“How do I approach a CISO?” It’s the most common question I get from security vendors. In fact, I have another podcast dedicated to this very question. But now we’re going to tackle it on this show.



Check out this post for the basis of our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Ian Amit (@iiamit), CSO, Cimpress.

Here also is my original article with Allan Alford when he first launched this engage with vendors campaign.

Thanks to this week’s podcast sponsor, Sonrai Security

Identity and data access complexity are exploding in your public cloud. 10,000+ pieces of compute, 1000s of roles, and a dizzying array of interdependencies and inheritances. Sonrai Security delivers an enterprise cloud security platform that identifies and monitors every possible relationship between identities and data that exists inside your public cloud. 

Got feedback? Join the conversation on LinkedIn.

On this episode of Defense in Depth, you’ll learn:

  • All CISOs are different so any advice we provide will vary from CISO to CISO. Plus, we have an entire other show, CISO/Security Vendor Relationship Podcast, dedicated to this very topic.
  • We acknowledge that this is tough because to be really on target you need to know what the CISO has, what their mix of products are, and how your product could work in their current security maturity and mix of security products and processes. It’s all a very tall order for a security vendor.
  • Vendors must stop thinking of themselves as point solutions, but rather how they fit into the overall makeup of a security program. You’re not coming in with a blank slate. How do you interoperate with what’s existing?
  • There’s unfortunately the trend of the people who make the contact, then initiate a meeting, and hand off to someone else. CISOs do not welcome that kind of engagement, although it may be very cost effective for security vendors to hire junior people to make those contacts and hand offs.
  • Lots of argument about the efficacy and the acceptance of cold calling. Those who claim they don’t like it are often working at organizations that do it repeatedly to great success.
  • The pushy salesperson who eventually gets through after repeated attempts even when they’re told no may show success, but they don’t calculate all the people they’ve angered and the word-of-mouth negativity that has resulted from that behavior. If you push beyond a request to stop, the worse that can happen is your reputation will be destroyed.
  • CISOs are more receptive to market pull into your organization. That can happen through traditional marketing, content marketing, podcasts, analyst reviews, and word-of-mouth. Problem is these techniques don’t leave any room for salespeople to operate.