How to Get a CISO to Buy Your Product

To keep an organization safe, a CISO depends on as many as 50 to 100 different products. This presents a huge opportunity for startups. However, this means that a CISO sees a LOT of pitches in their role. Securetech Managing Director at Dreamit, Mel Shakir, talks to CISOs every week. He knows how to drive a CISO’s emotional response and draw attention to your product. In just five minutes, Mel tells you the five ways to get a CISO to buy your security product. 


1. Highlight or Fulfill a Need

CISOs are looking for products that fulfill the needs and address the vulnerabilities of the organization. Some examples include discovering or blocking a new exploit or malware, or the massive move to working from home following COVID-19. Other needs may be driven by strategic priorities, for example, reducing the cost or complexity of security operations or projects driven by macro or micro-trends, including new privacy regulations or a company’s move to the public cloud.


Keep in mind, this spending is planned and budgeted.


It is possible, though, they may not know they have that need. This is your opportunity to highlight it for them. As a startup, you may be ahead of the market with a next-generation product. As a result, there may not be any defined category for the product or analyst report to indicate a clear need for the CISO. 

How can you overcome this? Demonstrate ROI. Demonstrating ROI can turn a product that was previously perceived as a “nice-to-have” into a “must-have.” This leads us to our next tip.


2. Demonstrate solid ROI

Demonstrated ROI defends the money that the CISO would put towards your product. To demonstrate ROI, you have to quantify the outcomes of using the product as a metric. As the saying goes, “You can’t justify what you don’t measure.” This is especially true in the security operations center (SOC). Here are some metrics that we recommend:

  1. FTE (full-time employee) gained from automation - This helps with the cybersecurity skills shortage every professional in the security industry is well aware of. 

  2. MTTR (mean time to remediation) - Lower MTTR improves analyst productivity and response. Faster threat detection due to automation or improved integration or workflows can result in lower MTTR. 

These metrics will indicate high value to any CISO and make your product stand out amidst the many products they see every day. 


3. Build credibility with peers

The security community is a tight-knit one. CISOs frequently talk to other CISOs. Your success with another CISO will get you instant street credibility. If demonstrated need and ROI don’t seal the deal, a referral from another CISO likely will. As a startup, you may not have enough customer references, but referrals from peer CISOs who have signed up as design partners or completed successful PoCs are just as valuable. Including logos in your deck is important, but at Dreamit we emphasize that you should be clear on what the logos represent (paying customers? companies in trial?).


4. Consider timing

The good news is that budgets are becoming more flexible. Micro-budgets are created several times a year so CISOs can react to threats on an as-needed basis. Thus, the budget is not the only, or main, factor impacted by timing anymore. This means there are other factors you should consider, like: 

  1. Product renewal 

  2. Product end of life

  3. Product depreciation


“CISOs are always looking to consolidate tools and vendors, so proposals to replace legacy tools nearing end-of-life with your next-generation products in a budget-neutral fashion, or with no added costs, are always received favorably.”


5. Figure out their vision 

To grab a CISO’s attention, your story should clearly establish how your solution will fit into their broader vision and roadmap. This works in your favor. If a CISO is considering your product versus a larger company’s more established product, CISOs recognize that:

  1. Innovation lives with startups, not large companies 

  2. It’s much easier to influence a startup’s roadmap to fit their requirements

  3. They can get a better bargain from a startup 

Additionally, CISOs are happy to discuss their vision and how they could incorporate your product.


Mel says, “Every CISO I know will gladly share their priorities and vision with you; all you have to do is ask.”

Now you understand what the CISO is looking for and factors they are taking into consideration when they hear your pitch. However, how can you cater to their organization specifically? Do your homework. 

  1. Find internal champions and prep with them before meeting with the CISO. 

  2. Gather intel from direct reports, vendors, and service providers.

  3. Discover their needs. What projects are in the pipeline? Be prepared to discuss your ROI and how it relates to the answers to these questions.

  4. Include success stories with CISOs they are likely to know.

  5. Find out how incumbent products you are likely to replace are performing.

When pitching to a CISO, preparation is key.

Follow our five tips, do your research on the organization, and you will be set to get a “Yes” from a CISO. 


By Alana Hill, Securetech Associate at Dreamit Ventures


Learn more about Dreamit Securetech, a growth-focused program for cybersecurity, fraud, compliance, and physical security startups.