How to Follow Up With a CISO

Cyber sales is hard. But don’t let the difficulty of doing it get in the way of your good judgment. So what is the right way to follow up with a CISO?

Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Jack Kufahl, CISO, Michigan Medicine.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor SolCyber

At SolCyber we’re hell-bent on delivering Fortune 500 level cyber security for small and medium-sized enterprises. When you’re being targeted by the same bad guys, nothing else will do. We bring to the table a curated stack of leading technologies and around-the-clock SOC support, all simply priced per user. Let us do the heavy lifting.

Full transcript

[David Spark] Cyber sales is hard, but don’t let the difficulty of doing it get in the way of your good judgment. So, what is the right way to follow up with a CISO?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me for this very episode is the one, the only Geoff Belknap. He is the CISO of LinkedIn. Geoff, thank you so much for joining us today.

[Geoff Belknap] David, thanks for inviting me back. I’m always happy to be here.

[David Spark] I’m always happy to have you on. Our sponsor for today’s episode is a new sponsor. We’ve had him, I think, just one or two episodes prior, but it is SolCyber. Bring simplicity and affordability to your cyber security. Aw, affordability. Not many companies pitch that element of cyber security, which rings true with everyone. Anyways, more from SolCyber later in the show. Now, today’s topic came up from Jason Chan, who used to run security over at Netflix. He posted an image from an email that just said, “Hi, Jason. I’m following up on the previous email.” To which Jason added the caption, “Please don’t.” There was an insane response – over 1,900 reactions and 360 comments. Salespeople feel compelled to keep prodding, and security professionals don’t like to be prodded. I think, and I’ve said this before…I think the reason this happens is the way salespeople are measured and the pressure they’re given. They feel compelled that they have to do this, and it’s a tough job. Geoff?

[Geoff Belknap] It is a very tough job. I feel a lot of respect and appreciation for people in the sales industry, having worked at several startups, like real startups where we were starting from nothing, and supported the sales team. I have worked directly with those folks, and I’ve been a sales engineer. I’ve supported sales teams directly early in my career. It is probably a harder job than working in security, if not equally hard. But the reality is the CISO role has got to be one of the top five roles that are targeted by salespeople or business development reps or account development reps.

[David Spark] I would go to top one in fact.

[Geoff Belknap] Yeah, I have a hard time imagining who else is getting more cold reach out and getting targeted for more sales. It sets up this situation where it’s very challenging. So, I think today would be a great conversation to have about what do we do about it.

[David Spark] I’m going to reassert… We were just talking about this before we all went on microphone. The goal here is to be as positive as possible. We don’t want a litany of, “Don’t do this. Don’t do that. Stop harassing us. Don’t do that.” Honestly the whole CISO Series brand started because there was far too much of that, and it wasn’t helping anybody. And so our goal to help, and the person who’s going to help us on this journey is the CISO over at Michigan Medicine, Jack Kufahl. Jack, thank you so much for joining us.

[Jack Kufahl] Thanks for being here. This is going to be fun.

What is everyone complaining about?


[David Spark] Jim Wellington of Just Me said, “You as a company or CXO blowing us off if we have composed a thoughtful response is pure arrogance. Simply respond you aren’t interested. I can personally vouch I won’t bother you again in that regard.” Stephanie Moulder, TMC Transportation, says, “It takes a lot of courage to cold call people. Instead of treating us like something you stepped in, just give us the courtesy of saying you are not interested. You are never too big to be nice to people.” I kind of like that last comment there. Michael Donnelly of Orca Security said, “Reps are in a no win situation. They’re either pissing a prospect off or not doing enough in the eyes of some.” You hear a lot of frustration in those comments. One thing that I didn’t see in the comments is what a lot of people don’t understand is you’re not the only one. If you were the only one, it wouldn’t be the problem. The problem is it’s a litany, and that’s I think what pushes a lot of CISOs over the edge. Yes, Geoff?

