How Should Security Vendors Engage With CISOs?

How Should Security Vendors Engage With CISOs?

One CISO has had enough of the security vendor marketing emails and cold sales calls. He’s blocking them all. But it’s not a call to avoid all salespeople. He just doesn’t have the time to be a target anymore. So how should vendors engage with such a CISO? And does CISO represent most CISOs today?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome our sponsored guest Joy Forsythe, VP, Security, Thrive Global.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor Code42

Code42 is focused on delivering solutions built with the modern-day collaborative culture in mind. Code42 Incydr tracks activity across computers, USB, email, file link sharing, Airdrop, the cloud and more, our SaaS-based solution surfaces and prioritizes file exposure and data exfiltration events. Learn more at

Full transcript

[David Spark] One CISO has had enough of the security vendor marketing emails and cold sales calls. He’s blocking them all. But it’s not a call to avoid all salespeople. He just doesn’t have the time to be a target anymore. So, how should vendors engage with such a CISO and does this CISO represent most CISOs today?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the said CISO Series. And joining me for this very episode, you know him very well, it’s Geoff Belknap, he’s the CISO of LinkedIn. Geoff, say hello to our very friendly nice audience.

[Geoff Belknap] Hello, friendly nice audience and hello to the rest of you too.

[David Spark] Ah. So, we are going to be nice to the people who are not friendly?

[Geoff Belknap] You know, it’s a big tent, David. Everyone’s welcome here at the CISO Series.

[David Spark] Good point. Our sponsor for today’s episode is Code42 – reimagined enterprise data protection for insider risk. And actually, we’re going to talk a lot more about that because insider risk is often not what a lot of people think it is. And by the way, Code42 has been a phenomenal sponsor of the CISO Series, and we greatly appreciate them joining us again. But let’s get to the topic at hand.

So, Randall Frietzsche, who’s the CISO over at Denver Health, has had it with being a sales target. That’s kind of the key thing here – being a target. He made his point in an impassioned post on LinkedIn saying to simply stop selling to him and be a part of the community. Now I have argued this before and strongly recommend it as well. But you’ll see in some of the comments that I’m going to say coming up during the show, salespeople had strong opinions against this. But as I’ve mentioned, I think the root of the problem is how salespeople are measured. It’s incentivizing behavior their target doesn’t like. Now Geoff, recently I noticed that you have been very bullish about supporting the vendor community by writing mini profiles on LinkedIn, but you’re kind of an anomaly. I think most are frustrated to some level like Randall is. What do you think?

[Geoff Belknap] I think that’s absolutely true. I think I’m frustrated too, and where I took that was a little bit different direction. I said instead of being a completely random target, I would set aside time in a focused way to meet with primarily early-stage startups but also just about everybody in the startup community, and we would set aside time and we’d meet. And just today before this podcast, I met with three different vendors, and we sort of did rapid-fire calls. And that’s working out really well. It does take a lot of my time, but it focuses it in a way where it feels like I have more control over it. I do absolutely though commiserate with people who feel frustrated that they get over-targeted, I think is the right way to go, and I think this is a great conversation for us to have with our guest.

[David Spark] Yes. And let me just ask you this. What value do you get from this procedure of you conducting the meetings with these early-stage vendors? Who, by the way, I’ve noticed many of them are our sponsors too.

[Geoff Belknap] Yeah, there’s a strong overlap there. I think the thing that I get from it is that I, as part of the community and as somebody who enjoys entrepreneurism and new technology, I get to meet people who are building companies, which I enjoy, and then they’re in the sweet spot of companies that address a sector of the market that I’m directly involved in. So, I’ve kind of turned it to the most positive version of that that I can come up with. But I’m always looking to make it better.

[David Spark] Good point. All right. And I’m very thrilled to bring our guest on today to discuss this very topic with us. It is the VP of Security for Thrive Global, none other than Joy Forsythe. Joy, thank you so much for joining us.

[Joy Forsythe] Thanks for having me.

