Attention Sales Reps: The CISO has emerged from the shadows of IT


There’s no disputing the fact that B2B selling has become more and more complex. With the increasing number of technology tools at our disposal, it has become more difficult for decision makers to make purchase decisions. Decision makers take time to evaluate feature sets, costs, security, ability to integrate with current solutions, ease-of-use, and more. It’s not surprising that there’s a growing number of decision makers involved in the process. A recent article by Harvard Business Review found that an average of 5.4 individuals are required to formally approve each technology purchase.

These days, a key player at the decision table is the Chief Information Security Officer or “CISO.”

The role and responsibilities of CISOs are often confused with those of the Chief Information Officer (“CIO”). The CISO is primarily responsible for planning for security breaches, performing risk assessments of existing and new technologies, responding to incidents, and putting security policies in place. The CIO, by contrast, is responsible for purchasing technologies to solve organizational problems. After the CIO pinpoints new innovative technology solutions, the CISO must then evaluate the solutions and assess the likelihoods of data breaches or other incidents that may jeopardize the company.

With the rise in global cyber criminals as well as security breaches, the role of the CISO has rapidly gained importance. Companies are increasingly feeling the pressure to prove to customers and the general public that security is a priority. The CISO helps accomplish this and has, as a result, emerged from the shadows of IT to be granted a seat at the IT purchase decision-making table. Not surprisingly, the companies that have been publicly victimized for security breaches have been quickest to hire a CISO. Sony hired its first CISO in the aftermath of its 2011 PlayStation breach. Target hired its first CISO after its 2013 payment information breach. And JPMorgan only hired for the role after the company was breached in 2014.

Nonetheless, despite having a seat at the decision-making table, it’s an uncomfortable one for many CISOs. CISOs have not been welcome guests. They find themselves unable to influence purchasing decisions. Their contributions tend to be discounted. Yet, they find themselves more and more responsible for the outcomes (especially the negative ones) of purchase decisions. Ironically, according to a report released by ThreatTrack Security, almost half of C-level executives believe CISOs should be accountable for organizational data breaches, yet more than half believe CISOs should not be responsible for cybersecurity purchasing decisions. C-level executives belittle the leadership credentials of the CISO, with 61% believing that their CISO would not be successful in a leadership role outside of information security.

In light of the negative stigma associated with being a CISO, it’s not surprising that turnover among CISOs is extremely high. According to the Ponemon Institute, the average tenure of a CISO is only 2.1 years. Turnover is especially high in financial services industries (which tend also to be most susceptible to security breaches).

It’s time the CISO be given due respect and attention. Despite not usually feeling welcome, the reality is that CISOs are being involved in more and more IT purchase decisions. As you are crafting your sales strategy and pitch, you’ll do well to cater to this new demographic. As your personal sales analyst, Node is here to help by shedding light on four strategies to help you gain the support and backing of the CISO:

  1. Demonstrate your knowledge of, and appreciation for, security practices. The best strategy for connecting with CISOs involves voicing your understanding of, and concern for, data breaches, cyber-attacks, identity thefts, etc. Unlike most C-level executives, CISOs tend to lack experience in business. It’s best to connect with them by speaking their language. According to Digital Guardian, only 8% of CISOs started their career in business roles, whereas 59% started in IT or IT security and 19% started in a military or government role. When strategizing and developing your pitch, bear in mind the fact that traditional business jargon is unlikely to impress. Do your research, demonstrate a solid understanding of security terminology and top-of-mind security issues, and impress with your unbiased knowledge of threats, risks, and compliance issues, rather than your smooth talking.
  2. Address security at the onset. For CISOs, information security is always top-of-mind. When in conversation with CISOs, address security first. CISOs bear most of the responsibility for any sort of security incident. They are, understandably, laser-focused on protecting company data. To save face, they’d much prefer prioritizing security over product features and specifications. Sales reps need to acknowledge that security is paramount. When selling to CISOs, it’s important to first sell the security benefits of your offering – not the “shiny” features. Demonstrate that you understand the threats associated with similar offerings and convey how your solution mitigates or eliminates them.
  3. Address features second. Once you’ve demonstrated your appreciation for security and how your solution prioritizes it, you’ll be poised to effectively discuss product features. CISOs are often seen as a barrier to innovation. More often than not they find themselves at odds with the CIO, who tends to advocate for more innovative solutions that improve efficiency and solve organizational problems. The more you can help the CISO convey the business value of your offering to the C-level executives also involved in the decision, the closer you’ll be to swaying and winning the conversation.
  4. Empathize and appeal to emotion. Navigating the risks associated with today’s online world is daunting and frustrating. CISOs bear enormous responsibility in preventing security-related incidents. It’s a tall order. CISOs can’t possibly implement every single security initiative (they are often thwarted by the budget that IT determines). As well, they often feel bullied by their C-level executive counterparts as they are constant targets for finger pointing in the event of a data breach. Demonstrate your understanding of the inherent difficulties of the CISO role. Convince the CISO that you also prioritize security and care about protecting the assets of a company so that the potential for security breaches and other crippling incidents is minimized.

As a sales rep, it’s your responsibility to accommodate each of the stakeholders involved in the decision to purchase your solution. When “wining and dining” the CISO, you’ll do well to demonstrate your knowledge of, and appreciation for, security compliance. Address security and due diligence at the onset of the conversation. Product features should follow. Above all, empathize with the CISO – it’s a role that is severely undervalued.



About The Author

Rebecca Hinds

Rebecca Hinds graduated from Stanford University in 2014 with an M.S. in Management Science and Engineering. In 2013, Rebecca co-founded Stratio, a semiconductor company developing infrared sensors. The company was selected by the Kairos Society as one of the 50 most innovative student-run businesses in the world.