The cybersecurity sales process is so terribly inefficient. And everyone, the targets and cybersecurity leaders, is losing valuable time because of that inefficiency. Where can we start making improvements?
Check out this post for the discussion that’s the basis for this podcast episode. This week’s Defense in Depth is hosted by me, David Spark (@dspark), producer, CISO Series. Our guest co-host is John Overbaugh, CISO, ASG. John and I welcome our guest, Jerich Beason (@blanketsec), commercial CISO, Capital One.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor Compyl
[David Spark] The cybersecurity sales process is so terribly inefficient, and everyone, including the targets – cybersecurity leaders – are losing valuable time because of that inefficiency. Where can we start making improvements?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of CISO Series. Joining me as a guest co-host for this episode is John Overbaugh who is the CISO over at ASG. John, please, everyone wants to hear the sound of your voice. How does it sound?
[John Overbaugh] It sounds great, I hope. I’m glad to be here and excited for today’s episode.
[David Spark] You, I am very excited to have you on specifically and our guest on because the two of you are ludicrously passionate about this subject, not to say there aren’t others passionate about it. Trust me, I know there’s tons that are, given the number of people who commented on your very post about this, but I’m glad to have both of you. Hold on. I do want to mention our sponsor today. That is Compyl, they are a brand-new sponsor of the CISO Series. Let me point out, they spell their name C-O-M-P-Y-L. You know, it’s cool for the startups these days to spell their name not the way they sound, so it’s Compyl. All-in-one security and compliance. A very cool solution that solves like 85% of your compliance issues automatically. Pretty cool. I’m going to tell you more about that later. But John, you posted on LinkedIn about your frustration with cybersecurity sales.
[John Overbaugh] Yes.
[David Spark] And you calculated that you were wasting about 18 hours a year just dealing with sales emails that are of no interest to you, and you estimate others are probably wasting far more time, and it’s everyone in the ecosystem – salespeople and their targets. So, you asked what could be done to improve efficiency. Do you feel you got an answer to your question?
[John Overbaugh] [Laughter]
[David Spark] Because I don’t know what the answer is.
[John Overbaugh] I got a lot of answers. Not a lot of them were great. Most of the answers were commiseration on both sides. On the sales side, there’s the whole funnel approach, and the funnel theory or philosophy where I got to send 200 emails to get X number of contacts, to get X number of meetings, to get X number of sales. None of those are working and we’re wasting a ton of time. We just need to find a better way to do it.
[David Spark] Right. I don’t think we’re going to greatly answer this question, but I think we’re going to put some interesting thoughts and some direction here because I wish there were a simple answer, and we all know there is not a simple answer here. The person who’s going to help us with this conversation, who I have quoted on this very subject before, is none other than Jerich Beason who is the commercial CISO of CapitalOne. Jerich, thank you so much for joining us.
[Jerich Beason] David, thank you for having me. This is my third time on your show, second time with a co-host, I don’t think you want me to meet your host.
[David Spark] It’s going to happen. Don’t worry.
How are the vendors handling this?
[David Spark] George Kamide of Bare Knuckles and Brass Tacks said, “The vendor/customer divide is growing, and it isn’t a recipe for making our systems any safer.” What George hits there is literally the reason the CISO Series started because we saw this as a major problem. David Fetherston of Electronic Sensors said, “I seek out the need, not the sale. The sales come when I find the need, explain it, and demonstrate how solutions eliminate their need in a win/win relationship.” Now, I know a lot of people listening going like, “That’s what I’m trying to do too,” so we’re going to come to that.
And Chris McNeill of Infinite Convergence Solutions said, “The challenge is ensuring that we are part of the conversation when someone on your team goes out to market to find a solution. That challenge can be compounded if we are part of a smaller company that doesn’t fund its placement on industry reports or have a huge marketing engine to drive awareness at your level, so we have to work with the tools we have.” And I will say Chris’s comment is what I hear from almost every sponsor that approaches us. So, John, this seems like a good, rounded way to look at the problem. While you are not in sales, are you compassionate to their concerns?
[John Overbaugh] Absolutely. I mean, I have the very same problem. I want to make sure the right vendors are part of the conversation when I’m going to market to look for a solution. I want to have that relationship and have a relationship based on that need and on mutual respect like David is talking about. I 100% agree with George. There is a gap, and it is growing. I mean, look at the passion, and we’ll use the word “passion” in the responses, including the one guy who responded and said, “It is my job to listen to salespeople,” right? That is just a growing chasm of misunderstanding and I think also frustration.