How are the vendors handling this?


[David Spark] Brian Teusink of EY said, “Most sales folks are required to do X emails, calls, reach outs, marketing campaigns, etc., and track their progress. It’s a requirement of their role/job. The sales ‘system’ is essentially broken and really needs to be reworked.” I strongly support that statement. Rich Chen of West Monroe said, “Cold calling and emailing me over and over and then going over my head to the CIO when I don’t respond? You could have the perfect solution, but you’ve lost my trust already.” Al Berg, CISO of Tassat, said, “Persistent follow-up when I don’t respond to your email or worse yet voicemail is a guarantee that you will never ever speak with me.” Pretty harsh. And lastly, Justin Kingston, CISO of Farnsworth Group, said, “Escalating tactics are a great way to get my attention but probably not the attention you want.” So, this sounds like a group of very frustrated CISOs and Brian pointing out, well, here’s what the problem is. Geoff?

[Geoff Belknap] Yeah. I think Brian’s right. The problem here is probably rooted even deeper than that. I’ve been in tech a long time and it seems like we are coming to the present day where this kind of antiquated approach where find the most senior executive with budgetary authority and make them your best friend and sell directly to them, get them onboard, that may have been the right approach 15 years ago or maybe even 10 years, but it just doesn’t resonate anymore. And maybe it resonates in a different sector and I’m curious to hear what Joy thinks about this, but it doesn’t work with me.

I don’t know any of my peers that think that that is the right way for them to make decisions about solutions that they need to solve their problems. You really have to pivot your sales approach to talking to the people that are dealing with the problem. Right? In my case, what I tell people is it’s not me that will decide whether this thing solves a problem, it’s the people on the front line, it’s the individual engineers that are responsible for identity solutions or detection problems or risk and compliance. They will decide if your solution solves their problem.

[David Spark] Right. And they know the user experience that they need to do their job.

[Geoff Belknap] Exactly. I’m not close to those problems. I understand the general problem, I understand the budget we’ve set aside for that, but I am not going to decide the solution, I’m not going to rule out people. CISOs are probably very poor places to invest time. Unless you’re looking for feedback on a product at a very high level, great. But go sell to the people that actually need to solve that problem.

[David Spark] All right. I take this one to you, Joy. Have you hit a certain level of frustration? My feeling is kind of what Brian says. I think the sales process is broken because it’s incentivizing this behavior.

[Joy Forsythe] I mean, I think first of all, I would just like to say that anyone calling me, I don’t pick up phone calls except for maybe my mom and my kid’s school. That’s pretty much it. To me, the idea that someone would do a cold call on the phone and that would actually result in a sale seems just ludicrous. I think the emails, I’m sure there are people who click on some of them but probably because they were already looking at your organization and you might have just built a bit more frustration. If I’m looking for a tool, I’m going to go out and look for what tools solve the problems I’m trying to solve and getting 20 emails is not going to change whether or not you’re one of those organizations. Are they trying to solve for awareness? And if you’re trying to solve for awareness, is cold emails actually solving for awareness? Are there other ways you can invest that same time and money that would result in more awareness?

[David Spark] That’s a good point. Hold it, wait. I want to pause you on just that. Investing time and money that would get more awareness, and I’m sorry that I cut you off.

[Joy Forsythe] Yeah.

[David Spark] Could you kind of lean into that a little bit more? Like where do you think that would be?

[Joy Forsythe] I mean, actually one thing that I’ve seen that I think is successful is look at the people that know your product is good and talk to them. How could they have discovered it? I’ve found out about so many great products from other security professionals. And I’ve been asked by founders to say, “Hey, could you go comment on this LinkedIn post about something we’ve posted?” And actually, you know what? I will. Because if they actually build something that I find useful, why wouldn’t I do something to help them do better because I want them to get more money and build more useful things. So, I think there’s really this part which is, “Oh, you’re trying to build awareness? Well, what awareness is actually going to be valuable?” And for me the most valuable awareness is actually knowing people who’ve used your product and still like it, don’t hate it, and also knowing what problems your product has solved successfully with what organizations.

