I think it might be safe to say that the majority of a security vendor’s time is spent trying to avoid being a roadblock or running into roadblocks. As part of the CISO/Security Vendor Relationship Series, I called out to security vendors to tell me their tales of overcoming hurdles in security sales. Here are four stories I really liked.
One Person’s Needs Don’t Speak for the Whole Company
Getting to the “right” person within an organization is never clear. Most vendors’ default is to target “CISOs.” This technique is so darn popular it’s driving the popularity of this very series.
“We were dealing with IT management which traditionally was to be thought as the correct point of contact,” said Santora. “But we kept getting pushed off the radar.”
Even though he got radio silence, he knew the company and knew that they had a need their product could solve. He persisted by going after a completely different VP within the company.
“Although not the perfect contact, they got it right away,” said Santora.
That was key. Having a champion inside the organization get their value was what was most important. Now that he was communicating with an insider, a person of trust within the organization, they were able to get in front of other executives to demonstrate their fit.
“Just goes to show just because one person’s need might not be there, the company’s needs are a whole different story,” said Santora.
Brute Force Gets You … Nowhere.
“Any intuitive security vendor learns pretty early on in their career that CISOs are just about the busiest and most well-informed prospects on the planet,” said Kevin Walsh, account executive, Comodo.
Early on, Walsh admitted to making the critical mistake of thinking he could just power his way through to connecting to the right person within an organization.
“I targeted one prospect who was considerably outside the parameters of my initial role. I made it my mission to get his attention. I cold called. I worked the gatekeeper. I sent cold emails to staff. All the stuff you shouldn’t do, I did,” confessed Walsh. “It got me approximately nowhere.”
Ultimately, Walsh turned to his father, a high-ranking tech executive, for advice. He said to his son, “People who need to reach me know how to reach me. It doesn’t matter if you’ve got the best tech in the world, people buy from people they like, people they trust.”
Walsh switched to a tactic of just building awareness of himself and his company. He jumped on LinkedIn, connected with the ‘must reach’ target and only said, “If you’re ever interested in partnering with my firm on a cybersecurity initiative, I’d love the opportunity to throw my hat in the ring. Hope you have a great week.”
The target replied, “Thanks, Kevin. I appreciate your approach. I’ll be in touch.”
About 45 days later Walsh and his team closed the deal and Walsh got a promotion.
Nobody can count on results like this every time, but you improve your odds just knowing that brute force will never work.
We’re the Best At … Oops!
Threat hunting tool Infocyte takes pride in promoting its key differentiator, hunting threats within volatile memory. Since the product’s release, they claimed to have never failed at identifying a fileless in-memory implant during a test, said Christopher Gerritz, co-founder and CPO for Infocyte.
That perfect record came to an abrupt end while pitching a prospect that ran their software against the well-known pentest tool, Cobalt Strike. Infocyte failed. As they were trying to figure out what happened, they soon discovered that someone from Cobalt Strike had seen a talk Gerritz gave at BSidesLV on threat hunting and specifically designed a new mitigation to short circuit Infocyte’s in-memory detection.
Gerritz pleaded with the prospect: “The adversary advances every day. We’re not here to solve the threat once and for all. We’re here to do the research and help you stay ahead. Give us a chance to show you how we do that.”
Gerritz’s team went to work creating a proof of concept, and within 48 hours they claimed to have not only found a solution for Cobalt Strike’s new implant, but also created a new way to overcome an entire class of in-memory manipulation that might attempt to hide malicious code.
The Roadblock of Being Young and Inexperienced and Having No Contacts
When you’re new to the business of security, it’s rather disconcerting to discover that your mere presence alone is seen as a roadblock.
One young security professional, who wishes to not be named, realized this when she was working with a group of ex-government contractors.
“They tended to look down their noses at me as a newbie to the field,” she said. “They would only engage in conversations when our head of product or CTO were on the line.”
The young security professional realized she had to prove herself. She took the time to learn their business and the unique security challenges they faced, and began asking questions of security professionals she had built a rapport with on LinkedIn.
“From that, I was able to gain the knowledge needed to mostly hold my own in the conversations, gain their trust, and eventually their business,” she said.
Conclusion: Roadblocks Are Only Detours, Not the End
Sales can be frustrating, especially if all the techniques you’ve learned from one industry no longer work now that you’re selling security products.
The point of this series is to examine why the buying and selling of cybersecurity products is such a different beast and what can be done to improve the process. Whether you’re a buyer or seller, there’s plenty of frustration to go around.
This article introduces just four tales. I will definitely be revisiting this topic again and again. So if you have a good story to tell that would help buoy some disgruntled salespeople, go ahead and send it to me.