[David Spark] Jerich, what do you think? And again, I pulled these three quotes because I think they just give from slightly different angles a well-rounded response to the issue.
[Jerich Beason] Yeah. You know, vendors are a key part of our security ecosystem and the vitriol I see spewed in their direction isn’t always warranted. But to David’s point, I’m at a stage where I make decisions for 2024 in 2022, and by the time I’m ready to buy something, I initiate the conversations myself. Imagine a plumber contacting you out of the blue and asking if you want to have your toilet replaced. The stars may align and one day the answer may be yes, but most of the time the answer’s no. And that’s what sales is like today and we need to fix that.
[David Spark] That’s a really good way of pointing out, and I want to also quote you on something that you said, Jerich, a while back that I quoted you on about when salespeople come after you during a great time of need and just say, “I don’t have time to buy hoses to fight a fire in the middle of a firefight. What I need is you to just come with your darn hoses and help me put out the fire.” And that I think was, even if I wanted to, there’s no conceivable way I could do it. So, while in most situations, what seems like a moment of urgency isn’t a way to sell, is it, at all? And you must still get this all the time. Yes, Jerich?
[Jerich Beason] Yeah. You’re referring to the ambulance chasers.
[David Spark] Yes, yes. I quoted you on that.
[Jerich Beason] That is definitely a challenge that we have to deal with, but the reality is, if I have a partner, if I have someone that I’m working with on a regular basis, the ambulance chasers are just noise-making sirens and so forth, while I have the people that I’m already working with. And that is the way sales works today. You have to have that relationship because there’s just so much noise we have to cut through.
[David Spark] And I’m going to close with you, John, of what is an opportunity that you’ve seen a salesperson just sort of take advantage of, and not just solve a problem but just to make a touchpoint that was key at a given time. Has that ever happened?
[John Overbaugh] Oh, that’s a good question. I’d say it isn’t but let me give you a hypothetical example that I think would work great. Right? So, we’ve got all these recent breaches, let’s just look at Log4j. So, that would have been a fantastic time for a vendor to reach out and say, “Hey, I’m not trying to sell you anything. I found seven resources that might help you, open-source resources that might help you find instances of Log4j. Give them a try. Give me a call someday if it helps you.”
Does anyone have a better solution?
[David Spark] Tim Howard over at Fortify Experts said, “It’s called using an attraction campaign. We create and post high-value content and host leadership forums to create trusted relationships who know what we do.” And Justin Perron of 13 Layers said, “LinkedIn is completely the way to go so long as you treat it like building a real-ationship,” that’s his word, “Active listening, caring enough to really help, getting to know the other person, giving in addition to asking, being patient, etc.” So, essentially it’s a comment about going to content marketing, sponsoring things like us, and also really trying to build relationships, of which LinkedIn actually allows for that. Let me ask you, both of you are active posters, I’ve got to assume you read most if not all of your comments. You have a good idea of who are the people who participate the most. Yes, Jerich?
[Jerich Beason] Absolutely. Absolutely. And I agree with both comments here. I’m going to make the call where I have the relationship, and I’m going to build the relationship where there are credible vendors. And to your point about the comments, they can build credibility through comments and through content and other contributions to the community. Either way, it’s the long game.
[David Spark] Yes.
[Jerich Beason] Being a security leader today is nothing like it was in the ’90s or the 2000s, but the sales playbook is still very much still the same and that’s what we’re trying to address here.
[David Spark] Excellent point. John, have you been approached by somebody for which you have built a relationship online through comments or messaging, anything like that?
[John Overbaugh] So, one example I think is a gentleman by the name of Reno Ancheta who used to work for Deep Instinct. Reno had almost twice a week, if not more, posted video blogs about what was going on in the cybersecurity space. He wasn’t trying to sell anything. It was an informational blog that was very helpful to myself as a CISO, and that’s the kind of trust that’s built. He’s moved on and kind of left the cyber market, so I don’t have a connection with him from a sales perspective, but he would have been the one I would call, and I did in fact, when I had a need in his area. So, that’s a great example of building that relationship, building that trust, and leveraging it going forward.
[David Spark] Jerich, do you have a similar example? And it could just be not somebody who’s creating content like that but just someone who’s left a lot of comments and you just know them well, like, “Oh, this is the person that leaves me comments all the time.” For example, there are certain people who contribute to this show all the time who are amazing contributors and I believe they’re making relationships with the community because, “Oh, they’re the one that the CISO Series quotes all the time.”