And I think there were lots of discussions in these LinkedIn comments about participating in the community, and some people said, “Oh, well then I have to go spend money.” I actually don’t think you have to spend money to participate in the community. I think you have to go find people who are using your product and make sure they’re talking about it and invest in them even timewise. Go to meet-ups. I mean, I had a really great experience of meeting a founder for a security product at a meet-up, talked to him at the meet-up off and on over a period of about a year before purchasing it for my employer. And then actually running into a similar problem at another employer and just immediately knowing that this was the company I wanted to work with because they actually solve problems.

[Geoff Belknap] I think this is a great point. The thing I just really want to stress before any of our friends who are listening that are in sales get the wrong impression is the key to what Joy is saying is once we’re already a customer and we’re a believer in your product, we are – I’ll speak for myself and I’ll think the same thing Joy is saying – I’m happy to advocate for that. I’m happy to share my experiences. Don’t come ask me to do that first. Make my team happy first.

[Joy Forsythe] Yes. I think that’s a really good point. This is something where investing in awareness, you have to have had some success and then you’re trying to make people aware of that success.

What’s the ROI?


[David Spark] Tracy Aymond, CBM Technology, said, “It’s a numbers game. For all the folks who will block the sales attempts, some will be open to a discussion. That is enough to solve lots of problems. People are busy and don’t typically respond with the first attempt. So, what may seem annoying to you is necessary to reach the intended audience.” You’re going to get a lot of debate on that, I know. John Overbaugh, CISO of ASG, essentially is one of the people responding to it. He said, “Sales come from building relationship. Sales bro oriented environments don’t get that, so they live, sleep, and die by the funnel. Make 200 calls, make a sale. I refuse to be part of those 200 calls.” So, I’m taking this to you, Joy. This is what he said, and I hear this so many times. Salespeople, you’ve heard it before. It’s a numbers game and unfortunately, we don’t have stats on what annoying 199 people means to make that 1 sale. What’s your thoughts?

[Joy Forsythe] We don’t have stats but I will say that if I’m getting a bunch of cold emails from people, I think in particular the ones that really frustrate me are the ones where there’s no way for me to opt out and you get repeated, even if you don’t respond, they just keep responding back over and over. Sometimes they’re weirdly personalized. I went to a university that has a mascot of a beaver, so I keep getting emails that say, “Go Beavers,” from some salesperson. That’s really weird. Definitely does not make me want to buy their product. So, maybe the numbers game works but again, I just keep coming back to is this where you want to spend your time and effort.

[David Spark] Geoff, how do you feel about being a number? This goes to essentially Randall’s initial comment is, “I don’t want to be marketed to. I don’t want to be a target.”

[Geoff Belknap] Yeah. Again, I bring it back to every time I have this visceral reaction to being targeted by a sales or marketing campaign, I want to go like, “What would work better? What’s a better outcome here that would make my life easier and the salespeople’s life easier?” Because again, having worked at several startups and partnered with these sales teams to target other people that aren’t CISOs, you’ve got to connect with your market in some way. And just as an aside, I’m drinking coffee from a mug that was sent to me from my college by a security salesperson – go WGU. And cool, thanks for the mug, but this isn’t going to make us buy your product. It’s not going to get my attention in the way that you want it. And so I always just kind of cringe at the amount of money that’s spent there is a way that just is not going to return that investment.

But bringing this back to the positive, I think where your investment is going to generate value is, again, target the people that have the problems. Find your frontline managers, find your frontline risk people, find your frontline detection people. And this is where we say things like be part of the community. And let me be specific about what I think that means. Find those people. Find out where they are talking to other people that have similar problems. Come to those events. Sponsor those events. Have somebody from your product organization or your presales organization come and present the solution at that event. If you can add value in that part of the community, your message will carry much further than just impressing their boss’s boss’s boss.

