How to Sell Security to a CISO
Updated: Jul 2, 2019
We had the pleasure of sitting in on a speaker session by Levi’s CISO, Steve Zalewski, who gave a unique inside view of the real life of someone in his role. If you’re interested in learning more about this role and want to be better equipped to sell to a CISO, keep reading to find out the good, the bad, and the ugly.
Selling Security to the CISO
When it comes to selling technology solutions to a Chief Information Security Officer (CISO), many salespeople may not realize what they’re doing wrong in the pitching process. For Zalewski, the wrong pitch is one that leans on politeness and doesn't cut to the chase. He said, "Please don't be polite with me. Perhaps you come from telecom and are used to working with IT organizations – but you are likely not used to reaching into the security department at an organization trying to sell security. You're pushing a rock up the hill if you lead with politeness. We need to get past the polite part. Be upfront: What is it that you want to ask?"
How you approach a CISO will impact his/her decision to either stick with you or move on. Therefore, it’s crucial to understand what a CISO is looking for and what he/she needs in order to make a successful sale. For Zalewski, that's a direct, upfront approach because he doesn't have time for more than one potential vendor call a week.
CISOs are protectors of the environment who are often stressed and overwhelmed by the number of technology options and solutions they’re considering or looking to implement. Therefore, for vendors who want to sell security to a CISO, there are a few crucial things that they must know:
Don’t throw tools at them: CISOs already have a lot on their plate. They don’t need vendors to throw tools at every problem they have. Instead, you have to find the metrics of the business in order to really figure out what the CISO needs and how to reach him/her.
Step up your game: If you’re selling security, you must understand it and be an expert. You must know your subject matter, such as who you’re going to attack, and position yourself against the bad guys.
Make your business propositions resonate: As a vendor, you have to do more than make your technical proposition resonate. You must be able to communicate why and how security services can help CISOs mitigate risks, and translate that into business value.
When approaching CISOs, advisors must know the difference between security and protection: In order to deliver what the CISO needs, vendors must know the difference between these two elements of a solution. As protectors of their brand, CISOs are already forced to look at potential threats to their company. “For me, it’s a junior person who is simply talking in terms of ‘security’. Really it is ‘are we protected? Are we safe?’ That is what needs to be addressed,” said Zalewski. As a result, the head of information security needs trusted advisors who will understand those risks and offer the right solutions to keep them protected.
Address visibility: “Often the greatest threat is between the keyboard and the screen,” said Ivan Paynter, National Cyber Security Specialist at Intelisys. To this, Zalewski agreed and added that the bad guys are constantly doing “social engineering and will find a way past you. You will click. You are human.” Addressing the need for visibility into the network, and into what the users are doing, is speaking the language of the CISO.
Talk in terms of risk: As Zalewski said, "My job is to protect the brand. We are the Coca-Cola of jeans. Instead of talking technology, you might want to talk in terms of the risk for various scenarios so that if these events occur, you are able to get through it. When you get to the CEO, the board, and executive level, you have to talk about risk – business risk."
In summary, when presenting security solutions to the C-level, and specifically the chief of information security, you must be able to communicate in a way that convinces them of your security knowledge and expertise. CISOs would much rather have vendors and salespeople shift from an IT perspective to a business perspective when selling them security services.
If you found this recap useful and would like to learn more about how you can address the needs of the CISO, reach out to us at Effortless today.