1 hour 12 minutes
This course is powered by Sai Buri for teams. Security leaders encounter new workforce challenges daily Cyber A for teams helps organizations build a cybersecurity enabled workforce to tackle new challenges, handles security incidents and prevent data breaches. If you'd like to learn more and see how other security leaders like yourself
are utilizing Sai Buri for teams,
you can schedule a free demo in the link below or search business in the navigation bar.
Okay, Thanks. Um you know, this is a controversial piece here. This is a little different than we usually do in a leadership course.
Um, one tell a little story. When I was a kid, I remember there was somebody into my neighborhood
who seemed to know how to do like magic tricks. I don't know how he learned, but he's pretty good at it
and he would show us how they worked. And I remember being fascinated that I got to see how these tricks worked. Like I could see that there was a trick inside the trick
and it actually made me enjoy magic more. I mean, I don't know magic, but but I I liked knowing how they worked on the magician's hated that
they don't like anybody telling the tricks.
In a sense, that's what this next hour is going today. So I know most of you
don't sell and market cybersecurity for living. Most of you are
on the practitioner side. We've looked Onda a good chunk of you. Really? Don't you have this more done to you?
And I thought long and hard thought Do I want to include this module? Because we could include anything.
It occurred to me that this is done to most of you so much
that it would be
on the on the weak side, a little useful on the strong side, Very cathartic, very useful to see how it's done and what the tick tips and techniques are. I actually train and teach
professionals on how to do this. Um,
weird as it sounds, I actually pretty good at
selling. I used to be a fuller brush. It was a little kid. I've had businesses my whole life of own retail businesses. Um
was a developer at 18 t but rose to be one of the 100 people running the whole place. I'm really, really good at selling,
so I've been ableto learn how this works. And it's one of the things that I do with clients. So I thought you might enjoy this. This is different if you do sell on, and then there's a lot of a dual effect. Maybe they'll find some tip here. That is useful. Aziz, you go off in South.
I suspect that's how this is like one of these. Uh,
there's 26 tips here.
But if you're somebody, this is done to,
like always having people call you and you wonder what in the heck is going on. This might help you because it is a big part of our lives having vendors,
commercial vendors, you know, market to us and try to sell to us. You like Leo DiCaprio here, you know, with pen,
you know, sell me this pen.
so I thought it would be useful. I hope it's a good hour for you that I I find that these things to be very fascinating on. Like I said, if you're on the other end of it having it done to you, then this should be useful. Remember this all sort of started like
selling security and selling on the Internet with Canter and Siegel. If you haven't seen this book,
it's a good one to go buy on eBay or Amazon or something. This was the book
that introduced kind of spam selling to the Internet.
Um, I have, ah, original copy of this book because I remember when it came out I bought it. But I was really mad at them that, you know, in the early nineties that they'd even suggested
that are beautiful. Internet could be modeled by somebody selling. There's just so interesting at the time, and now it's historically pretty significant. So just annoy Artifact here might be worth going, and buying yourself copy is really, really, really historically significant. Thio. Look at the
how these two attorneys were out marketing, you know, first used that and
and eventually the email. But you know, really quite interesting. Now this is the, I think, the patron saint
of how to market and sell. And that's Dale Carnegie, who teaches all of us that
we should learn
to look at things from the other person's perspective.
And when you have a sales person calling on you, they're probably trying to do that about you. Like they probably looked you up on LinkedIn. They looked and read some of your posts. They've watched you on some video trying to think through. Who are you and how can I win you to my way of thinking
that is being done to you?
You've never thought about this?
Um, if you're c So a deputy CSO in charge of something, you're on a lot of sales list somewhere. And people are trying desperately to win you to their graces. Take advantage of that. What the heck? You could make some nice friends. I've I've been sort of in a more of, ah,
a teaching and advisory and consultation of role since leaving Telkom.