[David Spark] Let me make a comment about – and I want to hear both your thoughts on this – is I think about the nonprofit groups. The ISACAs, the ISSAs, the B-size organizations that are out there. And I notice from the people who attend there’s a great appreciation for the people who sponsor it because they’re making those events actually happen, and that’s a really good feeling you want from the community. Do you experience that yourself, Joy? Do you appreciate the ones specifically that target these nonprofit groups?

[Joy Forsythe] I mean, I definitely appreciate it. I think there were some comments about, “That’s expensive,” and I appreciate that. If you’re a big budget vendor, yeah, you should absolutely be out there sponsoring all these events. It’s going to get you face time with people that you want to talk to. And people, not just again CISOs, but actually people who are doing the work, who would use the products that you build. Those are the people you really want face time with. And so I think sponsoring’s great.

I think for smaller ones, I previously have worked at small vendors, and I used to go and talk at every little conference that existed because that was one of the things our sales team had done is they would find all these little conferences. And we had a bunch of different little presentations we could give, and they would send them off to these conferences and the conferences would be looking for someone to talk. And I definitely remember driving to Sacramento in a very, very big rainstorm which is a lot for us Bay Area people because I was speaking at a local Sacramento conference, and it was really useful for me. It was interesting, I got to talk to people, and a salesperson came along with me, of course, and they got to talk to the same people. So, to me, I think showing up is not just sponsoring but it’s also, again, putting together presentations. And it’s not just big-ticket conferences. It’s meet-ups and smaller local conferences too.

[Geoff Belknap] I can’t stress this enough. This is effectively how I got my start in security. I pivoted from telecommunications engineering. I went to a security startup because I had an interest. And I, just to learn and get involved in security, I went to all those little conferences that Joy is talking about, and I met a ton of people who are now very well-known in the industry. It came from you hang out at these conferences, you meet people, you connect with them. Yes, I was selling a product, or I represented a company that was selling a product. Some people didn’t want to connect with me, but I’ll tell you what. The overwhelming majority of people were happy to talk to me regardless of whether I was a vendor or not because I had an interest in the community and the space and I wanted to learn, and we absolutely made sales as a result of those connections. I never sent emails to CISOs or went on meetings just with CISOs. It was always focused on that community-building, and I think we might have lost sight of that a little bit in the industry.

Sponsor – Code42


[David Spark] Hey! I do want to mention our sponsor before we go on any further, and you’re going to want to listen to this so stay tuned. It is actually Code42 and they’re awesome and we are so thrilled of their continuing patronage of the CISO Series. They’ve been a great supporter for us for years. So, Code42, if you don’t already know this, is the insider risk management leader addressing the full spectrum of data loss – malicious, negligent, and accidental. Code42 delivers a SaaS solution built with the modern-day collaborative culture in mind. Did you know that there’s a one in three chance that your company will lose IP when an employee quits? I bet it’s even higher, but that’s what their data says. Economic uncertainty has created workforce volatility. A lack of confidence in job security means that many employees are taking actions to protect themselves, understandably. And they’re gaining the competitive advantage by downloading IP, customer lists, or sales strategy. All of this makes data protection more challenging. Code42’s product Incydr gives you the visibility, context, and control needed to stop data leak and IP theft. With Code42’s Incydr, here’s what you can do. You can see what data is exfiltrated without setting up strict classifications, eliminate excess alerts for your security team, contain data leaks without disrupting employee productivity, and maintain compliance with security standards and corporate policies. All sounds pretty darn good. Well, why not visit to learn more about Code42 Incydr – a new approach to data security.

Why are we blaming users?


[David Spark] Pierrot Ferland of SPAK said, “I don’t agree with your strategy. Your job as a CISO is to be open to the market and evaluate new products. By doing this – ignoring calls and marketing emails,” and by the way, this is all targeted towards Randall, “You will miss a lot of opportunities to learn about the new trends. If I were your boss, I would be angry reading something like this!” A little spicy, don’t you think, Geoff?

