Most people in cybersecurity know that marketing and selling to today's Chief Information Security Officer (CISO) is not easy. CISOs have an unprecedented amount of work and conflicting priorities on their plates, making it extremely difficult for anyone, let alone a vendor trying to sell them something, to grab their attention.
To reveal how B2B cybersecurity companies can better reach elusive CISOs, Merritt Group partnered with Tech Exec Networks (T.E.N), an information security networking and relationship marketing firm, to survey leading CISOs and find out what influences their buying behavior and triggers the sale.
In our latest Lay of the Brand podcast, Sujeet Bambawale, CISO of 7-Eleven, and Marci McCarthy, CEO and president of T.E.N, look into our survey results and tell us what CISOs really want to hear from marketers.
Here are highlights of our conversation. Click below to listen to the podcast or visit layofthebrand.com.
Michelle Schafer, Lay of the Brand: So as you know, our survey showed that 64% of CISOs rely on peer to peer communication to make buying decisions, but what are some other sources that are important to CISOs, and how do you find them?
Sujeet Bambawale, CISO of 7-Eleven: Sources of information, and I think that your report called these out very well, that I certainly look at are blog posts. I'd like to take a minute to describe my workflow on how I get to that blog post. The most popular kind of blog post that gets my attention is the threat intelligence blog post, which means there is a threat hunting team or some sort of intelligence team within perhaps a vendor organization or a security vendor organization that has found and contributed to finding malware or finding and busting some sort of cyber criminal group.
Abstracting that and stepping a few steps back, I think what influences me the most, and leads me to a blog post is something that is done for the information security community as a whole. I have found that I have been more and more interested and attracted to community based posts like threat intelligence, women in security, and other community engagements like that, which then say hiring has gone up, diversity has gone up, and just adding to the intelligence value within information security. Those are the kind of blog posts that get my attention, and then if they lead me to that solution provider’s specific solutions, specific product, that happens organically.
Michelle Schafer: That's great to hear. For the longest time we've seen many vendors put out their own threat intel blogs, and I think that information sharing aspect has been so huge for the cybersecurity community for a very long time. So it's really good to hear that that's what you're looking at very closely.
Marci, did you have any thoughts on blogs or different types of marketing materials that you're seeing CISOs really like or pay attention to?
Marci McCarthy, CEO and President of T.E.N: I think there's also an aspect of peer networking and not having peer groups out there, whether it's through your professional network, and I know we're a little limited right now being in COVID, but the value of getting together for informal meetings on Zoom, like ISE Cocktails and Conversations, is a great example of how people are still staying connected, learning about the latest technology, sort of bouncing ideas off of each other, and staying top of trends.
I'm also hearing a lot on social media. There seems to be an uptick of activity on LinkedIn, for example. People are posting their own articles and thoughts and not necessarily always bringing everything to a blog page. If they are putting a blog out there, they're using social media to bring eyeballs and conversation to it and using LinkedIn, for example, as a way to have that conversation in a more public forum. Otherwise, finding that blog post might take a little bit of art form in locating it and you might not have heard it, but optimizing it and creating a social media brand and presence for yourself can definitely help extend your peer network in a way to bounce ideas. And then leveraging that without having to exchange true contact information, but in a conversation type of mode, you could have set up some group chats within LinkedIn messenger, for example, to sort of have that informal conversation.
I've found over the years that informal references and conversations are the strongest way to build a professional network and a total value add of building a professional network.
And again, we're having to be a little bit more creative now because our in person events are limited, but taking to social media platforms, building a brand, and making an investment of time to engage is definitely how I'm seeing a lot of people staying connected, as well as learning new trends and technologies.
Michelle Schafer: Absolutely, and I couldn't agree more. Social media has been such a game changer for so many folks to connect and really help amplify whatever it is that you're trying to get out there and really just be part of the conversation.
I want to shift gears a little bit to news sources, in terms of where CISOs are getting their information. Obviously the news landscape is flooded every day with lots of different headlines of breaches and threats. How much are you relying upon just general news sources or are you going to vendor websites or white papers?