[Geoff Belknap] Yeah. Look, let’s level set for a second. I’m curious to hear if Jack is running into the same situation, but I’m just going to throw it out there. My email is worthless to me. I don’t mean that in the sense of you emailing me is a bad idea. I mean I get so much inbound email that I can’t use my email most of the time in a reasonable way. I literally have to filter off all external email to a separate inbox and then manage the things I want to get in my main inbox through an allow list. That is not a great way to use my email, and it is largely because I get so much cold outreach. So, what I would really like to do is I would love to respond to everybody and do a quick little like, “Hey, thanks. I’m not interested. I’m not looking for this right now.” But if I did that, I would literally…and I’m not being hyperbolic here…I would write about a hundred emails a day. That’s not a reasonable thing for me to do. I’ll say… And this is somewhat self-serving. It is much easier for me to do this on LinkedIn because on LinkedIn there’s an option for me to say, “No, thanks.”

Or just click a button that says I’m declining interest. That’s more workable for me, but I get 30 of those a day. So, I completely understand as Michael Donnelly has pointed out that reps are in a no win situation. They are under incredible pressure from their leadership to make contacts, and drum up and build new business. And people like Jack and I, we do our jobs but also deal with the fact that we have an incredible amount of cold outreach coming to us. I’ll tell you the really hard thing for me…and then I’ll turn it over to Jack here…is I probably want to hear from some of these companies, but it is very difficult for me to do that based on the volume of outreach that I get to make a decision about which one of these new things am I going to read that I need to contact. So, I do think we need to talk about new ways to reach out to people because email is definitely not working anymore. I don’t know. Jack, what do you think? Does any of that resonate with you?

[Jack Kufahl] Yeah, I agree with that. I come from sort of the school of thought that email is quite evil, but we just can’t seem to get rid of it. I agree – the volume is insane. If you do take on the goal of managing your inbox, which quite honestly a lot of my peers have just given up… They just declare email bankruptcy and just dump tens of thousands of messages at the end of the quarter without ever touching them. If you do manage that inbox, what are those internal versus external sales versus non sales…those filters, they don’t even hit the radar. I also agree with you though, some of my strongest partners in building a cyber security program have been our vendors, and our sales engineers, and our sales reps. So, there is just missed opportunity time and time again because the cold call mechanism is just so easy not necessarily just to ignore but to be indifferent towards. That you can’t use it as a sorting mechanism to figure out what you could possibly be interested in. Or even what a company does and if that’s a market that you’re looking for.

[David Spark] This is going to come up also later, but I get this question all the time. There’s this theory that there’s some magical combination of words to put in a subject or in an email that gets a CISO to open the email and respond. I think what you’re both saying is we just have to be thinking about this a completely different way because there is no answer to that question. What do you guys think?

[Jack Kufahl] I agree. I don’t know if it’s a completely different way. Certainly sales was occurring before email, before cyber security, successful sales. So, it could be reexamining successful sales techniques, which probably all go back to what I often refer to what is that network of networks. Some of the most powerful sales conversations I’ve ever had with a vendor have come at the invitation of a respected peer or colleague, not necessarily a cold call. And knowing who has the best kitchen knives hasn’t come off an infomercial, it comes from somebody who also has those good kitchen knives. So, building that network of networks I think is critical to how we build those relationships between vendor and consumer.

[Geoff Belknap] Yeah, I’ll respond to this and say I think the volume is so high. I really don’t get a chance to do anything but skim these things. I’ll give you an example. It is about 10:30 in the morning. We’re recording this podcast. If I look at my inbox that’s external emails, I already have 48 new emails that I haven’t read yet that are all external that are almost exclusively from vendors. There’s no reasonable chance for me to actually read through those. And it’s only 10:30 in the morning. I’m going to get more of those. I think my take is there’s no magical combination of those emails. It’s going to have to be email plus some soft expectation that I should be looking for that.

