Security leaders are tired of aggressive sales tactics, and cybersecurity companies must change the way they go about acquiring customers. Thankfully, more and more people are becoming vocal about this problem, so I am optimistic it will get better over time. I have been reading a lot of great advice about how cybersecurity startups should engage with security leaders. Some of the best ones, in my opinion, are CISO Manifesto: Rules for Vendors (I would call this one by Gary Hayslip a required read for any security vendor) and 63 CISO Buyer Insights Carefully Curated for Cybersecurity Marketers.
The topic that doesn't get any attention, however, is how security leaders can make the lives of cybersecurity vendors easier. You see, a market is a two-way street, and only when both parties do their best to treat one another well can we make security a better place to be in. I previously discussed how security leaders can accelerate innovation in cybersecurity. In this piece, I will examine how chief information security officers (CISOs) should approach cybersecurity startups.
Start From a Place of Curiosity
Although some startup founders are in it exclusively for the money, most of the ones I meet are genuinely passionate about solving hard problems. Cybersecurity companies are started by security practitioners and CISOs, and they don't typically quit their jobs so they can make the industry a terrible place to be in (at least, not intentionally). While you may not agree with a founder's view of the world, recognizing that it has the right to exist and being curious about it is a great start. Without innovative founders willing to take risks, our industry would not have been able to evolve.
Articulate the Problem You're Trying to Solve and Provide Context
When asked, "What does your product do?" the only right answer is often this: "It depends." Without understanding the context and the problem you are looking to solve, vendors have no choice but to offload the list of features instead of explaining how (and if) their offerings can address your needs. This doesn't make it easier for the buyer to understand how all of these features can be useful for their particular need. Conversations that start by clearly articulating a problem instead of listing abbreviations a customer is looking to buy, tend to be the most productive for everyone involved.
Remember That People Who Work for Vendors Are Also Trying to Feed Their Families
Sales development representative is one of the lowest-paid and hardest occupations, and it's not uncommon for companies to hire fresh graduates and entry-level workers for these roles. Companies that use aggressive sales tactics should be held accountable. To do that, it's a good idea to leave a review online, call out the vendor on social media, tell your peers, and don't buy from the company. However, there is no need to tell the poor person trying to put bread on their table what you think of them, their family, and their life. Remember: They probably hate their job anyway and do it to survive; cold-calling is a soul-crushing grind.
Proactively Offer Transparent Feedback
As someone who works in product, I know firsthand how hard it can be to get users to provide feedback and ideas, or even report gaps. Most people, even those working for companies you don't agree with, are genuinely trying to do work they can be proud of. Hearing new ideas and perspectives helps startups innovate and prioritize solving the right problems — the bug that has been annoying your team could probably have been fixed a year ago, if it had been reported.
Recommend Companies You Trust to Your Peers
Early-stage startups are struggling to get the word out about their work. To discourage companies from using unethical, aggressive sales methods, it is important to not only bring attention to the bad in the industry, but also to evangelize the good. If there is a company you believe in, tell your peers about it, make an introduction to someone who may benefit from their work, publish a good review on social media, or even give them a testimonial they can put on their website. Best of all — you can do all or some of this even if you aren't able to adopt the product at your organization.
Say It How It Is
It is painful to witness security leaders and their teams ghost vendors after spending time going through demos, and even doing a few weeks-long proof of concepts. Managing expectations should be simple: If you see that you won't be able to implement the solution within the timelines you've initially communicated — just say so and provide a new target. This will help the vendor to update its forecasting and plan capacity of support teams. If you decide to not go ahead with the solution — send the people you spoke with a brief email — "Here is what we decided and here is why." If you want to be extra helpful, you can also share some feedback about the experience, what went well, and what the vendor can do better.
Both parties — vendors and buyers — have the power to help make the industry a better place. What we need is more collaboration, mutual support, and respect. At the end of the day, we are all fighting on the same side.