Selling to a CISO? Practice Empathy, Not Salesmanship
The cybersecurity marketplace is hot. Ask any candidate for a cybersecurity role. Better yet, ask any supplier to CISOs. The supplier audience is especially vast, and it’s continuing to grow. Just three years ago, there were estimated to be less than 2,000 cybersecurity vendors worldwide. Recent best guesses point to more than 3,000, and that’s just in the U.S. Who knows how many other vendors provide some discrete part of IT controls that indirectly supports cybersecurity? Regardless, it’s clear that CISOs have a broad and deep array of potential suppliers, and the universe of offerings is ever-expanding.
Still, most CISOs would probably prefer just a handful of suppliers who really understand what CISOs really need.
Cybersecurity suppliers talk about what they do, what they’ve made, and what they have available for sale. They develop new offerings or enhance existing ones and, when they meet with CISOs, too often they speak about those offerings as if no CISO would ever want to be without them. That’s a one-sided conversation, unfortunately. The CISO may try to interject, to make the product pitch more relevant to his or her organization’s needs, only to be talked over by the supplier. Why? From the supplier’s point of view, a CISO couldn’t possibly survive without the supplier’s product or service. What’s missing in most sales presentations is an appreciation for what’s on a CISO’s mind at all.
Suppliers should always focus their talk on how they can help CISOs. They need to begin by understanding that CISOs and their needs are not all the same. What a CISO needs is directly and completely informed by the challenges they face, how well they face those challenges, and what they want to achieve.
Every CISO has an individualized language. A supplier should listen to the language a CISO uses and learn to speak it.
The nouns in a CISO’s language are the technologies and processes they have in place or may be contemplating as part of their cybersecurity strategy. Their verbs are the actions they have taken or plan to take to close identified control gaps, to improve existing processes or add new ones, and the concerns they have for the mitigations they can’t seem to address. Let your imagination fill in the adjectives and adverbs, but know this: CISOs can be colorful, especially when they are stressed and vendor interactions may cause stress.
Listen, and you will hear a CISO speak from experience. Is this their first rodeo or have they been around the block several times? How long have they been in their current role? How long do they plan to be in it? Answers to these questions can help a supplier understand literally where a CISO is coming from, and where they are going.
If a CISO has recently been brought into an organization, they are likely addressing pressing and immediate challenges, even while a new strategy is being developed. Parts of the cybersecurity program are probably in flux. This may not be the time for pitching new, standalone offerings as much as consolidated solutions that combine previously separate capabilities that make the CISO’s job a little easier. For a new CISO, less can truly be more. Fewer critical suppliers generally translate to simpler control of marketplace interactions.
It’s also important to know what sector the CISO operates in. A CISO in the defense industrial base for example will have very different priorities, and more of them, than a CISO in another sector. If the organization operates globally, the CISO’s focus will be different than if the organization’s operations are confined to the U.S. Global privacy regimes alone can impact a CISO’s programs and perspective in significant ways; privacy concerns can in fact compete with security priorities.
Suppliers should also know whether the organization must comply with regulatory regimes. Privacy is likely one regime, but there may be others depending on the nature of the organization and the sector in which it operates. Some regulations for example will impact the way CISOs conduct their cybersecurity program, what they choose to focus on, and what they put on back burners. Much like budgets themselves, CISOs are guided by their “musts.” These are not CSF practices. They are instead red lines that can’t be crossed.
Most CISOs choose a cybersecurity framework with which to align their program because frameworks ensure all the bases for a successful and practical program are covered. The most popular frameworks are NIST CSF and ISO. For suppliers, it may not be relevant to know which framework a CISO is following, but it is relevant to understand where the organization is on its road to framework alignment; knowing an organization is currently emphasizing identify or protect or detect can help to steer CISO conversations directly toward value-add topics and particular offerings.
Knowing the size of a CISO’s cybersecurity organization may matter, too. Most CISOs don’t have unlimited OpEx budgets, which means their programs don’t have unlimited personnel assigned to them. Understanding where a CISO places the bulk of their people can clarify what matters to the organization. It can also be very helpful for a supplier to understand what parts of a cybersecurity program have been outsourced to third parties. Are those outsourced roles solely project-based functions, or are they regular functions of normal operations?
It’s always pivotal for suppliers to understand whether recent cybersecurity assessments have been conducted, and what those assessments concluded with respect to the state of controls. Identifying gaps in controls is always the first step to closing those gaps. Ignoring obvious gaps in controls, in favor of some new project for effort and investment, is a non-starter for CISOs who need to tackle and solve the basics first.
Assessment results are also indicators of an organization’s current maturity levels, but these data points can be misleading. Knowing the maturity level of an organization’s cybersecurity functions is most useful in how it relates to an organization’s maturity targets. If an organization’s current maturity levels map to a normalized average of “3,” is that good or bad? What elements of the program score below and above? Most crucially, what are the organization’s own targets? Has the CISO determined that, for some controls, “3” is sufficient? Knowing the answer is critical for any provider looking to support a CISO.
Lastly, NDAs are wonderful instruments to facilitate a candid conversation between the CISO and the provider. A CISO does not want to be asked “have you had a cyber event?” any more than a supplier wants to be asked “has your product or service ever failed?” CISOs far prefer to look to tomorrow rather than dwell on yesterday. We collect lessons learned, fix what we can, and hope to live to fight another day.
Working with a CISO means listening. Think of almost any learning activity: we hear, we absorb, we retain, and we react. That is the way to work with a CISO and give them what they need. Learn where they are on their cybersecurity journey, and learn where they are going. Think about how a new solution might support that journey. Store this in your GPS, because it represents the coordinates of the CISO’s true north. And then, only then, respond with suggestions that make the journey better defined, easier to navigate, and safer to traverse.
Yes, CISOs will always require new technology products and services. As cyber risk grows, solution sets need to keep up. Prepare to offer them.
Just remember that first, CISOs need to be heard.