[Jerich Beason] Absolutely. We develop a recency bias, and when we start to see some of the names on a regular basis over and over, and that name just happens to be the one that shows up on the RFP, we have an immediate sense of familiarity even if we’ve never spoken to the person. Just being present and being visible has a huge impact when it comes to getting opportunities and getting that initial phone call.
[John Overbaugh] But can I butt in?
[David Spark] Sure.
[Jerich Beason] Please.
[John Overbaugh] It has to be relevant, it has to be professional, and it can’t be opportunistic, right? So, if someone makes a comment on a post of mine and then follows up immediately with a pitch in a LinkedIn direct message, I’m like, “Look. That’s so transparent.” Right? I know it sounds like we’re building a really high bar. Really, the bar is we are in the same community, let’s act like it and let’s work with each other instead of looking at each other as either kind of like a vulture or like a target. We got to solve these problems together, not apart.
[David Spark] Before I mention our sponsor, I do want to ask both of you are you hiring right now. It’s a weird time right now where I used to get 100% of our guests saying, “Oh, yeah. Of course we’re hiring. We’re always looking for talent,” and now because of the economic situations, it’s changed. So, what’s your situation, Jerich? You hiring?
[Jerich Beason] We are hiring, capitalone.com/careers, and we’re hiring in cyber as well.
[David Spark] Hiring in cyber. Are you hiring people, first, like very green people?
[Jerich Beason] Every year we bring a new cohort of we call them cybersecurity development professionals and those are people with zero experience but a lot of ambition and a lot of passion for the industry.
[David Spark] And have you personally had to train any of them?
[Jerich Beason] I personally have three that started in my team about five months ago.
[David Spark] Awesome. All right, John. Are you currently hiring?
[John Overbaugh] Yes, we are, alpinesg.com, no hyphens. We are hiring for all levels of technology. Also, we do currently have one or two cyber roles open at our operating companies.
[David Spark] Oh, excellent, awesome.
Sponsor – Compyl
[David Spark] I do want to mention our sponsor today. That is Compyl. You remember I mentioned them at the beginning of the show? C-O-M-P-Y-L. Please, everyone, remember that. So, GRC solutions often cause process roadblocks within organizations. They are either antiquated and lack the functionality needed or so stripped down they can’t fix the problems you set out to solve. So, that’s why the team over at Compyl, they created the all-in-one security and compliance automation platform. Compyl quickly integrates with the tools you use – that’s good – and automates 85% of the, I’m going to throw in, the boring day-to-day tasks, the things you don’t want to be doing all the time, and you shouldn’t be. And it does it all while providing complete transparency and comprehensive reporting along the way. So, you can start a free trial with it. Start your free trial with Compyl today and see all the efficiency gains you can expect from a leading solution. Learn about Compyl today at www.compyl.com/getstarted.
There must be a better solution.
[David Spark] Ray Harrison of Abira Security said, “That wasted time can be virtually removed by having trusted VAR that knows the vendor space inside and out.” And Max Mason of Arctic Wolf said, “The solution is to distribute products and services 100% through VAR/MSP/consultancy channel. These trusted consultants can be your go-to resource to remove the noise and deliver the ‘magic top three vendors’ for each and every project you and your team has.” So, I know there’s lots of pros and cons with going with VARs. Interested to know what your experience has been. And I’ll just throw out this – I remember talking to Wendy Nather when she was working for 451 Research, and she said – this goes back a number of years ago so it’s a lot more – she said there’s somewhere between 3,000 and 4,000 security vendors out there. We have a heck of a time just keeping up with 1,000 of them and that’s our full-time job. So, just to give you an idea, even when it’s your full-time job, it’s literally impossible to do this. So, I’ll start with you, John. Do you work with VARs? Have you worked with VARs? What are the pros and cons of it?
[John Overbaugh] I have. I do. The pros of it are, as you said, so a trusted VAR is someone who understands your ecosystem and knows what’s going to fit and what’s not going to fit. So, there’s a pro there. The downside is it’s hard for startup companies to get on with those VARs, and therefore, I don’t find it revolutionary innovation. I may encounter some evolutionary innovation. So, I think they can be a roadblock as well, and I do have to say, I just love the term “magical top three vendors” because my top three vendors and the top three vendors of some of those research firms, they’re usually very different.
