Understanding the sales pitch
Having been in the CISO role for several years, I have been pitched products and services hundreds, if not thousands of times.
They follow a familiar pattern: First, an overview of the company and how great they are. This pattern is supposed to establish some trust. Second, the salesperson will attempt to differentiate their company from the competition. This is to build credibility. Then comes the presentation of the offering. Hopefully, this garners some degree of understanding of the offering. Lastly, the value proposition, or why this offering is essential or needed, ideally generating a desire to acquire.
Merriam-Webster defines fear as ‘an unpleasant often strong emotion caused by anticipation or awareness of danger.‘ It is an emotional response, not a rational response. In the cybersecurity space or any security sales, fear is often leveraged by salespeople as the critical factor in trying to prove the perceived value proposition. It is usually cast in terms of the fear of the unknown.
I believe using fear as a primary driving for decision-making is a mistake.
Having the cornerstone of your offering’s value proposition be something akin to “if you don’t buy my stuff, the boogieman might get you” is inadequate and does a great disservice to the industry.
I see the cyberspace maturing beyond this as the only argument.
Instead, decisions should be articulated and anchored in business value terms like risk reduction or avoidance, productivity, cost, or other improvement indicators. Not in terms of emotional rhetoric of hyperbole intended to manipulate decisions or facilitate illicit responses.
Selling through fear comes in a couple of different flavors:
- Elicit fear of adverse outcomes for the organization. This is the general concept of selling the offering based on the notion of ‘You don’t want to have bad things happen, so you need to buy my stuff.’
- Personalized fear and uncertainty. The weakest of any fear argument. The ‘You don’t want to be that guy’ argument. I have seen this tact used by very seasoned and knowledgeable salespeople, very experience practitioners, or other very credentialed individuals with perceived authority. In this case, you are asking the customer to think of his or her personal or professional wellbeing and consider the personal impact of not buying the offering.
The cybersecurity industry has matured beyond spending money simply because we don’t want anything detrimental to happen. CISOs are beginning to demand a more mature understanding of value from cybersecurity partners. They want to know how the money spent is being used and how they will individually benefit. Not so much in terms of profits and losses, but in terms of risk reduction, mitigation value, or some other return metric for cybersecurity investments.
- How can a prospective client know that they are receiving a worthwhile ROI?
- How do they determine the most appropriate level of investment for the perceived value?
- How will each cybersecurity investment drive the mission or objective?
Since CyLumena’s launch in 2017, we have seen many instances where prospective clients had poorly fitting cyber solutions where more money did not provide improved protection or better outcomes.
Here are four realizations to help ensure cybersecurity solutions are the best fit for your needs:
Tip 1: Look beyond the fear
Professional salespeople like fear. It is visceral, compelling, and has been a tried-and-true method to sell cybersecurity. See through it. Keep emotions in perspective and look at the real, intrinsic value in the decisions you are making and the products or services you are buying.
Tip 2: Get buy-in with value vs. fear
When selling up to leadership, executive committee’s board members, or investors, it’s easy to fall into the same habits I am critical of salespeople for employing. Understand your ask and position from leadership’s perspective, and express them in real value terms. Avoid an emotional argument based on fear.
Tip 3: Replace thoughts of ‘fear’ with facts of ‘risk’
If you remove the emotional component of fear, you’re left with the desire to manage risk. This is the foundation of what we do. Replace emotion with qualitative and quantitative data points. This enhances understanding and support.
Tip 4: Stay on top of business and industry movement
Infuse information-gathering benchmarks into your annual calendar. Use these to understand your industry, business, threats, and effect on your plans and priorities. The antidote to fear is understanding and rational thinking. The more we know and understand, the better equipped we are to handle and articulate risk. When we don’t know, we fear.
Cybersecurity is growing up. And, as cybersecurity consultants and experts, we must lead in positive change by demonstrating to our clients the effectiveness of the strategies and tactics behind how we use their budget and quantify how our efforts benefit their organization. Clients should expect more from sales teams who may need to adjust their practices to align with a more mature approach to cybersecurity solutions.