Last week I had the honor of presenting at SecureBoston2015, an InfoSec technology event for buyers and vendors. The event was hosted by the International Information Systems Security Certification Consortium, a.k.a. (ISC)², the world’s largest IT security organization. Sponsors included LogRythm, Cylance, G2 Deployment Advisors, and other security intelligence leaders.
I started my talk by asking the audience how many of them had ever had a miserable experience with an InfoSec salesperson. On the flipside, I asked about unpleasant run-ins with information security buyers. I wasn’t surprised when the majority of attendees shot their hands in the air for one of these opening questions.
Too often, sale professionals and their target buyers are at odds. So in preparation for my (ISC)² talk, I started thinking not just about sales best practices, but about buyer behaviors, too. Because when buyers come to the table with an open mind and positive expectations, it gets a lot easier to discern ideal sellers (and ideal products/services) from the enormous crowd of irrelevant or subpar vendors.
Here are the nine buyer rules and sales best practices I shared:
RULE #1: Don’t paint all salespeople with the same brush.
According to a global survey of 360 senior IS executives, only 13 percent think closer collaboration with vendors could help them prepare for an incident. That’s not exactly a ringing endorsement, in terms of buyers’ perceptions of sales.
The truth is, most information security salespeople actually come from the industry, but we still get treated like outsiders. Personally, I’ve sat on standards bodies and association boards—I know the landscape very well and so do most of my peers. The majority of us have a deep understanding of current and emerging threats. And while we’ve chosen to make a career in sales that doesn’t mean we won’t one day be a fellow executive.
RULE #2: Don’t dismiss sales as a distraction.
According to a Gartner survey of more than 500 organizations, when exploring and evaluating options, 81 percent of B2B technology buyers said they most valued interaction with a technical expert, whereas only 38 percent said their most valued interaction was with a member of the sales team.
Here again, most InfoSec salespeople are industry experts. Buyers should use them as a source of free advice, context and perspective. They should use sales calls as a channel into the market—to understand available solutions and to stay current. Because even some of today’s most seasoned IS executives don’t know what information security looks like outside of their organization.
RULE #3: Don’t assume salespeople are always pushing the sale… any sale.
This point bears repeating. The majority of information security salespeople aren’t the slimy, used car salesman-type—eager to push anything on anyone. Most will quickly self-eliminate if what they’re selling is not relevant to a given buyer.
Sure, there are a few bad apples who are still selling based on fear, uncertainty, doubt (FUD) or misaligned value propositions. Buyers will be able to let down their guard against this (small) contingent if they practice a little proactive screening. Which brings us to…
RULE #4: Adopt a smarter screening process.
I know a CSO who will hang up on prospective sales partners if they don’t know who Kevin Mitnick is. Unfortunately (for the CSO), there’s a whole generation of sales that has gone by since Mitnick was arrested. It’s understandable that time-strapped executives want to weed out subpar representatives, but this is hardly the best way to establish “street cred.”
Instead, buyers should allocate an hour or two each month to evaluate the most interesting vendors that come across their desks. Buyers should research LinkedIn profiles and scout for current customer (“Who We Work With”) lists. Eventually, they’ll only spend time talking to relevant, articulate people.
RULE #5: Ask better questions.
Come up with a consistent set of interview questions. Try asking things like:
- What cool things are you seeing in the market around thread intelligence?
- What have you read lately about SIEM, artificial intelligence, etc.?
- How did I get on your prospect list?
- What makes you think my organization can benefit from your product/service?
RULE #6 (for vendors): Forget the FUD.
Now it’s time to focus on sales best practices, specifically for the InfoSec market. And the first rule involves FUD-free scripts. Sales should avoid any language that could be construed as:
“If you don’t buy my product, bad things are bound to happen…”
“That data breach you just experienced? My product could have prevented it…”
Really? As a sales rep, you would have to get pretty deep into a prospect company’s infrastructure to reliably make statements like these. And even if you were right, no one will be receptive to FUD anymore. In fact, some buyers will be downright suspicious.
I often tell the story of a threat intelligence sales rep whose hypothetical example and FUD-based claims made one organization think it was under attack. Calls from legal ensued. The sale was completely derailed—as was the vendor’s credibility.
RULE #7 (for vendors): Don’t be afraid to name drop.
Just as InfoSec buyers should be asking how they got on a particular vendor’s prospect list, vendors should be direct in volunteering the names of satisfied customers—especially those who are similar in size, scope, etc. Name dropping not only establishes credibility, it can serve as a relevant segue into why your new products/services are a natural fit for the buyer at hand.
RULE #8 (for vendors): Go beyond the “how;” explain why.
Information security is a unique industry in that there are myriad ways to approach a relatively small number of concerns. Success relies heavily on building a trusted relationship. Buyers are more apt to listen and trust if you can explain—not just how you solve problems like theirs—but why you and your company are invested in solving problems using your particular strategy/concept.
After multiple sales calls or product demos, functionality details (the “how”) tend to blur. But a clear explanation surrounding your approach will always be memorable.
RULE #9 (for vendors): Set yourself apart.
In industries where all vendors are selling the same suite of bells and whistles, it might be considered bad form to bring up competitors and their (inferior) bells and whistles. But the information security landscape is extremely crowded. In InfoSec, it’s essential that prospects understand why you architected your products in such a way—and where your approach is a departure from that of other candidates.
Beyond InfoSec, there are of course dozens of sales best practices that all sellers should follow. We often share our insights on sales strategy and sales process; our library of Resources contains general sales advice, too.
Ultimately, I think it’s important to keep working toward buyer and seller relationships that are cooperative and mutually constructive. In this way, good buyers can learn how to identify good sales people and vice versa. And both parties can benefit from their exchanges.