I challenge the argument that the best targets for security marketing are CISOs and CSOs.
Sure, CISOs are making business decisions, but are they the influencers you want?
Since all the security companies I talk to want to market to CISOs, I have to assume CISOs are subjected to a lot of direct pitches from security firms.
One CISO friend of mine says he ignores most direct pitches from security vendors and leans on his team members, who he’s hired and already trusts, to come to him with recommended solutions that they’ve researched, tested, and vetted.
He doesn’t test solutions. That’s the job of his support staff.
If other CISOs operate like this, wouldn’t it make sense for security vendors to ignore the C-level employees and focus their marketing efforts on those at least a level below, the directors?
Marketing to security directors is not a new strategy. Vendors are well aware that the CISOs’ security staff are responsible for choosing, testing, and recommending security products.
I argue that, in general, the people who operate under the CISO have greater influence to select security products for review. For many IT vendors, not just security, the major sales problem is, “Are they even a consideration?”
At the consideration level, CISOs might actually have less impact as to which security firms/products are reviewed. Yes, there are plenty of caveats. Most notably if a vendor or an employee with that vendor has a pre-existing relationship with the CISO or the CISO simply has pre-existing knowledge of a company and its products.
For example, a CISO may know they need a firewall solution, will make the final decision on a firewall, and will purchase a firewall, but they might not be in a position to determine what will be the firewall options. They often leave that decision up to their staff to do the research and give them advice on the best firewalls. The CISO’s staff will be the ones who create the consideration list.
This behavior is the result of a four-level information hierarchy in IT, explains Bruce Barnes (@bbarnes84), co-founder of CIO Solutions Gallery. Technology can only manage the first two levels. The first of which is creating or acquiring data, and then from that data security vendors can produce information. It is up to directors to derive knowledge from that information, which is then brought to the CISO or CSO who now must gain insight from that knowledge. And if they can’t gain any insight, is the problem that they haven’t garnered the proper knowledge?
It appears to me that the trusted employee network just below the CISO is a far more valuable audience to influence. They are not receiving nearly the same number of sales pitches as the CISO, they already have their boss’ trust, and they’re the ones responsible for vetting the products. They are the ones closest to the knowledge.
One security vendor I spoke with didn’t agree with that sentiment because they claimed their sales cycle was cut by months if they can get to the CISO first.
“It’s easier targeting the folks that influence the CISO, but that’s always going to be more of an uphill battle and longer sales cycle,” admitted Adrian Sanabria (@sawaba), director of research, Savage Security.
In some cases, given the nature of your product, you probably don’t want to pitch the CISO.
But that’s not true for all security solutions, added Farnum, “If you have across the board products that you market as a solution, then the CISO can often help drive that.”
“Targeting the actual users of the products/services is what makes sense,” said Mike Johnson, CISO, Lyft. “In 99 percent of the cases, that’s not the CISOs. In 75 percent of the cases, it’s not the directs of the CISOs.”
It’s wishful thinking that your decisions will be that black and white. Often the decision of who to market to will be made for you.
“In many cases marketing to the CISO won’t be possible. The CISO is so pestered it’s pointless. So marketing to those under the CISO is all you’ve got,” said Sanabria.