Selling Cybersecurity



Q2 2017 is a special quarterly feature devoted to cybersecurity sales and marketing professionals. Selling cybersecurity is different than selling other IT products and services. There’s a lot at risk for the buyers, and we aim to help you do a better job at selling to them.


RSA Conference: Where the world sells security

Elevator pitches, private parties, and selling FUD at the world’s most popular cybersecurity event

Max Cherney, Contributor

Menlo Park, Calif. – Apr. 7, 2017

After a nearly two-month long hangover from the partying at RSA 2017, Cybersecurity Ventures reports…

Thirty-nine floors up and overlooking a stunning panorama of San Francisco’s glittering night skyline inside The View lounge, a couple of executives from Moneris — one of North America’s leading payment providers — and Herjavec Group — a leading global information security advisory firm and Managed Security Services Provider (MSSP) — talked about email security software over drinks.

One was pitching the other on the merits of an email security solution — his firm had recently adopted it, and upon doing so abandoned its previous vendor. After the brief conversation, it looked like the recommendation was going to stick, and the solution provider might gain a new customer.

The party, hosted by the Herjavec Group, featured an open bar, finger food and about 50 hand-picked security professionals, many of whom were Herjavec clients. Not to mention the elevator pitches on the way up and down.

The next morning, 39 floors below the lounge, about 50,000 men and women descended on the Moscone Center, named after famed San Francisco mayor George Moscone. RSA 2017 was probably the largest to date, several attendees said.

With Moscone under construction, the normally crowded conference was even more claustrophobic than usual, with thousands of attendees streaming through one section of sidewalk that was barely able to accommodate two people side-by-side — a veritable human traffic jam formed on either side with people waiting to get through the choke point.

Once inside the ark, it didn’t let up. Forget about walking quickly, or finding a quiet place to sit, or, in some cases, stand.

To get a sense of the number of firms attending RSA, it’s worth pointing out that the conference takes over the entire Moscone Center which includes two massive exhibit halls as well as a multi-floor building steps away that houses the talks, keynotes and hundreds of temporary meeting rooms on the ground floor.

The north hall of the conference was home to many of the largest security companies in the industry. RSA, Symantec and FireEye, for example, all constructed massive booths. And by booth, it’s safer to say exhibit — these are not humble structures, and many towered 30 or so feet above the floor. Others had multiple levels, and even mini-meeting rooms built in, often requiring a human operator to keep the exhibit running smoothly.

This year there were more flat-screen TVs blaring announcements and first-come, first-served talks given by miked-up executives, including in branded lounges. There is a constant din that forces anyone speaking, even in close quarters, to almost shout. And if swag is something you’re interested in, it’s nearly impossible to take a stroll between the booths and not have a marketer attempt to shove something in your face, or be harangued for a business card.

The south hall is where the smaller firms typically set up booths — with the notable exception of the National Security Agency (NSA), among others — and this year some, seeking to make a splash, took over more space in order to emulate the ostentatious exhibits of their, in many cases, larger peers in the north hall.

But away from the din and frenetic intensity of the exhibit halls is where much of the real business takes place. Some call it “hall-con” and others half-joke about well-lubed after-hours talks — downtown San Francisco’s night scene is awash with RSA conference badges for the show’s week-long duration.

There are invite-only parties where C-level executives mingle with clients. For example, Intel hosts a reception at a speakeasy-themed bar.

While such parties are not on par with the glitz and glamor of an after-Oscars bash, invitations to the right RSA party can lead to discussions with executives that may never be possible with a cold call or formal office meeting.

The lobby of the hotel W, located across the street from the conference center, serves as a kind of unofficial and ongoing after-hours networking event. Voce Communications, a public relations firm, has in the past hosted a cocktail hour within a roped-off VIP area with an exclusive guest list in the W’s lobby.

But as some time-honored traditions of after-hours RSA remain constant, the conference itself evolves — reflective, many say, of the rapid expansion of the industry itself — and so do the strategies security firms use to market and sell.

In prior years, the conventional wisdom in the industry when marketing and selling security was to deploy the unholy trinity of fear, uncertainty, and doubt, several executives told Cybersecurity Ventures.

