The focus of the cybersecurity leader has evolved. Previously, this role was tactical and very focused on specific technical issues.
To be successful today a cybersecurity executive must drive strategy that is based on sound risk management concepts, understand changing technology to adopt and integrate the appropriate security controls, and also be an influencer across the organization to surface and escalate dangerous risks so partner teams drive them to resolution.
However, the job has become increasingly more challenging with the rapid pace of technology adoption, the movement of data across data centers, cloud services and business partners, and the expectation of detecting/preventing every attack, security misconfiguration, or mistake across a wide range of systems.
As former CISO of Twitter my goal was to build a solid security and risk management program that identified the most crucial risks to the company, develop security programs to drive down such risks, and to build or buy effective security solutions to securely enable the business. The job was heavily focused on marrying together the right mix of technology and the right team of individuals. I learned many lessons along the way but in the space of security solutions, one item that particularly stood out is that most infosecurity vendors do not sell to CISOs effectively.
Unfortunately, the process of identifying and selecting security solutions is much more challenging than it should be. There are two major problems contributing to this challenge. First, with the explosion of investments in the security space it’s nearly impossible to keep track of which solutions are available for particular needs and which ones are good. Second, the vendors all appear to be watching poorly written hacking movies. The amount of FUD and buzzword overloading severely obscures what a product is actually doing. Together this makes it very challenging for a CISO to hear through the noise to find the right solution.
Is Self-Service Selling the Key?
The way security vendors are selling their products is broken. CISOs are tasked with sifting through emails and signing up for and sitting through intro calls or onsite meetings just to learn what the product actually does. A CISO and their team has more work than time available and this whole process is cumbersome. As a result, I shunned all sales pitches and only relied on word-of-mouth recommendations from my trusted network of peers. This worked, but feels like a larger failure of the industry.
The infosec sales process can - and should - be easier if vendors learn to better address the needs of today’s CISOs:
- Outline the specific problem, then provide the solution: Consider that the average CISO likely has a list of 25-50 known security problem areas of varying risk and priority. The top five to ten may be getting focus each quarter. Sometimes it's not whether or not 'X could be better' but whether that's the current focus based on risk prioritization. Vendors should outline the problem they are solving and seek alignment to priority, rather than claiming they are a “silver bullet” or just touting “interesting” security features of their tool.
- Omit buzzwords and FUD from your vernacular: Most CISOs are already inundated with newspaper headlines, “sky is falling” claims and misinformation. Instead of using scare tactics, use clear, descriptive words to illustrate the value proposition. Clearly outline the problem solved, the method of integration, and how this product serves as a function of the organization’s risk management processes.
- Offer a self-service model: Allow potential customers to try out the product, ideally without even an intro meeting, to see if it fits their needs. Then let the prospect come to you with questions. A demo environment is the most efficient approach to connect with a CISO and their team. Plus it lets your product to do the talking!