Every time I engage with a new security client, I always ask, “Who do you want to reach?”
Inevitably, I get the obvious answer, “We want to reach CISOs and CSOs.”
To which I respond, “Join the club.”
Of course security vendors want to reach CISOs and CSOs. They control budget. They make the final decisions.
During the eight years I have covered the security industry, I have interviewed countless CISOs and have worked for many security vendors. From my vantage point, the CISO/security vendor relationship is a multi-faceted combination of delight and frustration for all involved parties. To better explain this thinking and try to understand what’s going on, I’m dedicating this multi-part series to the examination of the different aspects of the CISO/security vendor relationship.
Should security vendors use the same fear tactic on a CISO that they use to scare my mom?
One of the most common and effective security sales ploys is to use a recent crisis to sell your product:
Do you want the Company X security breach to happen to you? Company X didn’t have our security product which could have prevented the breach from happening.
For non-security-minded folks like my mom, this technique works perfectly. Unless a security story makes it into mainstream media, my mom won’t read any security news. All you have to do is tell her about the threat, ask her if she wants it to happen to her, and that will probably be enough to scare her into buying your security product.
But should this technique be used for all your sales targets? Given that CISOs and CSOs live with security concerns every waking moment, they’re probably not as susceptible to such pedantic content marketing and sales practices.
Mike Johnson, CISO at Lyft, expressed his great displeasure with this technique: “I cannot believe I have to say this: vendors, do /not/ reach out to me using the latest breach as a pretense. This is the absolute quickest way to make it onto my ‘do not do business with’ list. This is as true now as it will be with the next breach, and the next. You have been warned.” (From LinkedIn)
Johnson may be annoyed, but he begrudgingly knows this sales technique works. He tries to rally the troops to stop it.
Much like spammers, they keep doing it because they are successful every now and then. Do not respond to the ambulance chasers.
While Johnson offers a very enlightened response, it’s hard, even for the most seasoned professionals, not to look at the accident on the side of the road and fear you could be the next one.
I can’t imagine any CISO admitting to falling for such an obvious ruse, but each breach renews and emboldens the CISO concern that they’re simply not doing enough. And those concerns bubble up to all C-level employees. There’s always something more that they can do.
“For me, scare tactics are a big negative, and often such messages end up in the trash. FUD (fear, uncertainty, and doubt) is a move of desperation and generally represents a lack of imagination,” said Peter H. Gregory (@peterhgregory), executive director – CISO advisory services, Optiv, “Instead of selling on fear, how about selling on business benefits?”