[Geoff Belknap] It is a little spicy. I’m going to disagree.

[David Spark] That’s a shocker there.

[Geoff Belknap] Well, I think it’s important just to be very direct about this and not coy.

[David Spark] Yes.

[Geoff Belknap] It is not my job to make sure that I am evaluating new products as they come out. Is it something that I do?

[David Spark] You just wouldn’t have time to do your job.

[Geoff Belknap] It just isn’t. But let’s just be clear. It is not a CFO’s job to evaluate all new spreadsheet technology that comes out. It is not a lawyer’s job to evaluate all new copies of software that write legal documents. It is not the CEO’s job to evaluate something that displays new metrics or new sales techniques. It is our job to run our part of the business. And in my case, specific to my job at LinkedIn, it’s my job to protect our members, to make decisions that protect our customers, and to ensure that we’re making the right decisions when we balance all the equities and the risks, that we’re protecting our business. It is not my job to give time to salespeople and to evaluate new products.

Now, is it important? Do I find value in doing that? Yes. But to sort of take that position that the CISO is not doing their job if they are not responding to these sales calls I think is just wrong. And I think that kind of comes to the whole crux of this discussion that Joy and I have been talking about. We need to kind of change how we think about how we market and sort of target people to learn more about these products.

[David Spark] And let me just pause right there and we’ll go to you, Joy. Is that to start with that expectation it’s your job to know this and this is what derives the anger. But as you said, really part of your job is to know what’s going out there. It is kind of their full-time job to make a product and sell it. That is their full-time job. Your job is to, as you said, protecting your business and its members, and a portion of that is learning about new technology. It is just a portion. And then your specific company is a portion of a portion. So, it’s a pretty thin slice. Joy?

[Joy Forsythe] I was just going to say that I think it’s also that if it is part of my job, then I have a limited amount of time and there’s a lot of companies to learn about. So, what’s the most efficient way to do that and how do I make sure I spend my time on the most valuable companies? And I don’t think that reading emails is really the efficient way to learn about companies.

[David Spark] Very good point.

[Joy Forsythe] I think we all know that those emails have very little actual content. So, I’m always going to choose the approach that gets me high signal, like which companies are actually helping other people. That’s a pretty good signal they might be helpful to me. And then high value – how can I actually figure out what this company is doing? And that’s where, again, I think one of the challenges for me is if I am interested in a vendor, if somehow, they did intrigue me, the information I want is never going to be in those emails, it’s never going to be in those calls. Because it’s going to be how do they solve problems, let me go look at some case studies, let me have someone on my team look at some of the technical documentation.

And then here’s the other part. Where’s the pricing information because can I even afford this product. Because if it’s something that’s so far… I mean, I tend to work for smaller startups, I love working at small startups, but that comes with it some budgetary concerns. So, am I really going to spend a bunch of time on a phone call with someone and then three more phone calls and then find out that this is just not a product I’m every going to be able to purchase?

[David Spark] Okay. This is really important. I want to get into this pricing thing before we go on any further because this is a really, really good debate. Because most B2B products do not publish their pricing unless they’re self-service SaaS type products. But there has to be a point that you know the pricing and sometimes you have done your due diligence and you want that information right away. And actually, Dan Walsh was on the show, and we talked about this, and he says, “When I’m saying give me a ballpark of the price, I’m not going to hold you to it, it means I’m trying to fit you into my budget. And if you can’t do that and you force me into a big meeting, then we’ve got a big problem.” Geoff?

[Geoff Belknap] I agree. And certainly I’ve been on both sides of the spectrum. I’ve worked for startups in the very early growth phase, and we’ve migrated and worked at the higher growth and more mature phase. Budget is still a concern. I am blessedly very well-funded in my current job but budget’s still a concern. I have high scale. That means if I’m interested in any product, there’s hundreds of thousands of licenses that I’m probably going to need for anything and that adds up very quickly. So, I have definitely felt this same struggle of this might be interesting, but I need to know what the ballpark cost of this is going to be upfront to even understand whether this is worth considering. And that can be very, very difficult to get to because of course, people want to gate that behind very many meetings. Which let’s be frank. It’s because that’s how they’re measured and incentivized.

