“I couldn’t agree more that relationship selling is the best way to sell to security leaders,” added Robb Reck (@robbreck), CISO, Ping Identity. “If you don’t already have a relationship with the leader when the project gets funded, you’ll often be left out of the consideration.”
Security vendors want to be on a CISO’s radar. Getting there requires some sort of first-time engagement.
To better understand what it takes to successfully initiate a relationship with a CISO, I reached out to a dozen CISOs, two former CISOs, a CSO, and a CTO to get their advice.
Here are their stories of security vendors who successfully made first contact.
1: Get introduced through a reliable source
2: Attend, sponsor, and volunteer at industry events
“If you cannot get an intro, work up the social at events, and sponsor local associations to build up some trust,” suggested Yellow Pages’ Hébert.
Randall Frietzsche (@rfrietzsche), CISO of Denver Health, appreciated the support of one vendor who sponsored his local ISSA chapter, volunteered his staff, and never tried to sell anything. He just focused on being part of the community.
“If you build a relationship and support our cause and our community, and I do end up needing what you’re selling, you’re the first one I’ll call,” said Frietzsche, “and you’ll already have a ‘leg up’ on your competition.”
“If someone comes to me that is a ‘friendly’ there is a greater chance that I will bring them into my business circle,” said Haizlett.
3: Sponsor small CISO gatherings
Ping Identity’s Reck suggests security vendors “use their marketing budget to meet up with 10-15 security leaders, and hear what’s top of mind for them.”
Denver Health’s Frietzsche concurs, noting another vendor that has sponsored multiple ISSA dinners.
“This vendor has pretty good market share within this CISO community,” said Frietzsche, “solely because they support our community, get involved, add value, and build those relationships with us.”
4: Engage in security discussion in social media
Find topical security discussions by following #infosec and the hashtag of the most current security event.
Esterline’s Cowperthwaite first connected with a vendor in a Twitter discussion with other CISOs. They were able to develop a good rapport over social media and eventually met in person when the opportunity arose.
5: For the first meeting, build trust, don’t sell
The first meeting with a CISO should be focused on making a connection with the person, not the product.
“A vendor who comes across trying to sell always raises our shields,” said Richard Greenberg (@RAGreenberg), CISO, Los Angeles County of Public Health. “Since we are all humans our armor can be pierced with humanity.”
6: Ask for feedback on your marketing message
While CISOs don’t like to be sold to out of the gate, they are willing to offer up an opinion if you ask.
“Ask the security leader to give their take on your product or marketing message,” said Ping Identity’s Reck. “Make it clear that you are NOT there to sell to them, but to solicit their feedback on whether this technology is useful and interesting.”
7: A customer is always a better salesperson than you are
“Some of the best vendor relationships I have developed because I have a colleague who uses their product and highly recommends it,” said Sean Todd, security assurance analyst, Lyft. “It’s one thing for a salesperson to give a good demo, it’s another to hear from someone I trust that their product works on a day-to-day basis.”
8: In-depth research will get you the face time you so desire
If you want an organization to care about you, first show you care and understand them. You’ll be pleasantly surprised by the positive response and chances are you’ll get a lot more than just 15 minutes of their time.
“If a vendor did research and really understood what challenges my business or I faced and sold me the solution I would make all the time in the world for them,” said Dennis E. Leber, CISO, Cabinet for Health and Family Services at Commonwealth of Kentucky.
9: Get to know procurement first
“What one vendor did that I thought was very insightful and smart was build a relationship with our purchasing agent and understand how procurement worked for us,” said Lester Godsey, CISO, City of Mesa. “Government works differently when it comes to procurement versus private sector and this vendor recognized this even before she pitched anything to me.”
10: Be a solution to the existing roadmap
“Security programs are defined well in advance from a logistical and budgetary perspective. Most vendors try forcing their solution into the roadmap,” said Yellow Pages’ Hébert. “They should ask: ‘Is X in your roadmap and if so, could we help when you get there?’”
11: “May I interview you?”
In general, most people are more receptive to the question “May I interview you?” vs. “May I give you a ten-minute pitch on my business?”
By acting as journalists, my company, Spark Media Solutions, a B2B content marketing agency for the tech industry, offers the “May I interview you?” service. We go out of our way to produce videos and articles with industry experts that are most relevant to our client’s audience.
“If you’ve built trust in a relationship with a journalist, you may be able to get some ‘indirect credibility’ by asking the journalist to help you get in contact with a CISO you want to meet,” said Dwayne Melançon (@ThatDwayne), CTO, Innovyze. “Not only can they vouch for you, they can often give you some pointers on how to communicate effectively with the CISO.”
12: Prove your worth by solving a small problem
“The most effective technique is first to start small with a particular use case that solves one niche or hard to fix risk problem for the organization,” said Craig Goodwin (@securitysocks), VP, CSO, CDK Global. “This helps to build credibility and prove that a vendor is not just in it ‘for the money.’”
When a vendor tries to sell a whole suite of products and services it’s a far more difficult sale internally for the CISO.
Goodwin points to one example where a vendor sought to solve a very simple single-application logging problem. Most vendors would not have pursued such a minor task as it would have generated little to no ROI. But since this vendor took on the simple assignment, they were able to demonstrate their capability and, as a result, rolled out their solution across many other web applications.
13: Give something of value and ask for nothing in return
“There is one way vendors have consistently been able to get on my radar and that is when they proactively give me something of value without asking for anything (including 15 minutes) in return,” said Gabe Barrett (@barrettgc), CISO, Abellio Group.
In one instance a vendor gave Barrett a vulnerability report and didn’t ask for anything in return. Most vendors would use that opportunity to try to set up a meeting. This vendor didn’t, and Barrett greatly appreciated it.
“Next time I’m looking for a product in this vendor’s space, they will be getting a call,” said Barrett.
14: Help out with the CISO journey
Being a CISO is not easy. For Elliot Lewis (@elliotdlewis), now president and chief architect, Lewis Security Consulting, getting the title of CISO of Merrill Lynch required new management responsibilities for which he was not prepared. One of his company’s partners, Greg, who had worked with Merrill Lynch’s previous CISO, saw the confusion in Lewis’ eyes when he first got the job.
“Greg took me aside, sat down in my office with me and said, ‘Let’s talk about what just happened and what it means and what you have in front of you.’ He did not try to sell me services. He did not try to get his guys on projects. He just helped me walk through the environment,” said Lewis. “He helped me ‘get my head straight.’ It was what I needed, exactly how much I needed, at the time I needed it.”
Because of that event, Greg and Elliot have remained trusted partners.
15: Fill a personal need at just the right moment
In Lewis’ case, his need was career guidance. Other CISO needs can be smaller and easier to spot, but still meaningful.
Kevin Patel, CISO, ControlScan, tells a story of participating in a roundtable discussion at a conference. On stage, in front of many security vendors, he mentioned that he was feeling under the weather. Later that evening room service delivered soup with a note that said, “Hope this makes you feel better.”
The next day a vendor Patel didn’t know asked how he was feeling and if the soup helped. The two exchanged business cards and Patel made it clear that he would reach out when ready. The vendor listened and never emailed or called. Later that year Patel reached out to the vendor.
CONCLUSION: Sell yourself first, not your technology
“CISOs are good at networking and stay in touch regularly,” said Denver Health’s Frietzsche. “We’re not competitive because we’re all fighting the same good fight.”
CISOs will gladly share information about vendor solutions they support and don’t support, and more importantly they will introduce each other to the people they trust and warn of those they don’t trust. People usually stay the same. Their jobs change far more often. That’s why it’s better to know the person first.
Creative Commons photo attribution to Flickr user davidd.