How do I start?


[David Spark] So, one of the things that I’ve heard again and again is that people buy from people and that process of cyber security is built on trust, and CISOs also need trust in their vendor relationships. I hear the comment of always wanting a partner. Here’s some quotes on just this topic. Jillian Kronfuss of Maple Street said, “Persistence is what pays off and building trust.” Neil Saltman of Sotero said, “Warm intros is the key. Number one way CISOs validate solutions is by talking to their peers.” That one we hear all the time. Ben Griffith of Tufin said, “An email sent without some sort of context of a previous phone call, conversation with a peer, known business need, etc., should never be sent.” That’s an interesting end to that. What do you think of that? If you are sending an email that doesn’t have a connection to something else, never send it. What do you think about that, Jack?

[Jack Kufahl] Nah. I don’t agree with that.

[David Spark] Okay.

[Jack Kufahl] I think persistence and some of the other references and where those connections, sort of what is the multichannel communication that you’re leveraging. But to say an email should never be sent… But I do think with credit to Ben, the idea that it should then be particularly customized or particularly appropriate… There aren’t five uniform magic words that are going to make a CISO open mail. But understanding where that personal connection might be or a toehold in understanding the problems that that CISO, that sector, that industry may have is probably enough to have that cold email that has no other connection to be read. If it is just a form email that could be sent either to my industry, being healthcare, the same one they send to finance, the same one they send to manufacturing, that comes through pretty clear. It also comes through that that is not a cold email. That’s a frozen email. Frozen emails probably should never be sent.

[Geoff Belknap] I think we’re probably getting a little too good at pattern recognition that people like Jack and I can recognize a form email or a template email a thousand yards away. I really feel like Neil was onto something here, but I want to highlight warm intros is the key. I almost always when there’s a warm intro…it’s because someone that knows me, whether it be Jack or somebody else…is like, “Oh, you know who’d need this? Geoff needs this. I’m going to make this introduction.” It is almost never, “I will introduce you to this person, and I have no idea whether they need your product.” They know me. They know what I’m doing, going on. And that’s why it works. But warm intros can’t be the only thing. We have to be realistic. Nobody can build a business just hoping to build warm intros. That’s why I think warm intros works. I think getting yourself out there so that there is the ability for me to contact you and know that you exist in some way that’s not email is good. I think, again, LinkedIn messages work really well for me and some of my peers.

Although I think the problem is a lot of business development reps sometimes treat LinkedIn messages like form emails. I think honestly if we just boil it down, that is where this all fails. When it’s a form email that’s written and there’s no idea of who you are and what your business is and what you need, it just doesn’t work. It just creates that animosity. But if you get the idea that this is something I really need and not just because you could imagine I need it, that is when that connection works. I think what we really need to do is flip the BDR industry on its head and like how do we build those warm relationships, how do we build those connections, how do we make more CISOs available to get pitches. I don’t know if it’s like I just need to make an hour on Fridays available for people to give speed pitches or something, but we have to break the cycle of this.

[David Spark] Allan Alfred did that.

[Geoff Belknap] How did he turn out on that?

[David Spark] I don’t know how he’s doing it now, but he once a year put a post out saying, “I’m setting aside an hour, two hours every week to listen to pitches.” I think it was even more. Maybe three hours or so. And he had like three things. He goes, “Go ahead and pitch me. This is how exactly I want the pitch.” By the way, when he said this, every salesperson was like, “Oh my God, I wish every CISO explained how they wanted to be pitched to.” It was like, “Tell me what is it you do, how you differentiate it.” I can’t remember the third one but very quick and things you could put in three bullet points and be very quick and easy for him to scan, and know, and also listen. Because one of the things he said that I think is really, really critical is that if CISOs only get recommendations from other CISOs, what happens is you get an echo chamber. It’s very hard for a new player to come into the market. And so what he said… He goes, “Part of my job as a CISO is just to know what’s out there and to be educated.” He gets a lot of education from doing this process. So, he thought it was critical for his own knowledge and edification as well.

