Marketing to the Elusive CISO: 8 Tips from Former CISO Steve Ward
Knowing your buyer is not a significant challenge in some industries, but one persona that we repeatedly see ScaleUps struggle to crack is the Chief Information Security Officer.
CISOs are particularly challenging to sell to because of the complex tasks they oversee and because their role is fairly new. Unlike CEOs, CMOs, and COOs, CISOs don’t have rock-solid roles and responsibilities, and if they do, they’re not consistent across the board. They often straddle the lines between core app development, security ops, and infrastructure, and sales teams need to consider this nuance.
But with so much to keep track of and customize, it’s tough to make meaningful headway with CISOs during the sales lifecycle. As the former Chief Information Security Officer at The Home Depot, I experienced my fair share of sales pitches, and want to give you the inside scoop. Below, I cover my top eight tips for sales and marketing teams hoping to target the ever-elusive CISO.
1. Know who you’re selling to
It might sound obvious, but you need to know who you’re selling to. Every CISO has different goals, a different budget, and a different level of influence. Today, go-to-market teams still think of the CISO as a security expert. But CISOs are leaders above all else. Even if they have a technical background, they still rely heavily on input from the app dev and infrastructure folks who are peers of theirs. And these teams are concerned with the day-to-day metrics like uptime, speed to market, and agility – not the latest breach.
So, be very deliberate about your delivery. To get your messaging right, you’ll need to tailor every presentation. You can’t give the same pitch to a Head of Security Ops that you do to a CISO. Know who you’re talking to ahead of time, what they care about, and explain how you’ll remove stress from their plate, specifically. Don’t know what matters to them? Ask! That way, you’ll know how best to be a helpful resource, rather than just another meeting they have to get through that day.
2. Don’t lead with the threat
Starting your pitch with a reference to recent cybersecurity attacks is like rubbing salt in an existing wound. Nine times out of ten, CISOs already know about the particular threat you’re bringing up and have spent a lot of time stressing over it. So if they know what the risks are, why lead with the negative?
Instead, focus your audience on the positive. Explain what you bring to the table. Assuage their worries with your product’s features and the care and service they’ll get from your support team. You’d be surprised how much you can impress someone by saying, “This is what I’m going to do to make your life easier.”
3. Capitalize on the first 20 minutes
CISOs are busy executives. Don’t waste their time (and yours) doing round-robin intros and rattling off your bio, which can easily shave off 10 to 15 minutes of a 30-minute meeting and stall your momentum before you’ve even started. When I meet with people, I tell them upfront to leave their bios for the end of the presentation. And if they can’t get to it, I politely remind them that I can read their follow-up emails later.
But not everyone is that candid, and some may just ignore you when you start with fluff. So, proactively capitalize on the first 20 minutes. Hooking the CISO in by getting your point across early will make you memorable. Even if you don’t end up winning the deal now, that CISO may call on you in the future when a new project arises.
4. Show what you’re made of
As a rule of thumb, I don’t take risks on software; I take risks on people. Remember, sales is a human business – you just happen to sell tech. CISOs are more likely to put trust in passionate founders and salespeople who take the time to get to know, respect, and connect with them on a deeper level.
Take Wiz, for example. I met with the Wiz founders early on in their journey. At the time, I didn’t think their idea was big enough, but I could tell they were going places. The Wiz team took the time to listen to my comments, and when I advised them to think bigger, they did. Six months after our first meeting, they reapproached me with a far superior product. Although Wiz wasn’t necessarily Home Depot-ready, I felt I could trust them and signed a deal. Seeing that the Wiz team would be open to growing their solution meant more to me than nailing a demo because then they proved themselves to be a long-term partner to the company’s needs.
5. Do your homework (really, do it)
Most sales and marketing teams do at least a little research on their ICP. But when it comes time to present to a CISO, you have to go beyond typical LinkedIn stalking and think about the big picture. What’s going on in the prospect’s environment?
For example, approaching the CISO of Abbott and approaching the CISO of The Home Depot should look very different. Right now, the CISO of Abbott is obsessing over the launches of new COVID tests and drugs, and she doesn’t know what next month will bring, let alone next year. Talking to her about your solution may not make sense at all right now.
The CISO of The Home Depot, on the other hand, is feeling great. He has a huge budget to roll out new apps or fix things he may have been putting off. He might even be willing to work with a startup.
Taking the time to acquaint yourself with the CISO’s situation can pay off in terms of how you frame your opportunity. And if you’re not sure about the CISO’s long-term plans, there’s no harm in asking. You’ll be doing everyone a favor.
6. Determine your target CISO’s maturity level
As much as possible in your research, note how long a CISO has been in their position and the tools they’ve purchased in the past. With that information, you can piece together their personal policy on buying software. It’s also advantageous to understand the maturity of the organization: Are they maintaining a program, rebuilding, building, or recovering from a breach? All of these factors will help you approach the problem with the right set of solutions. For example, I considered myself a 90/10 kind of guy. Ninety percent of what I bought needed to work out of the box, while 10% could be early-adopter material.
But every CISO has their own threshold, so if you’re a startup, it’s worth asking how many startups they have in their vendor lineup and what their appetite is for more.
Take a scenario where you predict a new CISO to be risk-averse. Good guess, as newly hired CISOs tend to be afraid of making a mistake, and you don’t want to spend time strategizing on a futile deal. Then again, this person may have been a founder in a past life, may enjoy angel investing, or may be happy being a patient development partner. In that case, getting face time would be worth the effort. Loosely make your prediction, find a way to confirm it, and use that to inform your next steps.
7. Watch how much you work the deal
Sales and marketing teams tend to work a deal from every angle, which usually bears fruit. But not with CISOs. The three fastest ways to get a CISO not to buy something are: (1) going around them or someone on their team, (2) pestering them, and (3) lying about your product’s capabilities. All three tactics are highly irritating and memorable in a bad way. CISOs talk to each other more than you might think, so doing any of those things will probably ruin more than just one deal.
A better way of “working the deal” is to start from the bottom. First, find out what projects are on the docket for the next year or two. Then, pinpoint a few employees who might want ownership over those projects – ideally ones that have the CISO’s ear. If you get in good with them, they’ll likely make a proposal to their boss. And if you can tee them up with a sample business case with clear ROI, even better.
8. Foster relationships – they lead to recommendations
When it comes to evaluating software, Gartner isn’t always every CISO’s go-to. When I was a CISO, I paid far more attention to the founder, CISO, and global SI recommendations. I knew these people cared deeply about their reputation and wouldn’t tarnish it in the eyes of the security community.
So think of ways to weave in these types of recommendations. Of course, they have to be organic. If someone is on a company’s cap table, is trying to win more business, or has another underlying motivation, that doesn’t count. Sales and marketing teams should find ways to develop strong relationships with people who influence a CISO’s opinion, whether it be attending conferences, taking clients to dinner, or building out a partner program.