CISO Sales: DOs and DONTs

Ross Hosman
Aug 1, 2023

I’ve been asked by many folks how they should sell to CISOs, and I thought I’d just make my thoughts public. All in all, I’d say don’t try to sell to the CISO; try to sell to their team and focus on that relationship. Often we are just reviewing what the team wants to implement: they are our trusted advisors and we are just the final sign-off.

If you are going to pitch directly to CISOs, then I have compiled some DOs and DONTs that may help you be successful.

DOs

  • Be Unique — We get hundreds of pitches per month, so you need to stand out: make your pitch personalized and unique. Know about my org, what it does and how you think you can help me solve a problem I most likely have because we are in X category. I’ve seen whiteboards, drawings, custom videos, etc. All of those may get you a meeting because you put in the effort, if I think your product is a good fit.
  • Be Precise — Be very precise in what problem you think there is, how you solve it, how you solve it better than others and how you are going to make my life easier/better. So many folks make large nebulous statements and will quote things from Gartner around Security/IT problems leaders are facing. This is just noise to many of us that is to be disregarded.
  • Be Genuine — The best salespeople are the ones that try to sell the least. They have a product they are passionate about, they know it well, they think they can solve X problem my company is likely facing because they have done their research. You aren’t selling to me, you are problem solving for me.
  • Demo Demo Demo — If we are having a meeting for me to learn about your product, please make sure you can show me a demo the first time we meet. Our calendars are often hectic and we don’t have a lot of spare time, so being able to see the product actually work helps form my opinion on the product and reaffirms my team’s decision to buy. Some sales leaders have put in multi-touch meetings for you to even see a demo (intro, requirements gathering, presentation and product overview, and then demo) because they are trying to validate the pipeline, which I think hurts companies greatly (and I’ve seen companies lose business because of this).
  • Know your product — You, the salesperson, should know your product in and out. You should know the navigation, the features, the integrations, etc. Nothing is worse than watching someone stumble through their own product, which they clearly don’t know well. Obviously there may be technical questions where you need an SA/SE, but for the most part you should be able to get through a demo without them. If we have follow-up questions, please get them answered.
  • Let me try it — Sometimes products are just so easy you know they will work and you can buy them without trying them. However, a lot of times we need to see if a product will work in our environment or within our company culture. Often, sales leaders will want to establish a clear POV criteria list that says if they meet x, y and z you’ll buy it, which will likely be used against you if you don’t buy it (please don’t have this conversation).
  • Close the deal — Don’t play games with pricing or features at the end. Give me your best price the first time and ensure the features we discussed are included in that price. Nothing is more frustrating for both sides than for a deal to fall through at the end.

DONTs

  • “Our product would have prevented <insert last major security issue/breach in the news>” — Most likely it wouldn’t (the fact you don’t know that bothers me), you as well as fifty other salespeople just emailed me the same line, and what if I don’t even have that issue?
  • “I’d like to learn about you and your team’s goals for the year” — No, you really don’t; you want to sell me <product>, so be honest and be precise: what problem are you solving, why are you the best at solving it and how does it make life easier?
  • Call our cell (especially at 6 am), our partner’s cell or send us pictures from our kids’ soccer game — You would think this goes without saying, but it needs to be said because it happens all the time, and yes, the last one is a real example I’ve heard of from a CISO.
  • Try to go above my team or myself — Nothing is worse than a salesperson who starts emailing me when they should be communicating with my team or, worse, emailing executives in our company. I instantly don’t want to deal with you because now I have every executive coming to me asking why so-and-so is bothering them.