But that’s recently shifted, and security firms are re-focusing their efforts on clearer, simpler messages, now often spread through glitzy web ads with A-list celebrities such as Christian Slater and Jeremy Piven.

“We don’t sell out of fear and I think a lot of people in our space have done that for years,” said Erin McLean, SVP Marketing and Communications at Herjavec Group. “It was easy, it was factual …today it’s really about business requirements.”

The turning point may have been comedian Stephen Colbert’s appearance as a speaker at RSA in 2014, around the same time the firm was tied to the NSA in a Reuters story. “It was the first year we added levity to the story,” said Alex Bender, who at the time was General Manager for the RSA Conference.

Broadly, Bender, now SVP of Global Marketing at Mimecast, says that the ads starring Piven are part of a larger effort to address the issues customers are facing without using jargon, and to move beyond the echo chamber of a marketing office. “We have to talk about [customer] problems the way that customers talk about those problems, as opposed to coming up with buzzwords.”

The series of web ads fits into that philosophy. And Piven, the actor, helped the company explain the potential threats and solutions in language that would capture attention. “We’re doing it in a way that it’s simple English, plain English so even my mother can understand,” Bender said.

HP, which hired Slater for a series of web ads, did not return several requests for comment.

Another example of celebrity marketing — albeit not an actor — is founder and CEO of KnowBe4, Stu Sjouwerman, engaging infamous hacker Kevin Mitnick to put together security training packages. Once the most notorious hacker in the world, and a wanted criminal, Mitnick has exchanged his black hat for a white one, and has been consulting for years.

Beyond celebrities and famous hackers getting put on the payroll to sell security products and services, the shift away from “fear mongering” has left marketers with new challenges. David Howell, VP of Corporate Marketing and Federal Marketing at Forcepoint, says he believes that, coupled with moving away from selling based on fear, the industry has in general honed its pitch and is specific and clear about how a given tech can address a specific need a company has.

Howell also says that marketers have taken a broader view of shows like RSA. “Trade shows are important, but it’s a moment in time,” he said.

Product integration came up with several executives: most large firms use a bevy of offerings from a range of security vendors to protect themselves, so it’s critical that the products can work together. As a result, marketers have begun to point that out when talking to customers and making sales.

“Customers are telling me I’ve got 30, 40, 50 vendors I work with on security solutions and I really need them talking to each other,” said Ryan McGee, who leads security product marketing for Microsoft. “Because otherwise it’s just this cacophony of alerts and events.”

At the Herjavec Group party, their CTO Atif Ghauri made a similar statement. “On the sellers side, you can’t buy one thing,” he mused. “You need them all — it’s kind of like a football team because each product fills a specific need. There are layers in security.” He went on to add that much of selling at RSA is “classic sales 101 stuff” — referring to the importance of wining and dining clients — but conceded, like many of the executives Cybersecurity Ventures spoke with, that “fear, uncertainty, doubt” had run its course.

Even the National Security Agency has stepped up its marketing efforts. At this year’s conference the agency had its booth stocked with glossy brochures, one-sheets and pamphlets touting its open source security tools such as Unfetter — a tool billed as helping private companies “discover gaps in your security posture.” Though NSA staff at the booth declined to discuss the products on the record with reporters, they were more than willing to pitch its tools to the attendees.

Despite the fact several executives believed that the era of fear, uncertainty, and doubt sales is over, not everyone agrees. Sjouwerman says that since it’s largely difficult to prove that a product will function — say an end-point system or network solution — marketers will always resort to such tactics, to some degree.

“I would still think the number one, quote unquote successful marketing tactic in the security space has been and probably always will be FUD,” he said.

And of course, handshake deals over drinks.

But considering KnowBe4 is one of the fastest growing cybersecurity companies in the world right now, it may be worth listening to Sjouwerman. In the world of security, FUD may very well be the truth.


Q4 2016

Selling Cyber is a special quarterly feature devoted to cybersecurity sales and marketing professionals. Selling cybersecurity is different than selling other IT products and services. There’s a lot at risk for the buyers, and we aim to help you do a better job at selling to them.


Why cybersecurity companies fail at selling to CISOs… and what to do about it

One CISO is so fed up with cybersecurity vendors, he wrote a manifesto for them.

