Selling to a CISO? Practice Empathy, Not Salesmanship

Alan Levine

The cyber security marketplace is hot. Ask any candidate for a cybersecurity role. Better yet, ask any supplier to CISOs. The supplier audience is especially vast, and it’s continuing to grow. Just three years ago, there were estimated to be fewer than 2,000 cyber security vendors worldwide. Recent best guesses point to more than 3,000, and that’s just in the U.S. Who knows how many other vendors provide some discrete part of IT controls that indirectly supports cyber security? Regardless, it’s clear that CISOs have a broad and deep array of potential suppliers, and the universe of offerings is ever-expanding.

Still, most CISOs would probably prefer just a handful of suppliers who truly understand what CISOs need.

Cyber security suppliers talk about what they do, what they’ve made, and what they have available for sale. They develop new offerings or enhance existing ones and, when they meet with CISOs, too often they speak about those offerings as if no CISO would ever want to be without them. That’s a one-sided conversation, unfortunately. The CISO may try to interject, to make the product pitch more relevant to his or her organization’s needs, only to be talked over by the supplier. Why? From the supplier’s point of view, a CISO couldn’t possibly survive without the supplier’s product or service. What’s missing in most sales presentations is any appreciation for what’s on a CISO’s mind.

Suppliers should always focus their talk on how they can help CISOs. They need to begin by understanding that CISOs and their needs are not all the same. What a CISO needs is directly and completely informed by the challenges they face, how well they face those challenges, and what they want to achieve.

Every CISO has an individualized language. A supplier should listen to the language a CISO uses and learn to speak it.

The nouns in a CISO’s language are the technologies and processes they have in place or may be contemplating as part of their cyber security strategy. Their verbs are the actions they have taken or plan to take to close identified controls gaps, to improve existing processes or add new ones, and the concerns they have for the mitigations they can’t seem to address. Let your imagination fill in the adjectives and adverbs but know this: CISOs can be colorful, especially when they are stressed and vendor interactions may cause stress.

Listen, and you will hear a CISO speak from experience. Is this their first rodeo or have they been around the block several times? How long have they been in their current role? How long do they plan to be in it? Answers to these questions can help a supplier understand literally where a CISO is coming from, and where they are going. If a CISO has recently been brought into an organization, they are likely addressing pressing and immediate challenges, even while a new strategy is being developed. Parts of the cyber security program are probably in flux. This may not be the time to pitch new, standalone offerings so much as consolidated solutions that combine previously separate capabilities and make the CISO’s job a little easier. For a new CISO, less can truly be more. Fewer critical suppliers generally translate to simpler control of marketplace interactions.

It’s also important to know what sector the CISO operates in. A CISO in the defense industrial base, for example, will have very different priorities, and more of them, than a CISO in another sector. If the organization operates globally, the CISO’s focus will be different than if the organization’s operations are confined to the U.S. Global privacy regimes alone can impact a CISO’s programs and perspective in significant ways; privacy concerns can in fact compete with security priorities.

Suppliers should also know whether the organization must comply with regulatory regimes. Privacy is likely one regime, but there may be others depending on the nature of the organization and the sector in which it operates. Some regulations, for example, will impact the way a CISO conducts their cyber security program, what they choose to focus on, and what they put on back burners. Much like budgets themselves, CISOs are guided by their ‘musts.’ These are not CSF practices. They are instead red lines that can’t be crossed.

Most CISOs choose a cyber security framework with which to align their program, because frameworks ensure all the bases for a successful and practical program are covered. The most popular frameworks are NIST CSF and ISO. For suppliers, it may not be relevant to know which framework a CISO is following, but it is relevant to understand where the organization is on its road to framework alignment; knowing an organization is currently emphasizing Identify, Protect, or Detect can help to steer CISO conversations directly toward value-add topics and particular offerings.

Knowing the size of a CISO’s cyber security organization may matter, too. Most CISOs don’t have unlimited OpEx budgets, which means their programs don’t have unlimited personnel assigned to them. Understanding where a CISO places the bulk of their people can clarify what matters to the organization. It can also be very helpful for a supplier to understand what parts of a cyber security program have been outsourced to third parties. Are those outsourced roles solely project-based functions, or are they regular functions of normal operations?

It’s always pivotal for suppliers to understand whether recent cyber security assessments have been conducted, and what those assessments concluded with respect to the state of controls. Identifying gaps in controls is always the first step to closing those gaps. Ignoring obvious gaps in controls, in favor of some new project for effort and investment, is a non-starter for CISOs who need to tackle and solve the basics first.

Assessment results are also indicators of an organization’s current maturity levels, but these data points can be misleading. Knowing the maturity level of an organization’s cyber security functions is most useful in how it relates to an organization’s maturity targets. If an organization’s current maturity levels map to a normalized average of ‘3,’ is that good or bad? What elements of the program score below and above? Most crucially, what are the organization’s own targets? Has the CISO determined that, for some controls, ‘3’ is sufficient? Knowing the answer is critical for any provider looking to support a CISO.

Lastly, NDAs are wonderful instruments to facilitate a candid conversation between the CISO and the provider. A CISO does not want to be asked ‘have you had a cyber event?’ any more than a supplier wants to be asked ‘has your product or service ever failed?’ CISOs far prefer to look to tomorrow rather than dwell on yesterday. We collect lessons learned, fix what we can, and hope to live to fight another day.

Working with a CISO means listening. Think of almost any learning activity: we hear, we absorb, we retain, and we react. That is the way to work with a CISO and give them what they need. Learn where they are on their cyber security journey, and learn where they are going. Think about how a new solution might support that journey. Store this in your GPS, because it represents the coordinates of the CISO’s true north. And then, only then, respond with suggestions that make the journey better defined, easier to navigate, and safer to traverse.

Yes, CISOs will always require new technology products and services. As cyber risk grows, solution sets need to keep up. Prepare to offer them.

Just remember that first, CISOs need to be heard.