[Geoff Belknap] I feel like this is something I should do or more of us should do is set aside time to do this and open it up. I think Allan is onto something. I don’t know. Jack, what do you think? Have you ever done something like that?

[Jack Kufahl] I’ve done creative calendar blocking where I’ve said, “Oh, hey, this is how I’m going to use this time.” If I’m passing forward these vendors to be scheduled at this time, this time, and this time, they sort of get time boxed, so this takes it to the next evolution of actually telegraphing to vendors like Shark Tank style, that there’s an opportunity here, but it’s got to follow our rules. So, I think being transparent and negotiating basically with your vendors or your potential vendors about how you want to be engaged has got to be half the battle for a vendor.

[David Spark] I will also throw out, we’ve had Hadas Cassorla on the show, who’s the CISO over at M1. When she does set up a meeting she sends out a letter saying, “This is how we want you to engage with us,” and explains, “There’s a reason we’re talking to you. Just get to the product at hand. We do not want to be introduced to the whole team. We do not want a backstory. We want to know about the product.” I think that’s another critical thing…a job on the practitioner’s side they can do – explain clearly when the meeting happens how they want to be engaged. Again, vendors would love that.

[Jack Kufahl] I think another thing that vendors can really bring to the table is even though in a CISO community or even a subsector, like a manufacturing CISO community… They’re a dime a dozen. They’re all over the place. One thing that does bridge us together is vendors have more lateral access to people like us and can help contextualize our different business needs and our problems in ways that we haven’t thought about before.

[David Spark] Good point.

[Jack Kufahl] So, I often look at vendors as that matchmaker to be able to say, “Well, the way you’re approaching this is where healthcare system A was two years ago. They used one of our products. They also used this product, this product, and this product.” So, another way to navigate… There is never too much of that, that sort of collaboration. It doesn’t have to come from just colleagues. In fact the most powerful connections are coming when they’re brokered by vendors. What I was going to mention similar to that is however you get that first meeting is one of the first barriers, but it’s not the only barrier. So, it’s also a question of what do you do – what happens when the dog catches the car. And so, okay, what happens when you get that meeting. I’m far more inclined to join a meeting with two other CISOs that I know than I am to take an individual call with a vendor because the conversation and contextualization there is critical. I think that’s good for us and good for the vendors to get that type of interaction, sort of a force multiplier.

[David Spark] I will close this segment out with a plug for our new show, Capture the CISO. What you just described there, Jack, is exactly the reason we created that show. Season two to be in development.

Sponsor – SolCyber


[Steve Prentice] In the mid-market, complexity seems to be a challenge for organizations who often don’t really know how much security they actually need. This is why SolCyber provides a solution called Foundational Cover, as CEO Scott McCrady explains.

[Scott McCrady] Foundational Coverage allows you to get a really robust security program stood up in 30 days in a very easy and cost effective manner. And because of that, you can pivot that into cyber insurance and get preapproved on your cyber insurance policy while at the same time getting up to a 30% discount on that same policy. And so we help solve two different problems, which is 30% of policies are getting knocked back, getting rejected, and policy increases are 15% or more for most organizations. And so we’re trying to help solve those two problems as well, by using SolCyber.

[Steve Prentice] Their mission, he says, is to solve a big problem by bringing it down to a manageable scale.

[Scott McCrady] There’s dozens of different service acronyms. The combination of sorting through those to get to a good security program is incredibly difficult, time consuming, and relatively financially painful. So, we try to solve that by bringing something that we know works, and that is the minimal effective amount of security you need to have a very resilient operation that can actually withstand a variety of different types of attacks.

[Steve Prentice] For more information visit

What aspects haven’t been considered?