Steve Morgan, Editor-In-Chief

Menlo Park, Calif. – Dec. 5, 2016

This article originally appeared here in CSO.

Gary Hayslip is deputy director, Chief Information Security Officer (CISO) for the City of San Diego, the eighth largest city in the U.S. During his career, Hayslip has been pitched at conferences, in his office, on webinars, on the phone, and by email, by hundreds of security and technology companies.

Why is Hayslip, who is also author of the book ‘CISO Desk Reference Guide: A practical guide for CISOs’, ranting on vendors? He likes them, he wants to help them do a better job at selling to CISOs, and he decided to offer them some hard-core advice.

Cybersecurity software companies and solution providers ought to listen up on what this CISO has to say in his manifesto, even if some of it may be hard to swallow. Hayslip tells it like it is. He isn’t singling out particular vendors or sales reps. He has no vendetta against them.

To be clear, Hayslip is heavily engaged in the cyber vendor community and he’s an Advisory Board Member at the San Diego Cyber Center of Excellence (CCOE), a non-profit founded by local cybersecurity companies dedicated to accelerating the region’s cyber economy.

Cutting to the chase in Hayslip’s manifesto, there are a few key takeaways for vendors:

Don’t trash the competition. It’s a waste of time and no matter how much finesse goes into it, the CISO will see right through it. Putting down competitors is viewed as unprofessional, and unnecessary.

Use the precious time you have with a CISO to sell yourself, sell your company, and sell your product or solution.

Keep it simple stupid (K.I.S.S.). The old adage rings true with CISOs. If a security solution requires two or more sales engineers (even if they’re called systems engineers) and several hours to demo, then it’s way too complicated.

The idea of a 30-second elevator pitch may be an old one, but it has stood the test of time for a reason – and it’s what a CISO wants to hear first. What problem do you solve, and how? Suppose you really did have to pitch a CISO while traveling from the lobby to the 28th floor.

Don’t go behind a CISO’s back. Don’t cave in to quarter-end or year-end sales pressure and try to prematurely close. If you try to shortcut the CISO’s procurement cycle by ‘helping out’ with the PO (purchase order) process and talking to others before being told to do so, then you may be short-circuiting your relationship with the ultimate decision-maker (the CISO).

This doesn’t mean that a professional salesperson can’t engage in a conversation with the CISO around how to move things along more quickly. CISOs appreciate frankness, even if they can’t move as quickly as the vendor would like to.

Skip the ‘value prop’, and deal with the CISO’s pain. Value proposition, value smoposition. If CISOs have heard this once, they’ve heard it a thousand times. Please, skip it and go straight to the pain. Namely, what is the CISO’s pain (or hopeful gain)?

The CISO is trying to solve a problem. Savvy vendors will ask questions to get to the bottom of it. While a sales rep may be eager to pitch a new security analytics solution, the CISO is suffering through a severe security talent workforce shortage. The real pain is that the CISO’s security team is understaffed.

Get on topic and talk to the CISO’s real issue. Empathize, sincerely if you are able to, and then speak to your solution in terms of how it will enable the CISO’s team to detect and combat cyber threats with fewer people.

No cold calls, please. The CISO’s phone number is the wrong number, seriously. Cold calls are unwanted intrusions and interruptions.

If a sales rep is daring and clever enough to cold-call a CISO using a technique they learned at training — for instance calling after business hours when the CISO is more likely to be alone and prone to picking up the phone… it’s likely to backfire. Why? Because CISOs don’t want to be cold-called.

CISOs prefer to reach out to vendors. Vendors need to respect that and apply their sales genius to getting on the radar screen with the analysts, media, and associations where CISOs go looking.

Sales training for cybersecurity companies? Hayslip doesn’t offer any tips for getting sales teams trained up on selling to CISOs. But after listening to him, sales VPs might want to think about inviting a CISO to their next training.

Seriously, who’s most qualified to tell cybersecurity companies how to sell to CISOs? CISOs.

Steve Morgan is founder and CEO at Cybersecurity Ventures and Editor-In-Chief of the Cybersecurity Market Report and the Cybersecurity 500 list of the world’s hottest and most innovative cybersecurity companies.

Stay tuned for the Q1 2017 edition of Selling Cyber.