Marci McCarthy: I'm seeing an overwhelming aspect of news overload and then the aspect of some people just turning it off, with the onslaught of COVID and the depressing nature of it. I know I had to turn off all news sources for quite a while, to stay sane and focused. I would just put on music for part of my day, just to stay sane and stay focused on what I was doing. I certainly realize that’s sort of isolating and cutting yourself off, but I think what I also learned to do during this time period, and what I've seen our customers do, and other security executives out there do, is tailor how they're getting their news and timing it to when they want to receive it.
So being a little bit more creative, if you have an iPhone or an iPad or your LinkedIn or anything like that, you can actually customize what news sources come to you and subscribe to them overall, and then you can opt out of news sources that are just not appropriate, or not your appetite overall, and then limit the amount of breaking news that is blowing up your phone. It can be very distracting and overwhelming.
I also see that people are consuming news through social media as well, and not necessarily watching or reading it. So as a publisher, you have to be a little bit more creative, of how you're going to get your content out there and how it is consumed, overall.
I've seen a lot of folks turn to salacious headlines, so you have the click bait kind of happening, but you also have a lot of people upset over paywalls that prevent you from seeing a lot of the content. I know that the news providers out there have to make their money, advertising is one way and certainly having a paywall is another. If you're going to put your content behind a paywall, it better be some really good content because there's alternate ways to get it or people will just move on because they're not willing to do the paywall.
Sujeet Bambawale: I’ll tell you what tracks with me. I'll break it down to some very tactical examples. When I see social media or when I see videos on social media, I'm attracted to and use the videos that have closed captioning at the bottom, because then I can see them, even if it's news, I can consume them. Let's say when I'm walking around, when I'm on the treadmill or something like that, it becomes very portable. It doesn't want me to be at a certain place.
When I look at social media articles or any other kind of articles, what gets my attention is the articles that take the time to say “TLDR” (too long, didn’t read) and “so here's what I'm going to talk about.” There's the long form and I really look for the summary at the top, to see if this is something that's worth my time.
But to answer your question more pointedly, the group chats to Marci's point and other closed forums, perhaps within peers, that send out links saying “have you seen this?” or “does this affect you?” Those are the two that will get instant eyeballs. So if I were to put them together, if I were to put these few things together, what typically happens in a news consumption cycle for me is, I learn about something via a referral from the peer group or from the peer fabric or it will be a website like Threatpost or something, which is kind of breaking news.
Information security is very tactical, but breaking news and information security, then the discussion about solutioning will be more organic because you can't trust just one source. So you're bouncing off a few sources, the minute you establish relevance, so the minute I think, “Oh, this could be relevant to me,” now I'm bouncing off of three or four or five reputed sources that I use regularly and perhaps at least a few peers to say “is this relevant in our context?” Then to take it and bridge this to a solution, what I do is look at the narrative that is built by even a vendor, quasi marketing whitepaper that says “we address this problem at scale” with this technology. See that is very important because I'm not necessarily looking at point solutions for point problems. I'm looking for solutions being solved at scale. I’m not disparaging custom development, but you can have custom development built to fit or tailored to fit your own small problem that is caused by a vulnerability, that is caused by an exploit, that is caused by a weaponized whatever, right?
What really attracts me is when someone says, “Okay, I understand it and I have solved it at scale and it's available because the key problem is on our roadmap.”
When it's on the roadmap, it's hard to determine at first glance, whether it is available immediately or it's going to take another three or four months to get to market. And sometimes I know in the back of my head that I'm going to be asked for a sustainable solution before those three months out.
So the best communication is, there is a new problem or a new variant of a problem that comes to me via a new source, a credible news source—we have some sort of tactical escalation or from the peer group fabric. Then, an existing vendor or existing set of vendors says “the way our solution is built already addresses this or can address this at scale with minimal changes.” That is a great way to go from finding news to digging into news and then reaching a specific vendor or multiple vendor solutions that could be a snap fit.
Michelle Schafer: That actually sounds like a great approach and I'm glad that that's been successful for you, and it's a really good segue into my next question around how vendors should or should not approach a CISO like you, Sujeet. I know this is top of mind for a lot of sales and marketing folks, so I would love to hear your thoughts or any advice that you have.
