An Open Letter to Vendors -- Part 2


November 10, 2015

By John J. Masserini
MIAX Options CISO

In Part I, I gave you some food for thought about getting your message out there in a clean, crisp, and concise way. In the second installment of my Open Letter to Vendors, we’re going to take a trip to the magical and mystical island of InfoSec Land, where sales are based on trust and functionality, and the sales cycle takes longer than the modern day election campaign.

An Open Letter to Security Vendors – Part 2

As the security market explodes with new vendors, there has been a correlated influx of ‘experienced’ sales folks calling on CISOs. More and more, I find myself running across sales executives who came into security sales from other markets. Software sales, hardware sales, outsourced services - you name it and likely we can find a sales person jumping on the InfoSec bandwagon.

Unfortunately, many of them think that selling security products is much like selling anything else - make a better deal than the competitor and you get the sale.

To all of those folks, I have some advice. 

Most of us don’t want vendors – we want partners. We want to work with people who care about both organizations being successful, not just one or the other.

Partners are not people who call me once a year to see if I got the annual invoice and wonder when they can receive payment – those people are called vendors – and they have a very short lifespan.

A partner works with my team to ensure we are getting the full picture – about your solution, general industry topics, or local going’s on. Partners are invested in our mutual success and they are the ones I call first with any new opportunities. Partners have a mutual TRUST that is imperative in this industry.

This is the point most sales and marketing efforts fail miserably on, especially at the beginning of the sales process. I need to trust you, your product, and your company. Security professionals live and die by trust, and if we don't have it in you, your time in this world is limited.

Trust is not defined by whether or not I’ve accepted your LinkedIn invite, or you scanned my badge at some event. Trust begins at that moment when I ask about a feature that may be road mapped, planned, or not even thought of - and you tell me the truth. The second you start to dance around the answer is the precise moment you lose a sale.

There is really no sense in telling us your solution does something it doesn’t. We’ll find out the truth during the product test, so why not just be upfront from the beginning? This is especially true for the startups.

If you roadmap a feature that’s a few months away, be upfront about it. We’ll likely still run the evaluation and look for the feature when it’s released. However, telling us you do something you can't will only get your equipment returned and get you labeled as untrustworthy – not really something you can afford in a trust-based industry.

The second point that most "experienced" sales and marketing professionals miss is that your goal isn’t to sell me a product – your goal is to get me to agree to a proof-of-concept. If your technology is as good as you say it is, it will sell itself. I don’t buy a house without walking through it, or a car without taking it for a test drive, so why would you think I’m dropping seven figures on a product without knowing how it works in our infrastructure?

You’re not selling widgets or bedazzled phone covers – you’re selling a solution that I am staking my and my company’s reputation on. Enough with the marketing fluff and F.U.D. – if you want my attention tell me what you do. Because the reality is... you will go through a thorough proof-of-concept well before I ever decide to write you a check.

Here’s what you need to remember. Every company, every infrastructure, and every security program is different. I frankly don’t care if your solution worked in some Fortune-100 corporation or if my competitor deployed it. I care that it works in my world, with my technology, and satisfies my requirements.

You can package it up as nicely as you want and put a big red bow on it if you need to, but understand that your solution will likely not just drop into my environment and fulfill all the promises of your latest marketing campaign. And please, for your own benefit, don’t put me on a pipeline report just because I’m doing a proof-of-concept, because odds are, it will be a different calendar year before you see a sale.

Oh, and to all the CEOs and EVPs/SVPs of Sales out there? Understand that this is a process - and a long one at that. The truth is, unless it's a Chicken Little purchase, there is a very high probability that I’m evaluating your solution for a strategic deployment and that we will likely have a new President before you can submit an invoice. 

So, based upon the way my inbox exploded with MadLibs following Part I, perhaps a light sales-centric exercise will help you determine if you are really sending CISOs the right message.

If you dare, one morning over coffee, spend some time on your own website and see if you can associate the functionalities detailed on the site to an actual capability in your product. Can you clearly articulate how the functionality is provided? Can you look a prospective customer in the eyes and explain it?

Perhaps this could also be a management exercise - take your newest ISR and your most seasoned sales executive and ask them to visit your own site as a customer does.

Can you connect each piece of functionality detailed on your site to an existing feature set of the product suite? Is the site correct? Is your sales pitch? Are neither? 

Look - it's simple. In today's hyper-competitive security space, you want to give yourself every opportunity to win a deal or, conversely, you want to avoid the pitfalls that will knock you out of consideration.

It really wasn't all that long ago when we had two choices of firewalls, or maybe three IDS vendors and a handful of SEIMs to consider. Now there are countless firewall/next gen firewall vendors who offer onboard IPS/IDS, Proxy, and anti-malware solutions all in a single device.  The point being that our world is rapidly changing and those with the budget have more options than ever. Why alienate yourself by promising a diamond and delivering coal?

Okay, so we’ve touched on Marketing in Part I and Sales in Part II.  In the next and final installment, we’ll touch on the technology that's being proffered as my ‘Solution to root out the evil doers hidden deep within my network….’ or some such thing.   

This is going to be a fun one...

comments powered by Disqus

The Human Factor: Gain new insight into the ways attackers exploit end-users' psychology​​

About Security Current | Privacy Policy | Subscribe to our newsletter