Seven things government security leaders expect vendors to address

May 28, 2015 (8 mins)

Ignore these items at your peril

Finally, the meeting has arrived.

After many months of phone calls, e-mails, a WebEx demo and other prep work, you walk in the room and sit down with the government security leader and his or her team. Your hand-picked group of rock stars has been waiting for this moment. They even flew in early to practice the PowerPoint presentation.

Your pitch is flawless. The scheduled one hour provides enough time for the perfect balance of fresh content and an open discussion with next steps.

Everything is ready to go.

But, after starting six minutes late because the conference room was fully booked and the last meeting ran over, you go through the formalities of walking around and shaking hands. Your entire team exchanges business cards with a half-dozen government staff, three of whom you don’t recognize.

Polite introductions take eight minutes, during which the government team explains that the Security Operations Center (SOC) supervisor and deputy were called away to an emergency, so Sarah the student intern is sitting in for them.

Your mind starts racing. You think to yourself: There goes our closing pitch for the new ‘xyz’ product for the SOC. 

Worst of all, something happens next that really throws you off your ‘A’ game. Just before your team really gets started, the CISO announces that he needs to leave ten or fifteen minutes early to attend to an urgent budget matter.

“Can we get this done in about 30 minutes?”

While your team is mouthing “no,” somehow “sure” comes out of your mouth.

At this point, you decide to ditch the plan and go with your instincts. You turn to the government security leaders in the room and say, “So what’s on your mind?”

The meeting goes downhill from there.

An hour later you’re standing outside with your team, scratching your head and wondering what happened. What seemed like a perfect opportunity now appears to be a misguided adventure. The team looks at you and says, “Where do we go from here?”

Fiction or fact?

The scene depicted above should be historical fiction. Nevertheless, it happens way too often to be a coincidence. I’ve been there in hundreds of meetings with vendors as a Michigan Government CIO, CISO, CTO and CSO, as well as in federal situations as an NSA employee. I’ve also seen similar things from the vendor’s side of things with companies like Security Mentor, ManTech and Lockheed Martin (formerly Loral Aerospace).

My experiences are not unique. Almost every private sector company that sells to or supports government enterprises has experienced frustrations with the way business is conducted in government.

But frustrations abound on the public sector side of the fence as well.  I have heard too many CxOs share stories about vendors who “just don’t seem to get it.”

Occasionally, personal friendships, career experiences or “tell all” books allow us to walk a mile in the shoes of the other side. Nevertheless, easy answers to bridge the vendor—enterprise CxO divide often remain difficult to implement in practice. 

So what are common gotchas that can hinder security and technology vendor professionals when relating to government clients? What is on the minds of government leaders that rarely, if ever, gets discussed with vendors? And, most importantly, what are some potential solutions and back-up plans that can help strengthen relationships and prevent misunderstandings from becoming a major train wreck?

In a previous post, I described why it is so hard for security startups to get government customers. This time, I would like to offer some thoughts about the things government security pros expect top-notch security vendors to already know—even though these words remain unspoken. I’ll include my advice and suggest some ways to address the issues.

Seven government security leader thoughts – and practical advice to help you read their minds

Government security leader thought #1:  “Do I really know you or your company?”

Most CISOs have a strong network of professionals and companies in the industry that they know and trust. If you are not on that list, or even if your company is on the list but you don’t know the specific person or team, don’t act as if you are life-long pals.    

My advice: As you meet for the first time on the phone, present a WebEx demo or walk in the room for an in-person meeting, be genuine and don’t misrepresent mutual contacts, friends or experiences. Building trust takes time, and you probably won’t do it in the first few meetings.

Government security leader thought #2:  “What are we talking about? Is this a waste of my time?”

I never cease to be amazed at the number of vendors who walk into meetings that took months to arrange and ask, “What are your priorities? What’s on your mind?” Of course, they were trying to be good listeners, but what typically comes next is, “We have a solution for that!”

Usually it is either all listen or all talk – not a balanced approach.  This is usually seen as a waste of time by CxOs and hurts more than it helps.

My advice: Do your homework on the government needs and requirements in advance. Read their strategic plan. Offer a meeting agenda in advance and ask if the agenda is ok before you start. Be clear on the topic and solutions being offered at that specific meeting. Understand and respect the busy schedule of the government teams. 

Government security leader thought #3:  “Will I get to talk and give feedback?”

Of course, there’s the other extreme too: vendors that talk and talk in order to fit in as much as possible. In my experience, the CISO is often worried a discussion will never happen.

My advice: After your presentation, ask for input. “What do you think? Does this meet your identified needs? Where can we improve?”

Government security leader thought #4:  “This is the wrong time, or the wrong price or the wrong product.”

I love my brother Steve’s perspective on technical sales—It’s all about the right product at the right place at the right time at the right price—with the right person delivering the message to the right decision maker.

My advice: Doing your homework up front should enable you to address timing or competing purchases or related items prior to the meeting. Set realistic expectations for the discussion that can be met or exceeded.

Government security leader thought #5:  “You are talking to the wrong person.”

Far too often, meetings in government with vendors occur because someone knew someone else. Often, the vendor is talking to the wrong technology or security leader, but may not know it based on title.

My advice: Similarly to #4, do your homework on why you are talking to this audience. What does this group truly do? Do they know or influence the other decision-maker(s)? Set realistic expectations up front or make sure the right messages are passed along if the government team switches out the attendees.

Government security leader thought #6:  “I don’t have enough time for this. I need to get out of this meeting early.”

My advice: Vendors need to have a plan B (and maybe C). Expect the unexpected for situations like the example at the beginning of this article. Be respectful of time allotted and also watch the government leader closely. Are they not interested (leaving early) or are they legitimately being called into some emergency situation?  Ask for more time later, if it is a serious problem.

Government security leader thought #7:  “Are you in this for the long haul or a quick buck? Can I trust you? Do you have a good reputation? Will you deliver? Will you be around in two years?”

My advice: Ultimately, if the government leader is asking this question, you have probably succeeded in your sales pitch (so far). Strive to build partnerships, trust, a positive reputation and a track record of delivering success. Have case studies ready. Show where your solution has worked before.

Final thought: Is there an elephant in the room that no one is talking about?

Good preparation means practicing what might (and often does) go wrong.

Watch out for an “elephant in the room” situation where no one is addressing a specific question or topic. There may be a simple reason that the government team is being so quiet—such as they just bought your competitor’s product last week. While that is not a happy situation, it is better to find out as soon as possible what the issue is.

Perhaps you can salvage the discussion with a related product or service—or next year’s opportunity. 

If you do your homework and prepare properly you can (sometimes) read the minds of the government security executives across the table. 


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.