Sujeet Bambawale: I like the empathetic approach. And what I mean by empathy is, I respect the sales cycle, I respect that the sales, the marketing, and the revenue cycle. I understand it, it pays most of our paychecks. So, mad respect to sales folks. I don't think I could do what they do, honestly. You know, it's just a lot of really hard work. On the flip side, we are humans as well as in the CISO community. We have the same 24 hours in a day and we have the same human responsibilities and human things to do with those 24 hours in a day.
The interests are somewhat a problem in which you know they want us to first share our time and then our money and we, on the other hand, want to apply it most to safeguarding our interests, but that said, I think the empathetic approach is the best.
So, in the current conditions where people are sitting for literally days on end from morning to late in the evenings, just because there is no need to go to another meeting room, there is no need to go to another conference room, there is no need to go to another office. It's all here and I have found myself sitting down for the complete day and in such cases, an empathetic approach would be a salesperson saying, “Hey, I'm going to take only 45 minutes of our 60 minute session” or “I'm going to give you 15 minutes back.” Now those 15 minutes at that point are far more valuable to me than any tchotchke or any gift or whatever it is that comes, t-shirt or whatever that comes along with it, so I think it's just the empathetic approach.
I think that when people call us at like 8am in the morning or 7pm in the evening, they have to understand that we have to keep our phones open because security without an open front door is bad security. I know that's hard because security should be “closed doors,” but we have to partner with the community and I can’t just turn off my phone because anybody could be calling. It could be a customer with a problem, it could be an employee with a problem, it could be a bug bounty hunter or responsible disclosure person who's calling me to say, “Hey, I found this with your company’s security posture.” So just because it's an unknown number doesn't mean that I'm going to ignore it, but that on the other side should not be abused. So, if you have my cell phone number, just text me ahead of time and say, “Hey, I'm going to call you about this.”
Catching me by surprise doesn't help you or me.
So, I think these are small empathetic human things that can change the tone of the relationship and better the new ones.
My final suggestion is to build on the social fabric. If you tell me that I've already talked to CISO A, B, C, D and E, that's the person I know you kind of converse with or hang with on a regular basis. You've kind of solved that part of my problem already because I'm going to reach out to them and you already kind of name dropped them to me, in a good way to say, “Hey, check with them. We just had a conversation or whatever.” You're kind of building and going into my workflow already, which is then saying, “Okay, this guy or gal has taken some time to do research on how I work, has recognized that I'm a nerd and I like data or whatever it is, has taken the pains to research how I speak, how I talk, how, what kind of data I typically need from vendors and it's coming prepared with it.” So I think that really helps. I realize a lot of cold calls are just the nature of the industry, but those three things are what I would do in my ideal world to have that conversation be more positive.
Michelle Schafer: And I think that actually lines up really well with what we found in our survey which was that 34% of CISOs said that vendors have a better chance of success by doing some homework and really understanding the CISOs problems. I really like that you mentioned having an empathetic approach, because right now we all need to have that, no matter what field you're in. We are in unprecedented times and I think understanding that time is valuable for everyone, and your point about giving you those 15 minutes back really helps.
Marci, I know you're on the front lines with a lot of CISOs. What are you hearing in terms of just how vendors should or shouldn't approach a CISO?
Marci McCarthy: So I’m hearing a myriad of different things. First and foremost, the work life balance has really been challenged for a lot of folks. So while we thought we have eliminated the commute by working remotely, we're actually working in a lot of instances longer hours and we've also discovered that a lot of people are not necessarily in the location in which their company headquarters might be, so they might have already been commuting or they found another alternate location that would be more amenable to their families. They could be, let's say in one time zone versus another time zone, so tap the knowledge. If you are going to do some outreach in terms of calling and having a meeting request, be respectful of the time zone of the person that is going to be on the other end and where they're located. Don't request a meeting at nine o'clock in the morning East Coast time and expect six o'clock in the morning to be an acceptable time on the west coast. Take the time to ask, don't just assume that because a company is headquartered in XYZ that the person might be in that location, so take that extra step to ask.
