Why You May Not Sell Your Product to a CISO

A few months ago, we did a blog post on how to get a CISO to buy your product. But what will instantly make a CISO say no to your product? Mel Shakir, Securetech Managing Director, talks to CISOs every day in his role at Dreamit. He coaches companies to get them ready to sell to a CISO. However, he also coaches them on what to avoid. In this Dreamit Dose, Mel gives you 5 reasons a CISO may NOT buy your product. You can watch the whole episode below:


1. Potential to DISRUPT business

CISOs are accustomed to constant innovation. AI and SecOps offer significant value that will allow analysts and SOCs alike to identify threats faster and streamline workflows. CISOs don’t underestimate the value these next-generation security solutions will add to their organizations. However, they are skeptical of solutions that claim to make changes in real time. This can result in loss of data, blocked network traffic, or configuration changes that could be detrimental to an organization. Be prepared to tell the CISO how your solution can be deployed alongside existing technologies without causing disruptions. If you can’t answer the CISO’s questions about ease of deployment, you will get an instant no.


2. Missing key integrations and certifications

The next point emphasizes how important ease of deployment is. Since most CISOs use 50-100 products, you want to make sure that your product can easily be integrated with the tools the CISO is already using. Additionally, make sure your product meets essential requirements. What are these requirements?

Your product must:

  1. Integrate with the key security solutions or applications used by the firm

  2. Have APIs that can be used to integrate with homegrown tools

  3. Support industry standards that are applicable to your product category. For example, the MITRE ATT&CK framework for classifying threats and alerts

  4. (If it’s a SaaS offering) Have SOC 2 certification

There are many other certifications, such as Common Criteria, that provide assurance your product meets minimum requirements.


3. Creates vendor dependency

Your solution must prevent vendor dependency. What do we mean by “vendor dependency”?

Your product must: 

1. Be built on a well-accepted technology stack that has been standardized within the company. For example, say your solution requires the Hadoop big data stack, but the company has little to no experience with it. This will not work for the CISO.

2. Not require your own professional services for implementation and ongoing management 

3. (If it’s a SaaS offering) Provide confidence that the content created within the platform can be easily exported should they decide to switch vendors 


4. Difficult to evaluate solutions

If you have a security product, you should be well aware of the staffing challenges that CISOs face. Using and implementing the product should be an effective use of time. If your product requires an extended pilot, for example, to generate training data for your AI to work and demonstrate value, you probably won’t be able to appeal to the CISO. You must be ready to accommodate the tight schedules of the CISO’s staff and be able to demonstrate value without their assistance. So, how can you demonstrate value?

Demo or mock data is better than no data. 

When startups present to the Dreamit team, we love to see use cases. It is no different for CISOs. When you have a limited window of opportunity to prove your worth, you should commit to two to three use cases you can successfully showcase during the POC. This will help establish the ROI of the product for the CISO. The products that CISOs love are those that enable their team to easily test drive and see the value. 


5. Complicated pricing or contracts

The CISO should not have any questions regarding pricing. This means you must clearly present the information needed to understand the cost of deployment. This includes cost per user, desktop, or server as opposed to cost per event, alert, or API call. The former are easier numbers for the CISO to obtain, and easier to budget.

What are the five reasons you may get a no from a CISO?

  1. You cannot adequately communicate how your solution can be deployed in phases without causing disruption.

  2. You are missing key integrations and certifications that will prevent your solution from going live. 

  3. The proprietary nature of your product creates a dependency on your product and pro-services team. 

  4. Your solution is hard to test drive in a reasonable time.

  5. Your pricing model is hard to budget. 

Remember, most CISOs detest typical sales-oriented pitches. They want to have a stimulating conversation and easily see the value of your product. Send your well-prepared A-team and keep these tips in mind to avoid getting an instant no. Before they speak to a CISO, maybe also have them take a look at our 5 tips to get a YES here.


By Alana Hill, Securetech Associate at Dreamit Ventures