The reality is if we get to another suggestion that I think helps solve a problem here, this is why I advise so many startups, especially security startups, to potentially investigate a ground-up go-to-market motion. Which means I’m not going to name any other specific products here but there are many, many products where you can just try it yourself. You don’t need a meeting. The pricing’s on the website. Now it might be the free version or the pro version or the low-end version of the product before you get to the expensive versions. But if I or one of my engineers can just try it themselves for 5 or 10 licenses for very cheap or for free, we can immediately get a sense of whether this thing adds value, whether we can afford it, and whether we want to go further. And think of all the meetings that we’ve cut out by just trying it ourselves because it was interesting. Now yeah, you have to get our attention, but make it easy to quickly let us determine if there’s value and then we can have that conversation. We can build a relationship from there.

[David Spark] Joy, I want to get your thoughts on the whole pricing issue, the frustration of that. I mean, you do understand that publishing it for many is a tough call, but how would you like to get that information then?

[Joy Forsythe] I mean, I think for me, there’s two ways. If we can do a freemium POC type approach, amazing. And I’ll do that without necessarily a ton of pricing information because I can just go do that, we can play around. And then at that point, when we start to be like, “This is actually a thing that could solve our problem,” we’re going to want the pricing information because that’s the point where we have enough information to start talking about budget, so we need to know if it’s even in the realm of possible.

I think there are other products where they haven’t enabled that, or it doesn’t make sense for their business model for some reason. Maybe it’s one of those products that requires a pretty significant investment upfront. I’m willing to have conversations about what are the problems I’m trying to solve, what are my requirements. Which if I’m actually talking to a vendor, I want to have a list of requirements or at least a pretty good idea of what problem I’m trying to solve, and I’m happy to share that with the vendor at first because I recognize there’s not a one size fits all.

But if we’ve had one to two meetings and we’ve had that conversation and you’re not willing to give me pricing information yet, then to me it starts to feel, “Oh, does that mean that I’m not going to be able to afford this? Then in which case, why am I spending time on you?” And I’ve had experiences where I do finally get the pricing information and that is actually it turns out to be true. This is so far out of the ballpark that we’re just not going to proceed any further.

What would a successful engagement look like?


[David Spark] Magdalena Kernie of Egnyte said, “Some salespeople belong to organizations that don’t have the resources to sponsor such events. Such events and community involvement don’t make you want to buy my product.” I don’t know if I agree with that, but she goes on and says, “You may respect us and like us, but only pain can make you buy our product,” true, “And pain comes from open and honest conversation.” Don’t know about that, I want to get your thoughts on it. Mark Fermin of Ingram Micro said, “The vendor landscape is already huge and crazy. We’re all trying to get a piece of the addressable market. But at the end of the day we need to go back to basics and focus on the things that ultimately bring mutual success in solution sales – building trust and relationships.” So, some different feelings about how you target. Mark sees building trust through maybe – he doesn’t say it – but through these community events be valuable. Magdalena thinks, “Ah, it’s great. You’ll get aware but it’s not going to cause you to buy.” What are your thoughts, Joy?

[Joy Forsythe] Well, she’s right that I’m not going to buy something because I like you, but I will buy something because you solve my problem. And that’s where none of these emails convince me that you’re solving my problem, so I don’t see how that’s a better sales strategy than sponsoring an event. I think if sponsoring an event isn’t in your budget, then find other ways to be present at those events. Again, I think we talked about it before, it’s the go and give talks, do demos, have conversations, physically just showing up. Or in the case of now maybe it’s not physically but it’s participating in other ways.