Also good communication skills, first and foremost, certainly we don't have a lot of chances right now for small talk, but taking just a minute to ask how somebody truly is and what's going on will go the extra mile because some people just want to tell you that their day is going well, or maybe not going well, or that they just miss something about being in person.
So just have that little bit of what Sujeet talked about, empathy. A little bit of small talk can still go a long way and it's not a waste of time. So when you're communicating with somebody, be thoughtful about how you communicate and be empathetic as Sujeet talked about, but also be a very good communicator.
You’ll want to almost over communicate a little bit in that using time zones and meeting expectations. A lot of us are tethered to our desks right now and on Zoom calls. So put an agenda forth and as Sujeet talked about, giving 15 minutes back of your call. Even think about making the calls shorter to 30 minutes. Do you really need a full hour of somebody's time if you can accomplish something in 45 minutes? I would challenge you to be able to accomplish the same thing in maybe 30 minutes or even less, but that's because you’ll be prepared for the call and not try to wing a call overall. Actually have a clear cut agenda of what's to be expected, and who should be on the call.
Like we all should be in the real world, try to be on time, because there's nothing worse than sitting there on Zoom by yourself or that you're the last person on the meeting. I certainly understand that there's exceptions to the rules, but be respectful of other people's time. There's nothing worse than having a 30 minute call, whether it's a conference call or on Zoom and it starts 10 minutes late. So you really have to be thoughtful and respectful overall, and limit calling of people on the phone because most times people are going to be in a meeting. So if you happen to have the cell phone number, perhaps, think about using text and being very clear with what you're texting about. “Where's my PO?” is not going to really cut the mustard; “Can I get an hour of your time?” is not going to cut the mustard. Be very prepared and thoughtful of what you're asking somebody, be specific, from the time period, what's being expected of them and be concise and precise.
Michelle Schafer: That is so important. It is difficult in this atmosphere because we are sitting on the phone, Zooms all day long and like I said, time is valuable. So, really being prepared, in terms of materials that you like to be prepared with. Just for your vendor interactions, Sujeet, is there any one particular type of content that you like best? If a vendor sends a white paper or a video, what do you prefer?
Sujeet Bambawale: White paper means something very important to me. (Those with) engineering degrees and people who wrote a lot of whitepapers in college, we cherish white papers. I think that the vendor whitepaper has now morphed into something slightly different. I'm not against whitepapers. I’m very much supportive of data and customer case studies and insights. I really like infographics because they tell a long story in a short, easy to consume way.
So with regards to materials, long slide decks have never helped, whether it is sent ahead of time or used during a presentation. What I have found is a good approach recently, is people have done a very creative way of packaging a small video file. I don't know if I can mention the product, I think it's called Loom or something like that. What it does is it really puts a bubble with your live camera feed and you're navigating the interface and that becomes a video file and they send it. It was very interesting because it was a person literally using the interface of a security solution. It's almost like a tutorial way of saying we could do this. It was a very short sound video clip and that really worked for me because it answered the question, it gave me the detail that I was looking for and it said “okay, if this is mature, to the point that a video file can be created and shipped off to a person, then it's really well made.”
So if you must write whitepapers, try to summarize at the start and then give the data at the end. If you must give case studies, we don't want names, most people or many companies are hesitant to give their names, that's fine, but try to give a good sense of their vertical, revenue and employee count. I'm not trying to insinuate my way into knowing who they were, but you see, we have to map them to us. Benchmarks are very helpful.
Benchmarks are extremely helpful, so if you can lead with that, that’s good. If there are specific things in your solution that you think are amazing and exhibit that passion—say that “we created a competing platform in A, B and C respects, but this specific thing is what we are really proud of.” Passion is very powerful.
I would really like it if somebody said “I want to show you this. These three small things from our offering that we think are awesome, new and unique.” So just let the passion come through. Don't kill us with slides because it's really counterproductive.
Michelle Schafer: Yeah, it's difficult to sit through 50 slide presentations, which actually leads me to another good point around webinars. Obviously with COVID and the lack of being able to meet folks in person, we don't know when that's going to come back in terms of face to face events. How are webinars doing? Are you feeling like those are pretty useful and I’m sure Marci you've been doing them and you've been on them as well. So I'd love to hear your thoughts on it as well.
