CISOs (chief information security officers) are a prime target for security sales and marketing because they are usually the point person who controls a company’s security budget. Given the overflow of traditional marketing and sales techniques, CISOs often cringe or are turned off, preferring instead to build relationships with vendors. To better understand how those relationships are formed, I asked CISOs to give me specific stories of how a vendor fostered a relationship with them and what they liked about it. Here are their tales and their advice.

1: Sponsor a dinner and bring your smartest to the table

“Show up, contribute to our community, and add value,” said Randall Frietzsche (@rfrietzsche) CISO, Denver Health, and distinguished fellow of the Denver chapter of ISSA. “I’ve been so surprised by many of the vendor representatives in that they are so smart, experienced, and often add tremendous value to that conversation. That is what the vendor needs to be selling.”

“Bring real-life experience and expertise to the discussion,” said Peter Gregory (@peterhgregory), CISO, Optiv.

Security professionals learn more and start to trust each other when they share stories from within the trenches.

“They don’t need to pitch anything. We want to know them. When we are finally able to address that problem through budget planning and strategic roadmapping, we’re going to think of that person, hence that company and their solution,” said Frietzsche. “If you do that right, we’ll be calling you.”

Got feedback? Join the conversation on LinkedIn

2: Be willing to put in the time to build a relationship

One of the core conflicts that arise between security buyers and sellers is conflicting timelines. The target’s product roadmap and a company’s quarterly sales goals are rarely in sync.

“The key point to vendors establishing relationships is that it can’t be a short term investment,” said Robb Reck (@robbreck), CISO, Ping Identity. “If the vendor enters into the relationship with the perspective that they’re looking for an in-year ROI on their time, they are going to struggle. Relationships and trust take time and investment from both sides. Come, be willing to invest your personal time into my community, and make us better.”

3: Business is based on trust, so are our relationships

“Respect the CISO’s need for trust, and start a relationship by providing something of value,” said Scott Foote, founder and vCISO, Phenomenati. “Trust is not created with a cold call. Trust is not created simply through entertaining and socializing. Trust is built over time, and it is based on shared, mutually beneficial experience. Especially where there is a transfer (back and forth) of value.”

That doesn’t mean coming out with a deal or a promise, said Foote: “The very nature of the CISO role is managing trust (in people and things) and to mitigate risk. We do not trust lightly… The most successful sales people are those who provide value first, build trust, and are part of one’s social network when the time of need eventually arises.”

4: Educate, don’t sell

Achieving one-on-one relationships with a CISO is not as simple as saying, “Will you be my friend?”

“There are plenty of human interactions that don’t require too much more effort,” said Sean Todd, information security engineer, Handle Financial, who suggests putting together informative-only presentations for local meetup groups.

Try to resist the urge to just do a webinar. Get out, educate, and meet your community face-to-face.

“Don’t go into how your particular product solves the problem,” said Todd about spoon-fed sales techniques. “Just explain the problem and general approaches for it. Let me draw the conclusions myself.”

5: Be a connector

While it’s impossible to know the answer to everyone’s security concerns, you could connect those who do know.

Connectors hold a very valuable and powerful position. Just think about the connectors in your world – the people everybody knows. Those people are adored. A sale would be much easier if you were universally recognized for your ability to connect others.

“One of the best vendors I ever met never tried to sell his services directly,” said Elliot Lewis (@ElliotDLewis), president and chief architect, Lewis Security Consulting. “Lee went through the process of providing forums and collaboration to my peers in the local area, national and international levels. He helped drive the conversations, create great scenarios that I looked forward to participating in with my peers – collaboration that was designed and driven around critical issues we were all facing.”

Lewis admits that Lee is still a good friend and advisor to this day.

6: Be patient and wait for the sale

Kip Boyle (@KipBoyle), CEO, Cyber Risk Opportunities, is the host of a ‘mastermind’ group of virtual CISOs. To manage the series he creates virtual spaces on services such as Zoom and Slack for members to engage.