[David Spark] Thomas Freese of QBS Research said, “I would assert that how best to follow up on cold calls completely misses the point. Most of the challenge for sellers today is creating compelling reasons for potential buyers to want to engage with you the first time rather than racking your brain to figure out how to recover from ineffective outreach tactics.” Very good point. Leif Eric Fredheim of Currys PLC said, “Sales in this day and age should be more about making oneself visible and attractive, and less about pushing oneself onto potential customers, less direct and more indirect.” Now, Geoff and Jack, I don’t know if you know, Andy Ellis has this very well known vendor rejection letter. He’s got it open as a blog post. He sends it out automatically when he’s rejecting vendors. The bottom line of why he’s rejecting… He just says, “If you want me to know about your product, be awesome. I’ll hear about it.” Geoff, you’re nodding your head back and forth. You don’t quite agree.

[Geoff Belknap] I’ve seen Andy’s thing, and I think it’s great. I think the challenge…honestly the challenge for me as I’m going through this episode and I’m trying to think of ways to be informative and helpful for our sales partners is… So, it’s very easy, and I immediately personally and professionally identify with Andy’s intent here of, “Be awesome. I’ll hear about you.” Well, I’m not going to hear about you if some other CISO or security person doesn’t respond to your cold email. I’m not going to hear about you if you don’t get the attention of some critical mass of people. So, it’s sort of like chicken and the egg. You have to do cold emails, and cold phone calls, and cold voicemails or whatever because at some point you have to get somebody that’s going to talk on your behalf and advocate to the CISO or security community. That doesn’t happen if you just sit on your hands and try to make… You could make the world’s most awesome product. And maybe I’ll date myself, Beta was better than VCR. People didn’t just gravitate towards Beta. I think I just lost all of the listeners.

[David Spark] I’m with you. Actually not Beta versus VCR. VCR was the category.

[Geoff Belknap] VHS. Sorry. Thank you.

[David Spark] Beta and VHS.

[Geoff Belknap] But the point is you can’t just be awesome. You have to also take your destiny into your hands and get out there and sell your narrative and communicate your value. So, I think what we really have to do is maybe get inspired by what Allan is doing. I also think CISO Series adds a lot of value. Even the bumpers here, we’re letting vendors talk about the value they add. There just has to be more and more new ways to communicate the value that you as a vendor offer without it just being an email to me. So, I think really that is over with. The email at this point is the follow up. If we’ve had a good engagement some place, you can send me an email. I’ll probably reply to it. If I’ve never heard from you, an email is not the way to build that new relationship for me. For a certain class of buyers.

[Jack Kufahl] Right.

[David Spark] Yeah. And also everyone is different. Jack?

[Jack Kufahl] Yeah, I try to look at myself and say, “Hey, I’m just an average CISO.” I don’t know. But if it’s only an email, like Geoff was talking about, it just doesn’t resonate. It doesn’t matter what that email is. I joke… I work for an institution where it is verboten to take any sort of sales tchotchke or pens.

[David Spark] Because I know that others have a $50 maximum or something. You can’t even take a pen?

[Jack Kufahl] Can’t even take a pen.

[David Spark] Wow.

[Jack Kufahl] I think we used to have a five dollar limit, and now quite honestly though it’s also don’t tempt fate. It’s how do you set an example and so forth. So, the enticement of a steak dinner or the enticement of a really good nerf gun… I get it. You’re trying to be creative with the tchotchke, but it’s also telling me you don’t know who you’re selling to. So, how you get past that…

[David Spark] Have you received things and had to send them back or just give them away?

[Jack Kufahl] Because I’m in a position where it’s not just the CISOs that are being assertively marketed towards, it’s the whole CISO staff… I have risk associates, or cyber operative associates, or even project managers that get these things. I have the director of my program office, which is a nontechnical role, got a video game setup the other day in the mail from a vendor. Sort of cold call.

[Geoff Belknap] Good Lord.