Honestly, I think if there is one type of cold email that is successful, it’s when vendors actually send out sort of webinar invitations talking about a topic that’s of interest. I have junior people on my team and so there have been a couple good webinars that have come through on topics that I’m like, “This is useful for someone on my team. Maybe I’ll point them to that.” And they’re going to go and learn some information and maybe learn about your product. That might be a way to participate in the community that isn’t going and sponsoring an event. A webinar’s not super expensive to hold. Those are the kinds of things that I think would be more valuable sales strategies than just cold emails asking me if I’m going to respond when I haven’t responded three other times.

[David Spark] Good point. By the way, if those people listening don’t know, CISO Series has a program called Super Cyber Friday which is an alternative to a webinar, and we talk about any topic you would like. Geoff, just a little plug for CISO Series right there, isn’t it?

[Geoff Belknap] I know. I was just laughing. It’s so self-serving. But at the same time, the whole point, like the whole reason I got involved with CISO Series, especially this podcast, was so we could have some deeper conversations like this. I mean, the entire CISO Series network started so we could solve effectively this problem. How do we bridge the gap between people who provide solutions and people who need solutions.

[David Spark] And by the way, this is not the first time we’ve done an episode on this either too.

[Geoff Belknap] No, no. So, people are not bored of this, and it’s still not solved. But I do think it is getting better. Now what I was going to say about that is Super Cyber Friday, maybe this isn’t the solution for everybody, but it’s an example of this is a unique way that people can find out about solutions without you having to target them directly. And again, I don’t know what the new solution is. What I do know and I have very high conviction of is that we can no longer rely on just targeted emails and then kind of what Joy and I, both of us have experienced, is the six follow-ups of just bumping this up to your inbox, and then the final one that’s like, “Well, I guess you don’t want to be friends.” And I’m like… It’s very frustrating I think for both of us.

[David Spark] Yeah. Questioning you.

[Geoff Belknap] Yeah. But I go back to what Joy said earlier. It’s like A, if your solution is so complicated that it takes a lot of work to implement it, then your solution probably doesn’t belong in the space. And two, if you can’t find a way to engage the broader community other than just the CISOs and the CIOs, hire a new marketing person, hire new BDR people, we have to rethink how we do this. And to be clear, I don’t think what you’ve heard either Joy or I say is, “Go away salespeople forever.” That is not what we’re saying. What we’re saying is we have to find a different way for information about your solution to reach us so that we can do our jobs and so our teams can discover these new products and we can decide if we need them. It’s just not directed email.

I will just say here I’m a big fan of Mark’s point that we have to build relationships. The relationships have to sustain for the long term. I have absolutely built relationships with salespeople who have moved to different companies, and I will still take that call because I know that I have a relationship with that person, that I can trust them, that they know what kind of problems I face and how I like to solve them and how we like to look at buying something new. I can’t stress enough – if you’re a salesperson, be thinking of the long term.

[David Spark] Can’t stress that enough, yes.

[Geoff Belknap] Don’t think about selling this thing at the company you’re at now. Build that relationship. And you’re only going to do that if you go to a conference. If you go present in a meeting, if you meet me someplace other than my inbox, you have a thousand percent higher chance of building that long-term relationship. It’s not going to happen with a cold email.

[David Spark] Let me close with this question for you, Geoff, and I don’t know how active you are in social, Joy, but Geoff, have you built a relationship with somebody who you were first introduced to because they commented on something that you posted?

[Geoff Belknap] You know what? I absolutely have. Especially, now that I’m thinking about it, now that I’m doing this sort of experiment of meeting earlier-stage startups, there have been several where they’ve been really interesting, engaging products. And I think they’re generally cool founders and they are solving real problems and we’ve absolutely had follow-up and longer-term engagement. Which is why I encourage anyone listening to this, if you are a security leader, think about modeling a similar approach to what I’m taking here of you set aside a little bit of time, either every week, month, quarter, whatever it is, and open yourself up to take some meetings from startups that otherwise wouldn’t reach you. And I can assure you my team is frustrated that I opened it so widely because I think I have like a year of these appointments backed up. But lots of people will be very excited to spend some time with you. And if you can control that time and you can limit it, there’s a lot of value that can be derived from that.