“My group members want a safe environment to compare notes about challenges they are facing without being hounded to buy something. Through my conversations with them, they learn what we can do so I don’t have to sell anything,” said Boyle. “This kind of patience on my part can get expensive in terms of ‘waiting for the sale’ but it’s the only sustainable approach I know.”

7: Find your voice, not the company talking points

“Be authentic. The cadence of someone’s voice when they are regurgitating a script is unmistakable and no one wants to be another number in your target list,” said Gabriel Barrett (@BarrettGC), CIO, Abellio Group.

Approved corporate ‘talking points’ don’t operate properly in normal conversation. They backfire. It’s impossible to trust someone who spouts out prepared marketing messages.

“It doesn’t matter if you’re a junior salesperson or the company founder; know your product inside and out and find your own voice. Then you won’t have to worry about sticking to a script,” said Barrett.

8: Engage where they engage – and make it public

Mike Johnson, my co-host for the CISO/Security Vendor Relationship Podcast and the CISO for Lyft, is extremely active on LinkedIn. He has admitted on the podcast that he reads all of the comments on all his posts. Yet, even when he makes it perfectly clear where to connect with him, I still get people asking how they could get “15 minutes of his time.”

“Meeting in person always gives you the best chance to make a connection, but it’s entirely possible digitally,” said Abellio’s Barrett. “If you’re reaching out to me I expect you to have done your research on my business and come armed with at least some informed guesses about the security challenges I face… CISOs are human too and genuine empathy with our common challenges puts you on our side.”

9: Technical marketing and engineering teams first

“I want vendors that are open with their roadmaps and are eager to introduce me to their technical marketing and engineering teams. They are usually the first to move up on my list of vendors to hear out. It shows that they firmly believe they have a solid solution and a very capable team behind them to help educate me on what they are building,” said Vijay Bolina (@_jamesbaud_), CISO, Blackhawk Network. “I don’t care about existing customers and latest placement on a magic quadrant.”

10: Social media is for building relations, not sales

“The mistake I see some vendors make is that they use social media to make a sale. I never decide to buy something based on a social media message,” said Lewis of Lewis Security. “Social media needs to be used to build community and show intelligent mind share. Show that you understand the problem and provide intelligent discourse and access to intelligent conversation on the problem.”

11: Let a friendly CISO broker the relationship

“Connecting with CISOs remotely/digitally is definitely doable for customers,” said Ping Identity’s Reck. “The best way I’ve seen this accomplished is by leveraging other CISOs who are already champions for you.”

In the interviews I’ve conducted with CISOs, I hear this all the time: “We talk to each other.” Use CISOs who already love you to connect you with other CISOs.

“If you’ve got a wildly successful customer who is willing to share that success with their peers,” said Reck, “that can be your in and your way to establish a new relationship.”

12: Give back to the community

Fighting cybercrime is a community effort. CISOs appreciate it when vendors educate and support the community. As mentioned earlier, many CISOs recommend sponsoring a local conference, an ISSA meeting, or a CISO dinner. You can also support schools or donate technology to a college.

“Care about the profession and our cause, and be a part of fighting the good fight, not just developing the next cool box with blinky lights,” said Denver Health’s Frietzsche.

CONCLUSION: CISOs believe the key to sales is less of it

“If your marketing strategy in InfoSec is cold calling, you’re greatly missing the boat,” said Denver Health’s Frietzsche. “Cold emails and cold calls just make it harder, by wasting our time that would be better spent doing the job we must do.”

A CISO’s job is to solve problems. Solutions to those problems often come in the form of advice, talented staff, advisors, reconfiguring existing solutions, implementing new solutions, or a combination of all.

Knowing there are many ways to solve a problem means the solution can’t always be “buy my product.” If you want a CISO to trust you, help the CISO solve their problems by other means that don’t necessarily require a purchase order.