[David Spark] I will say this. I once quoted Mike Johnson in one of our memes saying, “I’m not going to ignore a vendor just because they’re not in Gartner’s Magic Quadrant,” and boy, did that blow up.
[David Spark] Wow. It blew up like you wouldn’t believe. Jerich, what’s your experience with VARs?
[Jerich Beason] Yeah, I agree. The VAR is the way to go. To your point John, it does put direct sales professionals and startups at a disadvantage, unfortunately. But to make it as my VAR, the “V” and the “A” are imperative. Right? If you’re adding value and you’ve consistently demonstrated reliable and credible behavior over time, I’ll trust you. With that trust comes better knowledge of my org and our challenges, with that trust also comes influence in the decisions I make when addressing those challenges. It requires time. We have to go through the trenches together for you to elevate from reseller to VAR. A lot of companies are resellers calling themselves VARs and that’s part of the problem.
[David Spark] And honestly, I do not fully understand the ecosystem, but I got to assume some VARs have better deals with certain vendors than others. And because of that, I’m sure they push other vendors over others, and I’d be very, very uncomfortable if that were the case. Is there a way to know if they’ve got those kind of relationships in place?
[Jerich Beason] So, you have to look at the VAR. A lot of the times, the VARs will pluck high-ranking sales professionals from other companies and that’ll be their flagship company that they can get you the best deal on. But the reality is, the companies are giving each VAR pretty similar deals. It’s the overhead that comes with each VAR that results in what your price is. So, if you go with a VAR that has 5 people on it, the overhead is going to be significantly different than a VAR that has 1500 people in their organization. And there’s also going to be a difference in quality of service, capabilities, implementation teams, yada-yada-yada, so there’s pros and cons of going with a larger VAR versus a smaller VAR, but those are some of the things to think about.
[David Spark] And have you done both?
[Jerich Beason] I have. Some people like to have a single VAR. I have found that that does not work necessarily for me because a lot of the time you want that VAR to help you roll out the technology and most of them don’t have the expertise across the breadth and depth of their portfolio. So, I usually have to take those things in consideration when deciding on my VAR and who I’m going to use.
[David Spark] So, you need a VAR that can be a true integrator too as well?
[Jerich Beason] Absolutely.
[David Spark] All right. So, John, do you have a sort of opinion versus large versus small and have you worked with both?
[John Overbaugh] I have worked with both. I would say I agree with Jerich. There are times when that small VAR is fantastic because they’re very niche and they really understand the niche they’re in. There are other times where they’re winging it. Right? And it’s hard to tell the difference and that’s why, for me, a trusted VAR is a challenge to find.
Whose issue is this?
[David Spark] Stephan Little of Zero Limits Ventures has a comment. I’m going to set this up, it’s a little on the spicy side.
[David Spark] “It’s your effing job to meet with vendors, share the challenges you have, and listen to the innovative ways they can help you solve your problems. The job of the sales professional is to serve. They don’t want to waste their time any more than you want to waste yours. The question is not about how they can be more efficient with your time. It’s how can you be more efficient with theirs. It’s likely their hour is worth one heck of a lot more than yours.” Okay.
Before everyone jumps down his throat on this line, I do want to qualify this because Allan Alford, who used to be the co-host of this very show, truly believes that part of his job is to know what’s going on out there, and not knowing is not providing a service to his organization, and he wants to be more efficient with the vendor’s time and his. He puts out a vendor email every year and he sets aside time to meet with vendors all the time and he just says, “These are the three bullet points I want. Just send me these and if it’s of interest to me, I will call you back and we’ll set up a meeting.” And essentially, he created the playbook for vendors to communicate with him, which I thought was a really, really good model. Okay, with that being said, Jerich, your thoughts about Stephan Little’s comment.
[Jerich Beason] So, it’s actually well documented in print and podcast form that for about three straight years, I met with a new vendor every week. I didn’t stop until I joined my current company. It kept me up to date on the latest and greatest and more importantly, the problems that the tech was solving. So, I believe in what Stephan…
[David Spark] So, you did something very similar to Allan?
[Jerich Beason] 100%. So, I believe what Stephan is saying. That said, it’s my job to meet these vendors but on my schedule when I need them. If I’m one year into a four-year contract and I’m happy, I’m not going to need a vendor that has a competing solution. If I have a flat budget going into the following year and I have no wiggle room, I’m not going to meet anyone unless the strategy is to consolidate the portfolio and I’ve sought out suitors. It’s a waste of our time if I meet you just for the sake of meeting you.
