Why cybersecurity companies fail at selling to CISOs... and what to do about it

One CISO is so fed up with cybersecurity vendors, he wrote a manifesto for them.

Gary Hayslip is deputy director, Chief Information Security Officer (CISO) for the City of San Diego, the eighth largest city in the U.S. During his career, Hayslip has been pitched at conferences, in his office, on webinars, on the phone, and by email, by hundreds of security and technology companies.

Why is Hayslip, who is also author of the book 'CISO Desk Reference Guide: A practical guide for CISOs', ranting on vendors? He likes them, he wants to help them do a better job at selling to CISOs, and he decided to offer them some hard-core advice.

Cybersecurity software companies and solution providers ought to listen up on what this CISO has to say in his manifesto, even if some of it may be hard to swallow. Hayslip tells it like it is. He isn't singling out particular vendors or sales reps. He has no vendetta against them.

To be clear, Hayslip is heavily engaged in the cyber vendor community and he's an Advisory Board Member at the San Diego Cyber Center of Excellence (CCOE), a non-profit founded by local cybersecurity companies dedicated to accelerating the region's cyber economy.

Cutting to the chase in Hayslip's manifesto, there are a few key takeaways for vendors:

Don't trash the competition. It's a waste of time and no matter how much finesse goes into it, the CISO will see right through it. Putting down competitors is viewed as unprofessional, and unnecessary.

Use the precious time you have with a CISO to sell yourself, sell your company, and sell your product or solution.

Keep it simple, stupid (K.I.S.S.). The old adage rings true with CISOs. If a security solution requires two or more sales engineers (even if they're called systems engineers) and several hours to demo, then it's way too complicated.

The idea of a 30-second elevator pitch may be an old one, but it has stood the test of time for a reason - and it's what a CISO wants to hear first. What problem do you solve, and how? Suppose you really did have to pitch a CISO while traveling from the lobby to the 28th floor.

Don't go behind a CISO's back. Don't cave in to quarter-end or year-end sales pressure and try to prematurely close. If you try to shortcut the CISO's procurement cycle by 'helping out' with the PO (purchase order) process and talking to others before being told to do so, then you may be short-circuiting your relationship with the ultimate decision-maker (the CISO).

This doesn't mean that a professional salesperson can't engage in a conversation with the CISO around how to move things along more quickly. CISOs appreciate frankness, even if they can't move as quickly as the vendor would like to.

Skip the 'value prop', and deal with the CISO's pain. Value proposition, value smoposition. If CISOs have heard this once, they've heard it a thousand times. Please, skip it and go straight to the pain. Namely, what is the CISO's pain (or hopeful gain)?

The CISO is trying to solve a problem. Savvy vendors will ask questions to get to the bottom of it. While a sales rep may be eager to pitch a new security analytics solution, the CISO is suffering through a severe security talent workforce shortage. The real pain is that the CISO's security team is understaffed.

Get on topic and talk to the CISO's real issue. Empathize, sincerely if you are able to, and then speak to your solution in terms of how it will enable the CISO's team to detect and combat cyber threats with fewer people.

No cold calls, please. The CISO's phone number is the wrong number, seriously. Cold calls are unwanted intrusions and interruptions.

If a sales rep is daring and clever enough to cold-call a CISO using a technique they learned at training -- for instance calling after business hours when the CISO is more likely to be alone and prone to picking up the phone... it's likely to backfire. Why? Because CISOs don't want to be cold-called.

CISOs prefer to reach out to vendors. Vendors need to respect that and apply their sales genius to getting on the radar screen with the analysts, media, and associations where CISOs go looking.

Sales training for cybersecurity companies? Hayslip doesn't offer any tips for getting sales teams trained up on selling to CISOs. But after listening to him, sales VPs might want to think about inviting a CISO to their next training.

Seriously, who's most qualified to tell cybersecurity companies how to sell to CISOs? CISOs.

Copyright © 2016 IDG Communications, Inc.
