As I mentioned in the first issue of this series on the CISO/security vendor relationship, almost all B2B security vendors want to reach CISOs and CSOs with their marketing efforts.
Take a step back and think about the receiving end of this equation. How are CISOs and CSOs supposed to manage their business if they also have to constantly manage all the security marketers vying for their time? They’ve got a tough enough job within the four walls of their organization in addition to dealing with the endless barrage of intrusions from all over the world. How are they supposed to entertain pitches from EVERY SINGLE SECURITY VENDOR ON THE PLANET?
Should “15 minutes of your time” be a security vendor’s first request?
Recently, I had lunch with a CISO who I had previously interviewed on camera for one of my clients. We’ll call them Company X. My video interview with the CISO appeared on Company X’s blog. It just so happens that someone at Company X, who I didn’t know, was pitching the CISO through a barrage of emails asking for just “15 minutes of his time.” With the continued non-response, the person just kept following up, sometimes with attempted jokes, trying to poke fun at the CISO’s non-response.
Annoyed by the constant ‘pay attention to me’ intrusion, my CISO friend showed me the emails and dejectedly said, “This is my life.”
My CISO friend is a nice guy, but you can’t count on that to get a meeting.
“If you are in sales and request 15 minutes of my time, I request five minutes of yours first. Take five minutes and do a little external research on my company before you send over a note,” said Mike Johnson, CISO at Lyft, in a post on LinkedIn.
In this case, the security vendor didn’t spend five minutes. If he had, he would have known that this CISO was actually on Company X’s blog.
I asked my CISO friend, if the salesperson had mentioned his appearance on Company X’s blog, would he have responded.
He said, “Of course.”
This salesperson’s request for time and the constant follow up begs two obvious questions:
- When has chronic pestering, especially with a C-level employee, ever worked as a sales technique?
- And when has “can I get 15 minutes of your time” truly only been 15 minutes? The person who is asking for the time should set the clock and end the conversation at 15 minutes. That NEVER happens. Don’t try to take up as much time as possible to make the sale. It puts the onus on the CISO to awkwardly cut the meeting at the imposed time.
“Fifteen minutes of your time,” the nuclear option
Some vendors are so desperate to get a CISO’s attention they’ll just show up at their place of business, hoping for a quick meeting. In other industries, such as entertainment, we’re sometimes pleasantly delighted when we hear stories of hopefuls stalking big executives for a “chance” run in and finally getting their big break.
That method doesn’t play so well with security-minded CISOs who won’t appreciate being ambushed. Such was the case with Peter H. Gregory (@peterhgregory), executive director – CISO advisory services, Optiv. Here’s his tale:
One day our reception center called to tell me that a vendor was in the lobby for our meeting. I checked my calendar… no meeting. It was a busy day but I figured I’d see who it was.
I met the vendor – there were three people, and they thanked me for our meeting.
I replied, “What meeting?”
They answered, “We sent you an invite!”
I said, “I never responded because I have auditors here this week.”
They responded, “But we sent two people on flights to meet with you.”
I responded, “So sorry, but you should have confirmed this. I’ve got to go, nice meeting you.”