[David Spark] I’ll let you have the closing comment here, Joy. Are you active in social at all and have you engaged with people either I guess at an event or online like this?

[Joy Forsythe] I love a hallway track of a conference; I think that’s my favorite. I will talk to pretty much anyone at an event. I think in the COVID times, I’ve done more virtual. I wouldn’t say I’m necessarily super active on public social…

[David Spark] That’s fine.

[Joy Forsythe] …but some more private smaller networks? Absolutely. I’ll talk to people. As a result of that, I’ve done calls with startup founders, and I tend to be very open about whether or not I’m in any way in the market. And if I’m not in the market, I often am actually perfectly happy to look at what they’re doing and give them feedback based on previous roles and just my general thoughts. And then there’s a product that I know something about, that in the future, if it turns out it actually is valuable to me or someone I know, I’m going to have a lot of information about it. But to me being able to actually see what your product does, talk to you about what you’re thinking about as you build it, that seems much more valuable than any interaction you’re going to get in more of a cold email way.

[David Spark] Very, very good point.



[David Spark] Well, now we’ve come to the point of the show where I ask you which quote was your favorite and why. Joy, which was your favorite quote and why?

[Joy Forsythe] I actually like the quote from Rich Chen at West Monroe, but I like the full quote, you sort of cut it down. The first part was, “I think how you reach out matters. Building a relationship with me after meeting me at a conference or another setting, sure, I’m open to hearing what you have to say.” And that’s absolutely how I feel.

[David Spark] Very good point.

[Geoff Belknap] That is a great point, yeah.

[David Spark] All right, Geoff. Your favorite quote and why.

[Geoff Belknap] I’m going to do something a little weird here. I’m going to pick – and boy, I hope I’m saying this correctly – it’s Pierrot Ferland from SPAK.

[David Spark] That’s what I think. Or I said SPAK, it might be S-P-A-K, I don’t know. Apologies abound, Pierrot, if we’ve mispronounced your name or your company name.

[Geoff Belknap] Yes. I’m sure we’re doing this all wrong. But they said, “I don’t agree with your strategy,” talking to Rich, “Your job as a CISO is to be open to the market and evaluate new products. By doing this, ignoring calls and marketing emails, you’ll miss a lot of opportunities.” And I think I get the point, but I think it just gets to the crux of the matter. This isn’t our job. We’re not hired to evaluate new products. And I think we have to reevaluate how we connect with people, and this is a great example of there is frustration on both sides and we both need to find new ways to approach the problem. But I think this highlights that exactly.

[David Spark] I will close with this. I spoke with Wendy Nather when she was at the 451 Research Group, and at the time, there were far fewer vendors than there are now. And she said, and I don’t remember the numbers, but it was at that time her job to evaluate products and she couldn’t deal with it, and that was her full-time job. So, even when that is your job, it’s extraordinarily difficult to do and even harder today when there are tons more vendors. Joy, thank you so much for joining us today. I greatly appreciate it. Are you hiring over at Thrive Global?

[Joy Forsythe] I’m not at the moment but always happy to meet and talk with people in the industry and learn more of what you’re doing.

[David Spark] All right, very good. And I know things are always moving, ebbing and flowing at the wonderful world of LinkedIn. Correct, Geoff?

[Geoff Belknap] Always. We’re always looking for new talent and interesting people. If that is you, please check out this little website we’ve made, go to, and see if we’ve got something that matches your experience and interests.

[David Spark] And if you for some reason don’t want to work for Geoff, it is also a great place to find a job anywhere else.

[Geoff Belknap] Yeah. Like from Joy.

[David Spark] Yes. And I want to think our sponsor again, Code42. Remember, their website is – reimagined enterprise data protection for insider risk. A huge thanks to Joy. A huge thanks to you, Geoff. And thanks to our audience. We greatly appreciate your contributions and for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe, so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site,, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at Thank you for listening to Defense in Depth.