a vendor, while I have to believe our technology is awesome, even more importantly, I have to believe in my heart that our customers are more secure because they work with my company. In addition, being on the vendor side of the table now, I know what customers want to hear, and what they don’t want to hear, because I’ve heard hundreds and hundreds of vendor pitches over the years. I often share this with our own sales team as well as sales teams in other companies I work with because it's inside the firewall insight that most salespeople never hear.
I was also asked about, as a CISO, how I dealt with the constant stream of security vendors who wanted time on my calendar and how I was able to weed out the good from the bad. One thing salespeople probably don’t realize is that a CIO or CISO typically agrees to a meeting for one of three reasons: 1) as a favor to a friend, the CEO, or a Board member; 2) a persistent – but not annoying – salesperson; and 3) because I read about, or saw your product, and really want to know more about it (this is obviously your best opportunity). A number of years ago I developed what I call my 10 Rules for Cybersecurity Salespeople and this was the perfect opportunity to share it with an audience. Here they are:
1. The customer’s time is valuable, treat it like the valuable thing it is. Remember that if a CIO or CISO works 60 hours a week, giving you 1/60 of that week is a considerable sacrifice. Don’t squander the opportunity.
2. Do your homework. Then do some more. Know the customer, professionally and personally (the Internet and LinkedIn are your friend) and know the customer's challenges (any recent media activity for the company?).
3. Tailor your presentation. The CIO is different from the CISO is different from the cloud architect is different from a security engineer.
4. Never talk down to the customer. Don't assume you are smarter than them, because you probably aren’t.
5. Don’t waste even one slide of your vendor pitch telling me how bad the cyber threat is and who the bad guys are. I’m a security professional in the technology business – I already know this. It insults my intelligence and makes me question yours.
6. NEVER, NEVER, NEVER, say, “My company would have "prevented Mirai, or WannaCry, or Meltdown/Spectre.” It may be true (doubtful) but you’ll only appear arrogant, which is never endearing to a customer.
7. Don’t talk about how bad or incompetent security staffs are these days. That’s my tribe you’re talking about. I’ve put my life-blood into building my team and many of these people are my personal friends who are way smarter than me.
8. Make a sale opportunity so compelling that the customer can't lose. Be creative with timing, pricing, and services, and be prepared to close today. Make it easy on the customer.
9. LISTEN! LISTEN! LISTEN! Don’t be so focused on your sales script that you miss what really matters to the customer because you are talking too much and listening too little.
10. Help the customer be a hero in their own organization. Who doesn’t want to be Batman?
These rules have evolved over the years and are cobbled together not just from my personal experience, but from the experience of a lot of other CISO’s I respect like Ed Amoroso, who has his own Top 10 Rules here, and Dan Lohrmann who wrote a great piece here.
As I was talking on the panel, I was reminded of an article from a couple of years ago, written by a CISO to security vendors. After searching through my treasure chest of goodies, I finally found the series of articles, Part 1, Part 2, and Part 3, written by John Masserini in 2015. After re-reading them, I realized why I remembered this series. John is a great writer and these articles are valuable material for salespeople that don’t generally recognize, acknowledge, or understand the daily challenges of a security operator. This is a blueprint for good cybersecurity salesmanship and I promise that if you actually take the time to read the articles, you’ll discover some nuggets that will make you better prepared to do your job. Which will make your customer’s happier. And your boss happier. And will make you more successful.
If you’re a security product vendor or a security salesperson, know a security product vendor or a security salesperson, or run a security product sales team, please feel free to share. And if you’re a CISO, there some goodness in there for you too.
Mark Weatherford is SVP and Chief Cybersecurity Strategist at vArmour. He has more than 20 years of security operations leadership and executive-level policy experience in some of the largest and most critical public and private sector organizations in the world. Prior to vArmour, he was a Principal at The Chertoff Group an in 2011, was appointed by President Obama as the DHS’s first Deputy Under Secretary for Cybersecurity. Before DHS, he was VP and Chief Security Officer at the North American Electric Reliability Corporation (NERC). Prior to NERC, he was appointed by Governor Schwarzenegger as California’s first Chief Information Security Officer (CISO) and was also the first CISO for the State of Colorado. A former U.S. Navy cryptologist, Mr. Weatherford led the United States Navy’s Computer Network Defense operations and the Naval Computer Incident Response Team.
Mr. Weatherford holds a master's degree from the Naval Postgraduate School and holds the CISSP certification. He was awarded SC Magazine's "CSO of the Year" award in 2010, named one of the "10 Most Influential People in Government Information Security" by GovInfoSecurity in both 2012 and 2013, selected for the 2013 CSO Compass Award, and presented the 2017 SC Media Reboot 'Influencer' Leadership Award.