As a former Global CISO and security leader in the telecommunications, manufacturing and healthcare industries, my goal was to build a security and risk management program that identified the most critical risks to the company, to develop security programs that mitigated those risks, and to build or buy effective security solutions that complemented or augmented the existing capabilities of my security ecosystem. These roles were heavily focused on ensuring the right mix of technology and resources was utilised.

One issue that comes up in every one of these roles is that most security vendors struggle to sell to the CISO effectively.

Within days of my stepping into a new role, the phone calls and emails start, not only through my work number and email but also through my private email, my personal phone number and LinkedIn messaging.

If you can’t capture my attention within a few minutes, you’re using the wrong approach. I will admit that I did respond to some of the messages I received via LinkedIn, and one actually impressed me. Why, you may ask? Because the salesperson came straight to the point and had a solution to my problem, or challenge, as I prefer to call it.

Do your research

I have to say this is one of my pet hates with sales calls. Each of the sectors I have worked in has its own challenges, and they are largely common to every company in that sector. For example, SIM swap fraud only happens in telecommunications; sorry, but I have never seen it happen in any other sector, although the banking sector feels the result of a successful SIM swap.

So, to be on point: know what sector you’re selling to, know what its challenges are, and don’t start the conversation with “tell me your problems”.


Get to the point 

Normally I have a million things going on at any one time during the day, and time is precious, so get to the point of the call or email quickly. I don’t want to hear a sales spiel that runs on and on, or read an email that runs on for pages: “Dear CISO, blah blah blah”, with the actual point buried at the bottom. Keep it short, keep it concise, keep it on topic.

I will also add that I have lost count of the number of times a salesperson has called me to say their director wants to talk to me. That tells me the call is pointless. My advice: if your director wants to talk to me, then your director had best pick up the phone and call; it’s not beneath him.

Sell me a solution, not a product

As a CISO I have many challenges and many issues to deal with. Come to me with a solution to my problems. Security threats change on a regular basis, and chances are I will have a challenge in those areas; help me solve and address that problem with minimal disruption. You may want to offer a PoV (proof of value) trial, but if it doesn’t solve one or more of my problems, or I have to arrange hardware and infrastructure changes to run it, it is a non-starter. Keep it simple.

Know your competitors, know your solution.

One of my favourite questions is: who is your competition, and why should I use you? I have quite a big network of connections, so if you talk badly of your competition, chances are I know someone who works there, and I may well have a good working relationship with them. You don’t need to make your product look superior; it can do that by itself if it’s that good. Which brings me to the next part: I will always ask how it works, and I want to check whether you have simply wrapped a nice interface around a piece of open-source code. Know your product. Do not try to palm me off onto another call with an engineer; I’m not that interested, but at least know the basics of the functionality. Not knowing kills my interest and inhibits your ability to sell to the CISO.

Build a relationship

I want to build a working relationship with security vendors that will help me solve my challenges, so come to me with ideas on how to improve my security posture. On the plus side, I may use you in more than one company. The reason this comes last is that you need to get through the points above to get here.

The last bit of this is: don’t go over my head thinking you can talk to the CEO, CFO or one of my stakeholders; this will kill the relationship stone dead. Check before you send out a free gift, as it could be classed as bribery and be returned, destroyed or given away.

One Comment

  1. This has been very helpful, thank you, Matt. I also just read your piece on a CISO’s 1st 30 days – very insightful. I am just beginning my career in security sales. Very useful, thanks. Adam

