How to Vendor/Sales in the Security Industry

I’ve been on the receiving end of sales pitches for years now. Ever since I took on senior leadership roles the constant trickle of various sales pitches just kept increasing.

These vary from completely out of the blue “cold calls” that attempt to push some solution, through the slightly better informed ones that take into account some of the business context, to highly relevant and targeted ones (not too many of those unfortunately).

This discussion recently came up during a conversation with one of my friends (who happens to be in sales), and we were comparing notes on the atrocities that we’ve seen as far as those pitches go. So I brushed up on one of my favorite Vendor Rebuffs courtesy of Andy Ellis, and was pointed to an interesting post by Mike Johnson from Lyft.

Both provide a good approach to dealing with vendors, but I found that there’s something missing, so here’s my additional take on it:

  1. Don’t pitch me. I’m probably not the right first contact for you. In every organization I’ve managed or built, I had subject matter experts (security architect, managers, etc) who were provided with the responsibility, autonomy and budget for their domains. You are looking for them.
  2. Don’t try to skip over. Skipping over my SMEs and going directly to me will, in the best case, result in you being re-routed to them. Skipping me and trying to go to my CEO/CFO/etc will result in your company being blacklisted.
  3. Context is king. Trust me to do the minimal amount of work required to get my job done – which means I’m well aware of areas where we need products/services. There’s zero chance of you educating me on a completely new domain where I need help (if there was, I’d be fired, or quit before that). Then you’d need to trust me to know the market enough to have conducted due-diligence and find the relevant providers in that domain. From the well-known names, to 5-person startups. We do not discriminate, and I always make sure to cover the market properly (I personally prefer to work with startups where we can have better control over the product features and roadmap actually…).
    If you aren’t in the running, then it’s one of two options:

    1. Your solution is known, but isn’t good enough for us or doesn’t fit our requirements (we work based on our requirements, rather than on what the vendors have to offer).
    2. You have an opportunity to educate us on your solution and we’d love to hear about it and see whether it fits our needs or not.
  4. As per the vendor rebuff from Andy – you don’t need to follow up again on your email. Not even once (definitely not 3 times). I do read all my email, and yes – I’ve been ignoring yours because I reached the conclusion that this is the best way to get rid of you. Past experience has shown that “unsubscribe”, “don’t contact me again”, and “this isn’t relevant” responses end up being perceived as “sure – reach out again in 6/12 months to see if my memory is shoddy”.
    Absolutely do not try to actually call me on my phone. You are wasting my time (and compoundly so, since it requires me to shift my multitasking and deal with your analogue call continuously).
  5. I maintain a black-list of vendors. It’s not easy to get into it (I do provide the benefit of the doubt and best intentions to everyone), but it’s impossible to get out of. You can ask vendors who have suddenly seen an immediate halt on all orders from my organization once I started working there.

So here you have it – a roadmap on how to get the 15 minutes of attention. Yes – it means you need to do your homework first. No – “clever” pitches to grab attention will not result in getting it (unless you were fortunate enough to be the one who caught me on a bad day, in which case I’ll probably post your egregious sleazy pushy email anonymously somewhere).

And even when you do your homework, you need to remember that you are dealing with a market that’s pretty mature and educated (or at least, my organization is such). Your attempt to “educate” us on a need is likely to be ineffective. Keep to the above and you might have a chance to get thrown into our POCs where we evaluate solutions for our needs.

Update: found this gem of a post – sadly I’ve run across each and every item listed there. Go study it and figure out how to avoid getting into the blacklist 😉

6 thoughts on “How to Vendor/Sales in the Security Industry”

  1. What resources can one utilize to learn about your current environment and figure out if you do actually have a real need for something? Or even a pain point you may not even be aware of yet? What resources can one use to figure out that information before reaching out to your organization?

    1. Good question, and probably not mine to answer as I’m not in sales.
      But in general I’d start with just going through the website, and trying out the service/product offered.
      There are basic tools such as and to give you a good idea.
      As far as identifying pain points that the organization is not aware of – I’d like to give CISOs/CSOs some credit to identify the basic things they should care about. If there’s really a completely new and unexplored threat that the organization is absolutely unaware of and you are the only vendor that sheds light on (and the threat somehow hasn’t materialized in the past yet) – reach out. But again – I’d be highly doubtful that there is such a case.

      1. What about innovative solutions that are threat agnostic, change paradigms, or impacts across all corporate functional domains, or perhaps works through a central channel? Rather than having a vendor work through every silo, does the CISO possess more of the big picture sensibility to participate how to assess and direct?