[Jack Kufahl] It’s one of those things where not only do we say, “Hey, we shouldn’t accept these. We talk about not accepting these.” But we typically will also call the vendor and say, “Look, I don’t want you to waste your money on us. You shouldn’t send us these things.” But more importantly, most universities are probably in the same boat. So, there’s that sort of aspect to it about tactics that just don’t work. I don’t know about Leif’s comment about less direct and more indirect. I go back to this idea that Geoff was talking about – if it’s only an email. Email is really a secondary protocol. But if you’re at the conferences I’m going to, if you’re in the media streams I’m paying attention to, if you are being used by peers that multi vector sort of engagement is really the only reason why different brand names and different products are even recognizable. But I also want to point out that to a point you had made earlier, you don’t want to get into this echo chamber and only use what other CISOs are using. That comes to the idea about how especially smaller companies market themselves.

We try to do a vendor portfolio that is not just all the big security brand names. We use a lot of big security brand names. We use a big part of their catalogue. But we also reserve certain portions for those innovative companies if for no other reason to be engaged on wherever the market is. But hopefully also give our staff who are implementing these technologies the exposure and the variety. So, some of the things that are real market differentiators for smaller security organizations are things they’re not even talking to us about. “Here’s how we can engage your staff with a different type of variety than you’re getting from maybe one of the big box sort of security shops.” That variety is an important talent engagement strategy for us, and talent retention is not just about compensation. It’s about all these different factors. I think vendor involvement is key to that.

Who has a solution?


[David Spark] Here’s a good quote from Tiana S. of AWS. Stay with me, it’s a long one. Tiana says, “There is no clear guideline on how to reach out to people, and many who start in sales will begin their journeys generating conversations with prospects and customers. It is a trial and error for most in this field. Sometimes we have to let people learn what would work best. So, instead of posting a disliked email, why not email them back with some thoughtful and valuable experience that you have had with a salesperson so they can better understand what you value and how to approach their future prospects? I’m a strong believer in sharing knowledge and instead of something being a negative experience turning it into something positive for both sides.”

I will echo something that Mike Johnson said. He put up a post entitled “The Post That Wasn’t” where he did get a negative response from a vendor. And instead of posting, and ranting, and complaining about it, he said, “Wait a second.” He mentioned it on a Slack group. And someone said, “Oh, I know the marketer over there. Or the head of sales over there. They’d like to know that this was going on.” So, he reached out to that person’s boss first to just explain and get the situation worked rather than making it a public nuisance. I thought that was kind of a good way… It wasn’t a design like, “They were doing this awful. Fire them.” But it’s more like, “Hey, do you know this is going on? This needs to be retrained.” Geoff, what do you think about that tactic?

[Geoff Belknap] I have thoughts all over the place on this. I think first of all, I remember that conversation in the Slack group with Mike about that, and there were a bunch of us that were on all sides of the issue. I generally think the number one thing we need to avoid as security professionals is… And I’m guilty of sort of falling into this trap. Is venting publicly or overly venting publicly. Because, look, your job is hard.

[David Spark] Also naming names. I get really annoyed when people start naming names.

[Geoff Belknap] Yeah.

[David Spark] It’s cruel.

[Geoff Belknap] Well, I’ll say I think it’s okay to name names when it’s especially egregious. I’ll say there have been cold outreaches that I’ve gotten that have been like, “You’re breached!” And then you go into the email, and it’s like, “Wouldn’t that be a terrible email to read?” And I’m like, “Don’t ever send an email again.” For somebody in my role to send an email like that, it’s just unreasonable to do these gimmicks. But, look, if you’re sending an email… I think what is very fair and with the benefit of some time and distance from whatever the emotion is that that email made you feel that is probably unrelated to the person that sent an email and probably more related to whatever is going on in your day… But with the benefit of emotional distance from that email, I think it is actually really useful to post the email. I don’t think it’s helpful to post the company or the name of the person who sent it because you’re not trying to make them feel bad.