But I made some lifelong friends, you know, really sincere friends. Sales people go figure right. I know most people don't do that. They have them put these shields and antibodies to sales people calling on them almost a ziff. They're doing something mean, but they're not. They're trying to share with your solution they believe in,
and they're trying to win you over to their way of thinking by maybe becoming your friend. And it is usually sincere. Salespeople
are extroverts developers. Um, you know, firewall administrators you know, people like me, you're usually not extroverts. You know, we're probably a little bit harder to get a hold of, and that creates a bit of a communications gap. But recognize that this book, how to Win Friends and Influence people, really is the most
sales tool. And anybody doing selling is handed this book and shown that you better look at things from your customer's perspective. If you're just a manager, you just want to be a nice person. I think it's one of the greatest books ever written, so you should get one. There's a
a post I made a couple of years ago about it three years ago. Here's the sales process that's done to you or that you do to others, and I say do in a more active and congenial sense. I don't mean this in a violent way. We're doing something to you but recognize that there's canvassing that goes on
people always looking for lists of names and so on. So when you join something or go somewhere, attend something, your name is being logged. It's not a bad thing, but recognize that others are keeping track of who's doing what?
And that's where they then in phase two will engaged to see if your potential buyer And if you are great, they're gonna, you know, send Cem solicitation and try and get you do PFC or something. Phase three is customizing that to a deal, you know, convincing you that
what they do, because cybersecurity is very customized thing.
There are too many off the shelf solutions that air just sold, as is very few. Um, then they're going to try and close the deal with you, and then they're gonna build a relationship. They're going to evangelize you within company within their vendor. There you are. Now there,
their customer. This goes on all the time. Andi, understanding it
will make you a better security executive. And again, if you do this than this should
totally resonate. So what I want to do is I've got these 26 tips. I think we'll spend something like a couple minutes on each one and then doing math
that gets us to the top of the hour. So I'll yak about each one a little bit.
Try and talk the purpose. The pros and cons and also present the selling perspective and also the being sold to perspective. Okay, And if you do sales, take out your pencil paper because out of these 26 maybe one or two or three of them are things that you you feel like you're not doing, and it might help
increase your sales support.
And if you're on the other end, also take out your pencil paper because if you see it coming inbound, it helps to understand where it's coming from. And it's not sinister. Well, if there's one thing I hope that comes out for all of you on this call in this hour,
it's that the selling process really is about someone who sincerely wants to help you solve
and believes in their solution would like to share it with you and feels like the engagement can result in you having a better career system life
on for them. It za livelihood.
So I do hope for those of you who may be dislike the sales process that may be a little bit of insight here will lead you to perhaps,
um, dislike it less eso. Let's see what let's let's go through it and you guys tell me what you think.
First thing is
a great place to market
is to auditors.
Now, nobody does this. Um, you know properly, I think there are a few vendors that dio I think there's some people on this call.
You know, we've got about 120 or so who are listening here.
Pretty sure there's a least 10% of you that would call yourselves part of the audit community,
and you should recognize that you have great influence. There is not an enterprise security practitioner on the planet
who has not been pushed to do a particular thing. Put some sort of separation into a data center for PC I or introduce some sort of software security tool because of the CS controls. Or, you know, have to go out and do business with a privilege management company because they've got deficiencies in nest or thes air
related issues that become findings. The findings have to be closed, and those findings, in many cases air pretty subjective. If you're an auditor, you know darn well that, just like an NFL referee could call holding on every single running play,
you could probably
find deficiencies and weaknesses and almost everything you look at, You know that's true.
And what happens is you pick the ones that are a little bit more important are the ones that you have more familiarity with. So let's say you're somebody selling breach and attack simulation continuous validation.
You know that auditors have not typically included that in their findings. That's rare.
