This blog is part of an ongoing Q&A series with CISOs on preferred marketing and sales techniques, leading up to the RSA Conference, taking place March 4-8 in San Francisco – where cyber professionals from all over the country will come together to make connections and keep the digital world safe.
As an industry veteran, John Masserini has gained widespread recognition across multiple verticals in information security, especially in providing a more business-focused approach to information risk programs for today’s security challenges. In his current role as Global Chief Information Security Officer (CISO) for Millicom (Tigo) Telecommunications, Masserini leverages this extensive background to drive the company’s information security and risk management strategies, including security architecture, security operations, regulatory compliance and business continuity for all global business lines at Millicom.
In an interview with Merritt Group’s Security Practice Lead, Michelle Schafer, Masserini shared his views on what it means to be a CISO in today’s landscape and what security vendors should know before trying to market and sell to him. He will be presenting his views at the upcoming T.E.N. & ISE® Sales and Marketing Breakfast during RSA 2019.
How long have you been a CISO?
In total, I've spent almost 15 years building and developing information security teams. I’ve been a CISO at Millicom for the past year and a half. I’ve also previously served as CISO for MIAX Options Exchange and Dow Jones/The Wall Street Journal, where I oversaw security, risk management and business continuity.
What are your top vendor challenges when it comes to securing your enterprise?
One of the biggest challenges is finding vendors out there who are ready to be partners, instead of just “vendors.” To me, this means working with people who care about both our organizations’ success, and who call me more than once a year – not just to see if I got the annual invoice. They work with my team to provide the full picture about a solution, sending details on relevant industry topics and what’s going on locally. Finding partners who are interested in our mutual gain, and who I can trust, can be pretty hard to come by in today’s market.
What turns you off about security vendor sales?
Too many solution providers fail to understand the operational complexity they will introduce into the enterprise. No matter how good a solution is, it’s going to be disruptive to my organization because the vast majority of security solutions are inherently disruptive. Posing questions like, “How do you support hot/hot failover in geographically disparate regions?” often results in complexities when working to implement a new solution, which more often than not is also operationally intensive. I’ve seen many potentially amazing products crash and burn because the product team had forgotten about one of these three aspects of the process.
Any marketing frustrations?
I’ve noticed a serious lack of messaging from companies these days. When businesses try to approach me with a “silver bullet” solution, try to scare me into a purchase, or claim themselves as a leader in the space, it doesn’t do anything to inform me about how exactly they are going to address my organization’s specific needs or reduce risk in my environment. Instead, start with how to solve one of our pain points and you’ll get my attention instantly. However, if I have to hear about the CEO’s 30-year tenure of running a Fortune 1000 company, or whether the solution has worked at countless other organizations, my attention will be lost within seconds. Another major turn-off is the cold call/email that starts off with “As a CISO, are you worried about application/network/email risk in your company?” It’s lazy and absolutely demonstrates your lack of understanding of the industry and what you are selling. You could boil down industry verticals into less than a dozen, so make some effort on understanding each industry and developing your message accordingly. Your healthcare email template is not going to work very well in the telecommunications space, so don’t be surprised if you automatically get labeled as junk.
Any tips for security marketing teams to improve their approach to you?
To address the “lack of messaging” problem, I’ve suggested a sort of Mad Libs approach to pitching a product to folks like me. We don’t want to hear a life story, about the decades of experience running companies, or the brilliance of the organization’s algorithms. Instead, advise on how to address an actual problem we have. Here’s an example: “My name is John and I’m the CEO of X Company. Our company’s goal is to help you gain control over XYZ problem by managing XYZ. If you are dealing with XYZ problem in your environment, we would love to demo our XYZ solution and see if this fits.” Fill in the gaps with your own story and voilà!
What do you plan to highlight to sales execs and marketers attending the T.E.N. RSA breakfast event?
I realize that some of this may come across as gruff or hard-nosed, but at the end of the day, most of us do not have the time or desire to wade through countless emails from dozens of vendors trying to figure out what your solution does. Wouldn’t it be better for both of us if we could quickly and easily understand your approach and solution so we could determine the best way to move forward? Hopefully the dialog during the breakfast panel will provide some insight into what consistently works and what doesn’t.
You can read more about Masserini's thoughts as a leading CISO on his blog, "Chronicles of a CISO."
Please join John Masserini and a panel of top CISOs at the T.E.N. & ISE® Sales and Marketing Breakfast during RSA 2019 on March 6, 2019, at Oren’s Hummus San Francisco, located at 71 3rd St. To register for this event, please visit: https://www.ten-inc.com/rsa_ten2019.asp