[David Spark] It’s a waste of everybody’s time.
[Jerich Beason] 100%.
[David Spark] John?
[John Overbaugh] Yeah. So, look, I respect this comment, actually. I don’t think it’s right, but I embrace the passion in the comment.
[David Spark] Yes. There’s plenty of passion there, and you can hear his frustration as well. It’s more of like, “Hey, guy. Come meet us halfway here.”
[John Overbaugh] That’s right.
[David Spark] Yes.
[John Overbaugh] And I can’t deny that part of this comment; however, it is part of my job to know what’s going on out there, but at the same time, it is a small part of my job or maybe a medium-size part. I have a ton of things I do, and this is not the only one. So, it’s important for me to find an efficient way to communicate, and if I’m hitting delete on those emails coming in all the time – I estimated 18 hours, it might have been more than that, I don’t know how much time I really waste on this – that to me is a disservice to me as well as to the community in general, and it just comes back around to there has got to be a better way. There needs to be a Tinder of sales, right? Swipe right, swipe left. You get a quick introduction, and you can make a more educated choice.
[David Spark] By the way, the number of organizations that are trying to do the equivalent of that is astounding.
[John Overbaugh] Yeah.
[David Spark] There are some like G2 is a service that does it for sort of all products for that matter, not just cybersecurity. But I’ve talked to many people trying to create the Yelp of cybersecurity products, and heck, that is what research firms are doing as well.
[John Overbaugh] Yeah.
[David Spark] It’s just not so simple, is it, Jerich? That’s what makes it so tough.
[Jerich Beason] One walk down the Expo at RSA and you realize why no one has succeeded. It’s far too many vendors, there aren’t enough success stories, there aren’t enough horror stories, and it’s really hard to cut the wheat from the chaff.
[David Spark] Let me pause here and let me add something to that, Jerich. I was on the floor of RSA, and I was talking to CISOs and I said, “Just look at all those brands in front of you. What percentage would you say you know what the heck they do?” And I got maybe 10 to 15%. And I was just thinking about what other industry can you be at a show where the smartest people in the industry have a 10 to 15% clue of what the heck’s going on?
[Jerich Beason] It’s the intersection of us having a fairly new industry at the time of innovation throughout the world and everybody is chasing the same thing. The one point I’ll make is he said, “It is my job.” It is my job to be a father and protect my family, but I don’t meet with a new security camera every week. Right? It’s no different.
[David Spark] Very good point.
[David Spark] All right. Let’s bring this to a close and this comes to the point where I ask both of you which quote was your favorite and why and I’ll begin with you, Jerich. Which quote was your favorite and why?
[Jerich Beason] George Kamide, “The vendor/customer divide is growing, and it isn’t a recipe for making our systems any safer.” We need our vendors, 100%, and without our vendors we will not succeed. We have to figure out a better way to court each other and to work with each other.
[David Spark] Very good point. All right. John, your favorite quote and why?
[John Overbaugh] Man, so George’s quote’s my number two. My number one is David Fetherston’s quote, “I seek out the need, not the sale. The sales come when I find the need, explain it, and demonstrate how our solutions eliminate their need in a win/win relationship.” I am looking for relationships with vendors who understand me and who know when they can help, and they know when they don’t have the right solution for what I’m doing. It is a partnership and that’s what I want to have is establish good partnerships with good vendors.
[David Spark] A very good way to close out this very episode. Huge thanks to my guest, John Overbaugh who is the CISO over at ASG. He played the part of guest co-host of which Jerich feels that I am trying to keep him away from the regular hosts. I’m blocking and tackling preventing him. That is not the case. Which host were you on with before?
[Jerich Beason] I was on with Geoff, and I was also on with Jimmy Sanders from Netflix. Maybe next time I’ll be the co-host so I can not meet a co-host again.
[David Spark] Or you could just be on with an actual co-host.
[Jerich Beason] That works too.
[David Spark] Either way. It works the same.
[John Overbaugh] Well, wait. What does that make me? I’m not an actual co-host?
[David Spark] You are an actual co-host.
[John Overbaugh] I’m an amateur co-host.
[David Spark] No. You’re a guest co-host of this episode. Thank you very much, gentlemen. And thank you to our audience. It is your job, it is your effing job, audience, to send me in awesome conversations. I don’t know what you’re doing currently but your job is to send me in awesome conversations that you see online from which we can make an entire episode here on Defense in Depth. So, thank you for your contributions and listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe, so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.