“I’ve never met a harder sale than cybersecurity to the IT team,” admitted a security vendor. “The challenges are unique at each firm and they are reluctant to even take a call let alone share real concerns.”
In the security products market, cybersecurity vendors simply want to be considered, and that often requires compelling a prospect to test the darn product.
But getting a response from a prospect, let alone a product test, is often a Herculean task. One vendor I spoke to said he would often have to initiate ten contacts with a prospect before he’d even get an acknowledgement.
Companies whose primary objective is to test products can’t even keep up with the volume. As of last December, 451 Research was aware of more than 1,600 security vendors.
“Those were only the ones we had time to write down,” said Wendy Nather (@WendyNather), formerly of 451 Research and now director, advisory CISOs at Duo Security. “That wasn’t even the total number of products!”
1,600 security products X 10 attempted outreaches = NOOOOOOO!!!!!!!
This isn’t healthy for anyone. Vendors don’t want to harass, and security professionals don’t want to keep batting away InfoSec suitors.
There’s got to be a better way.
Here are some suggestions.
Catch lightning in a bottle and fill an immediate need
Unless you’ve got a mole inside the company, it’s difficult if not impossible to know what that immediate need is. Companies are reticent to tell you their security concerns.
In addition, do not assume because a certain breach just happened that every company has that specific need. InfoSec professionals do not respond kindly to the alarmist method of security sales.
Be unique and prove it
A far more realistic technique is to differentiate your product from the rest of the crowd.
This method has its own challenges.
“Uniqueness has a small window in a field solving the same problems over and over,” said Ottenheimer. “Security vendors that promise to show something novel, new, or differentiate in solving a need that will be coming up soon, are the ones that get time on my calendar.”
Be straightforward and have the goods, not a salesperson, to back it up
InfoSec professional Marcus Ranum (@mjranum) wants to know about your security product, but he doesn’t want the sales pitch. A simple message from a vendor that states what their product is and what problem it solves is enough. No need to push for a sales call. Instead, just leave an open request to “contact us if that is interesting.”
If interested, Ranum will start to research.
“That means their website had better have clear, crisp, hype-free non-deceptive information that is technically useful. If there’s a form that keeps me from learning anything until I give a sales rep my number, I never look at them again,” said Ranum.
From there Ranum will ask colleagues who use the product for their opinion. If they give the thumbs up, Ranum will contact the company and ask for a rep who can talk tech, provide pricing, and a chance to test the product on his own.
Solve a future business need, not a current security need
The problem with many security pitches is they’re focused on solving today’s problems.
“If you start with ‘fear’ I’m already not listening,” said Elliot Lewis, president and chief architect, Lewis Security Consulting. “That’s a ‘flash in the pan trying to capitalize on current fear mongering in the press rather than providing an intelligent solution to challenges that I’m going to face as I grow my business.”
The best vendors understand this model said Lewis: “They start with ‘we understand your business issues and here’s how our security solution can help enable your business.’”
If they want they can later explain their product solves a current threat, but that’s a nice value-add, not the primarily sale.
Product test should be self-driven, not sales-driven
“For me, the best method is to provide a self-trial test drive of the product at my convenience,” said Andrew Hay (@andrewsmhay), co-founder and CTO, LEO Cyber Security. “I don’t require a salesperson on the phone to walk me through something. I’d much rather take the time to turn the knobs myself.”
I need to see it in action before I test anything
One simple solution to get interest in testing is to show your product in action. Avoid the animated explainers that don’t show the product. Instead, an easy-to-produce screencast video can show very clearly how your product operates. Show alternative solutions and how your product differs. The goal at the end of the video is for the viewer to contact you to request an evaluation unit. Make sure that “how to contact you” information is in the video.
Build a relationship with the community first
As mentioned at great length in a previous article, CISOs want relationships with security experts first before they want product pitches.
Reiterating what I’ve heard multiple times, CISOs and other cybersecurity professionals want vendors to be part of the “we’re all solving this together” security community.
“Network with us, make us aware of what your organization or product does, and then be of value to our community in some way,” said Randall Frietszche (@rfrietzsche), CISO, Denver Health. “If and when the time comes that we need to solve a problem their solution addresses, they’re going to be one of the first ones we call because they have built some trust.”
Don’t just think about targeting the prospect.
“[Security vendors] build long-term relationships not just with one CISO but with the CISO community,” added Frietzsche. “That’s important because part of our due diligence is to ask our colleagues about a vendor’s solution.”
CONCLUSION: Just be an awesome company
If you’re a security vendor in a sales rut, don’t think you’re going to be able to market your way out of it. That may work in some industries, but a marketing-only sales pitch doesn’t have the same effect with InfoSec professionals.
Of course that’s what you hope to be doing, but if that’s hidden in marketing speak that makes outrageous “we’re the first” or “we’re the best” or “we stop the most” claims, then skeptical security people are going to tune you out.
Simply explain what you do and participate as much as you can in the security community. Security professionals talk, and if your solution is one they like, and a company they like working with, that’s the best possible marketing any company could hope for.