Marci McCarthy: What we have learned is that with the digital side of things, there's costs associated with it. Certainly eliminates your venue and your travel costs, but there's a whole production side that a lot of people don't really realize that goes into it and it's almost similar to what a TV show might go into terms of production. So you have to have both the financial resources as well as to plan ahead if you're going to go into a full scale production of a conference type or an awards gala type of program format.
To have it be interesting and meaningful and we also learned is, you've got to go quick, so your panel is only 15 minutes, your showcase presentation is only 15 minutes. People have to keep changing and moving much like they do in person, but the format has to be stimulating so that they're just not static. You cannot expect somebody to sign on for Zoom for two days straight and be engaged and they even want to participate in a program. So really be thoughtful about if you're going to do an extended program, you've got to really make it interactive, engaging and change the format overall.
We're looking at 2021 with some hybrid approaches. We actually had a webinar, just a little while ago and we talked about doing even some hybrid dinners, where we started to take the cocktails and conversation format and project that to those with an UberEats kind of function where they're eating and drinking with us and participate in the conversation. Then for those that are comfortable in person or the locations ideal for them, they can come and be with us in person. So we can still be collectively together, but there's still some challenges for people to come in person. They may have family members that are elderly or they have compromised health or pre existing conditions, so we want to be really sensitive to the different challenges that people have, but we're certainly committed. We are a relationship marketing company and we want to bring two people together again to connect, collaborate, and celebrate.
Michelle Schafer: Absolutely, I'm hopeful that in time, we can all get back together in person. For the time being, one other question I have is demos, product demos and how those have been going with vendors doing them remotely and if that's something that has been going well, Sujeet, in your experience.
Sujeet Bambawale: I think so. I think product demos have been going well. My preference for beta product demo or beta webinar has been that it tracks best for me if there is a collective set of data, experience, or expertise. So Marci's events bring together a lot of very smart people into one event and it's really good to learn from the conversation.
Similarly, whether it's a product demo or any other kind of related event, when they're unpacking an aggregated report or something like that and you want to understand the trends and the insights. It's a very lean-in engagement for me.
For product demos, it's very good to see it up close, almost without the other person in the room. It's very good to see the screens up close and be able to ask those questions up close. I will admit, though, that the more screens that you have the less your attention spans.
Michelle Schafer: That is actually really great advice. And I think it's just part of the world we're living in right now. It's information overload. So, simplifying being clear, being passionate, as you mentioned earlier, about product features that you really want to point out I think are really good tips for vendors who are looking to get your attention and talk to you.
Any other thoughts about the relationship between CISOs and security vendors or any last minute advice or something that we didn't touch on?
Marci McCarthy: Remember that both sides of the equation are people too and be sensitive to both sides of the equation. So certainly salespeople and marketers, especially salespeople who have quotas to fill. But you also don't know what the challenges are on the other side of the coin. For the CISOs I know you can't talk to everybody and be amenable so really the true value of relationships comes to rise to the top, especially in our industry, because trust is tantamount.
Sujeet Bambawale: I'd love to add to that, if I may. I have seen that like wine, these things get better with time. So, a vendor rep who may have known me five roles ago starts knowing exactly how I work and what solutions I'm looking for and what's the interest with which I'm looking for a solution or asking for a solution, kind of married with their own career arc. (This) leads to being excellent with phone calls from role 3, 4, 5 onwards. So perhaps they were younger in their career then, as well as I, and now they've known me, they know what works for me.
They know if I'm calling in and in a certain tone of voice, that this is something I need very quickly, and they've also got trust with me to say “Sujeet, the company I'm working with right now that will address only part of your solution” because they know that they don't want to sell me half a solution and lose that trust, but much rather keep that trust and when they get to that snapshot solution. They have that relationship with me to say Sujeet, you've got to take this right now and I'll take them seriously. I think it does mature with time, so you should let that breathing room be there.
Want to learn more about how to influence and market to CISOs and other security decision makers? Listen to this podcast and other episodes at layofthebrand.com or your favorite streaming platform.