Aug 6, 2020
All links and images for this episode can be found on CISO
"How do I approach a CISO?" It's the most common question I get
from security vendors. In fact, I have another podcast dedicated to
this very question. But now we're going to tackle it on this
this post for the basis of our conversation on this week’s
episode which features me, David Spark (@dspark), producer of CISO Series,
Alford (@allanalfordintx), and
Amit (@iiamit), CSO,
Here also is
my original article with Allan Alford when he first launched this
engage with vendors campaign.
Thanks to this week's podcast sponsor, Sonrai
Identity and data access complexity are exploding in your
public cloud. 10,000+ pieces of compute, 1000s of roles, and a
dizzying array of interdependencies and inheritances. Sonrai
Security delivers an enterprise cloud security
platform that identifies and monitors every
possible relationship between identities and data that exists
inside your public cloud.
On this episode of Defense in Depth, you’ll
- All CISOs are different so any advice we provide will vary from
CISO to CISO. Plus, we have an entire other show, CISO/Security
Vendor Relationship Podcast, dedicated to this very
- We acknowledge that this is tough because to be really on
target you need to know what the CISO has, what their mix of
products are, and how your product could work in their current
security maturity and mix of security products and processes. It's
all a very tall order for a security vendor.
- Vendors must stop thinking of themselves as point solutions,
but rather how they fit into the overall makeup of a security
program. You're not coming in with a blank slate. How do you
interoperate with what's existing?
- There's unfortunately the trend of the people who make the
contact, then initiate a meeting, and hand off to someone else.
CISOs do not welcome that kind of engagement, although it may be
very cost effective for security vendors to hire junior people to
make those contacts and hand offs.
- Lots of argument about the efficacy and the acceptance of cold
calling. Those who claim they don't like it are often working at
organizations that do it repeatedly to great success.
- The pushy salesperson who eventually gets through after
repeated attempts even when they're told no may show success, but
they don't calculate all the people they've angered and the
word-of-mouth negativity that has resulted from that behavior. If
you push beyond a request to stop, the worse that can happen is
your reputation will be destroyed.
- CISOs are more receptive to market pull into your organization.
That can happen through traditional marketing, content marketing,
podcasts, analyst reviews, and word-of-mouth. Problem is these
techniques don't leave any room for salespeople to operate.