[David Spark] Yeah, and I’m fine with that. I’ve done things like that before, too. But yeah, don’t expose the company or the person.

[Geoff Belknap] Yeah, but post the email. Then give a little comment of like, “I thought this was good.” Or, “I thought this part was good, but this didn’t resonate with me. Here’s what we could do better.” Because I think to Tiana’s point, I think it’s exactly right. It is helpful to build a broad knowledge of where this kind of approach landed or didn’t land. I think it’s more helpful to do that in a broad place like LinkedIn, or Twitter, or wherever you’re going to do it. Because more people can learn from that, and it’s accessible to more people on a broad platform like that as long as you’re intent, and you’re very careful that you are not excoriating the person who sent it. Because frankly, they probably didn’t write it. It’s probably a template that they were assigned to send out, but it is… I think that’s more helpful than just a direct reply to the sender that’s only going to help that one person.

[David Spark] All right. Jack, I’m going to let you close this out. Also just the other comment that Tiana said… She said, “Look, this is trial and error. You’re not going to get it all right the first time.” I was like that’s one of the big things I always say also producing media. Allow yourself to make mistakes. Don’t beat yourself up too much. Jack?

[Jack Kufahl] What Tiana is talking to, I’m with her there for two-thirds of this quote. There are no clear guidelines. It is a trial and error. The whole tenet behind sharing knowledge, a lot of times our first interaction with a vendor is aggressive, is a, “I’ve got 30 seconds of your attention, maybe…” Probably less. “15 seconds of your attention through an email, through a LinkedIn chat. I need to tell you about the product, and I need to tell you what it does.” But that’s not really ever going to be useful information. Something that… And it could be a midwestern thing. But something that I’m more interested in is having that discussion and that commitment about how we’re going to communicate. I’m sure you’ve got a good product because it’s obviously good enough you’ve hired sales staff, and you found me. So, you’ve done a little bit of research. You found me. But don’t hit me over the head with it.

Let’s actually talk about how do you want to engage. And most important, CISOs are probably in their jobs longer than the sales reps are. Sales reps, they’re building their careers themselves. They’re moving up and moving out. And then we’re setting an establishment with that company for more of a strategic relationship where we can say, “Oh, here’s how it worked best with Suzie or Phil before you.” That makes something a little bit more sustainable because that’s one piece we didn’t really talk about here is what do you do about sustainable sales vendor and consumer relationships. Those tend to be my most successful ones, even though I’ve been through maybe two or three generations of sales staff with a vendor. The relationship is strong, and it’s productive. So, it’s an eye towards what do we want that relationship to be and not just, “Hey, here’s this great product. Gee, don’t you want it?” I think there’s space for that. It’s a close second follow up. But to me, the first thing is how do we understand who we are and how we’re going to communicate first. Then we’ll start communicating whatever content, product, services, needs you have.



[David Spark] Excellent point. And a great spot to close out this discussion. This was really, really good. This summarizes a lot of the stuff we’ve been talking about for the past four years. Well, we’ve come to the point of the conversation… And, Jack, I’ll have you go first. Where I ask you which quote was your favorite and why. Let me know, which one was it?

[Jack Kufahl] I’m really going to stick with that final quote from Tiana because it captures the problem pretty well, and it leaves a lot of green space for sales staff to get creative but also depart from the bag of tricks. If you’re just hitting your head against a wall and you can’t get through to an important vendor, change your tactic. Sending seven cold emails or seven cold LinkedIn the same way, that repetition is not going to help. But changing tactics and figuring out a warmer way of getting there or an indirect way of getting there, a direct way to link to an earlier quote, is important. But that trial and error is critical, but I also respect it a little bit more when somebody is talking to me. If they’re switching up their tactics, okay, there’s a mind at work behind that screen, behind that keyboard. They really are trying to communicate with me. They’re just not spamming me.

[David Spark] Geoff, your favorite quote?

[Geoff Belknap] Boy, I’m struggling here. There’s about three here I think are really important. But if I really break it down, I’m going to go with Thomas Freese from QBS Research where he says, “I would assert how to best follow up on a cold call completely misses the point. Most of the challenge for sellers today is creating compelling reasons for the potential buyers to want to engage with you the first time rather than racking your brain to figure out how to recover from ineffective outreach.” I do think that there’s two elements here that I think are really important to highlight. One… And I’ll just say it. Your target of your email does not owe you a response. We’re busy people.

[David Spark] By the way, that came up in the first segment. That’s really key. We are not required to give you a response.

[Geoff Belknap] Yeah, and I know it’s really tough. Look, we’re busy people. You’re busy people. You have a hard job. It is really helpful for you as a salesperson to get a response to know whether your email landed or not. But I think in this day and age it’s like if you don’t get a response, it didn’t land. Or frankly I think what’s worse is it probably didn’t get read. You just have to move on. But the reality is… I think Neil Saltman and Ben Griffith talk about this a little bit. Warm intros are the best way to go. If it’s not a warm intro or a handoff from another CISO, I encourage business development teams to look for opportunities to make connections with people that are not just a cold email and let the email be the follow up to that interaction. I think we in the security industry owe our sales partners and our partners on the vendor side, which by the way are not our enemies… I think Jack said this earlier. A lot of my success that I’ve had over my career in security has been partnering strongly with really key vendors. I think we have to find more ways to build that in a time when there are more vendors than ever, and there’s more need for attention from those vendors than ever. We have to help build that. I think that’s on us to figure out as much as it is on the salespeople.

[David Spark] Excellent point. We did a super-sized episode for today but all solid all the way around. Jack, I’m going to let you have the final word. The question I always ask all our guests is are you hiring, so make sure you’ve got an answer for that. I want to thank our sponsor, SolCyber. Remember, they are Bring simplicity and affordability to your cyber security. Check them out. We greatly appreciate their sponsoring this episode. Geoff, I know you’re always hiring. He’s always looking for fantastic talented people. And if for some demented reason you wouldn’t want to work for Geoff, first please go seek some professional help. See what’s wrong with you because it’s definitely not you, Geoff, right?

[Geoff Belknap] There’s plenty wrong with me. But if we’re not hiring or not hiring something that you’re great at, I’m sure you can find something on LinkedIn that does meet with your delight.

[David Spark] All right. Jack, any final thoughts on the topic, and are you hiring, by the way?

[Jack Kufahl] Yep, we are hiring. We’ve been building this program for about seven years, and we’ve never been fully staffed. We inch up on it, and then more needs arise. It’s a great place to be. Lots of flexible work accommodation, remote work, all that great stuff. And our football team is a lot better than Geoff’s. So, if you had to choose, go with the football team.


[Geoff Belknap] Wait a minute. Who’s my football team?

[Jack Kufahl] Exactly.

[David Spark] LinkedIn has a football team?

[Jack Kufahl] Yeah. Yeah. Go Bills. That’s all I have to say. It’s our year.

[David Spark] All right. Thank you very much, Jack. Thank you very much, Geoff. Thank you very much to our audience. Hey, let me give a tip of the hat. He’s listening to us right now. Aaron Diaz. He’s one of our producers, and he is actually heavily responsible for helping me put together the run down for all these episodes. So, if you like the way that all these quotes come together, and you’re quoted, and you appreciate it, you can thank me. But really thank Aaron as well.

[Geoff Belknap] Yeah, a tip of the hat to Aaron, and Andrew, and all of our production staff.

[David Spark] Oh, yeah.

[Geoff Belknap] Man, they really make us sound good.

[David Spark] Aces all the way around. Thank you very much, everybody. Thank you for contributing and listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly. Thank you for listening to Defense in Depth.