So how do you get them to do that? You market to them. You teach them. You explain, you provide collateral. You join Isis, aka you offer to give free seminars. You don't so it. When were coaching cyber security teams toe have more influence? We always start by saying, If you don't know what auditors dio
and if you're not taking some time to help them understand,
you're probably not doing it right. That's a that's important. Let's see a real quick one. Is anybody having trouble with poor sound? There's a couple of people saying they're having some sound if you just go into the chat and Iran is having a little issue. But hopefully,
um, the other I see some others were seeing Okay, sounds good. Let me know if there's an issue, but I think I've got my headset on. I've learned not to talk into my computer, but rather to use
physical wires. It's usually a little better. So so again, the audit community, if you're part of it,
recognize that for you to say, Well, nobody audits to me because I mean I mean, nobody markets because I'm in order That is false. The better organizations understand that you have great influence now. Similarly, boards have influenced boards, don't manage boards, provide governance. But here's where aboard has influence.
I can't tell you how many times I've been presenting the boards, and I bet if there's like a Guinness Book of World Records category for presenting cybersecurity two boards. I'm putting my name in there. I think I've probably done a ZMA much any any of those present, because when I worked in Telkom you
I was out doing it for free. So it was either pay somebody
or you call your carrier in demand. I had to get on some plane and go talk to the board of you know, X y Z or and I always did it.
But what I found was it was always like these sheets of paper that were ripped out of like, You see this magazine sitting here that happens to be New Yorker, but maybe Forbes behind it, where there be an article on cyber and the board member rips, tears it out and says, Hey, have you ever heard of, um, silence
and you go? Well, that's its silence. And yes, they haven't blah blah.
And then immediately, you better have an answer. You better have done a POC or, you know they are whatever. When boards mentioned specific companies, it reverberates through the security team.
It almost becomes a prescription that you better be doing something because it was mentioned. I know that sounds insane,
but it's true
when a company is brought up at a board meeting, there better be something going on. So that means so that the idea of having board members know who you are
and maybe mentioned it to the security team
and maybe have some learning around that is important. So, you know, uh so joining N a. C d. Finding ways to get your message to board members thes air all marketing techniques that are used when a board member mentions a company. It's because they were exposed to that company,
which means the company put their name in a place that would expose to the board, which means somebody had the idea that they ought to do that.
And if none of it is by accident, 100% plan and when you hear it, you know that somebody's done it and they knew what they were doing. This is called marketing and selling, so you should know that these things were not serendipitous. It's not by accident. There's no such thing as accidents in this business. It's
marketing toe aboard, and similarly, there are the analysts. This is my little team, you know, we have influence. You know Gartner and Forster. God, God bless them. They have a lot of influence,
you know, when they put you in their quadrants or waves or whatever. So you really do have to get the analysts agree. When you go to a movie
and you're you know you're standing in line and you're picking what movie and your your wife from spouse or looking?
What we'll do is we'll look at some reviews, and if the reviews were terrible, we don't go, and I understand social media has more of sort of a proud effect to that. But there are some critics that I listened to, and if they hate something, I don't go.
So the analysts, in some sense they're sort of like the critics
in cybersecurity. My team, we try not to be negative, but when were very positive,
Um, that that stands very much in contrast when we're more silent.
So we've just moved the scale up. We never saying mean about anybody, but we will be a little bit more silent when we think something is not, for example, rooted in the correct belief structure.
I have a bias personally toward businesses that are run by by those who've committed their life to to cybersecurity. I like toe do business with that, and you'll see that coming up a little bit. But again, marketing to sort of analysts is important. And then the last, the fourth of the influence, uh, is a students like it always amazes me
cybersecurity vendors actually go and talk to graduate students. You guys all know that my whole life I'm teaching it Stevens and why you were essentially full time the last four years. Um and and and rooted in the academic community. We have meetings and group
like student group activities.
There's no vendors there. We have to chip in to buy pizza. There's nothing your little vendor or something. And there's a 40 or 50 person I Tripoli group and they're looking at, you know, ah, hacking and and how you do offense and your let's see your bug bounty vendor. Would you explain to me why you're not buying the pizza for that?
Maybe you're just ignorant to the fact that it's happening, but it's not hard to find out.
You know, there's computer science departments all around the world
that would love
to have a relationship with a vendor, just buys the pizza for a party, and then they'll put the logo up and everybody will remember that you bought the pizza blah, blah, blah. You get the point.
So the first four of my 26 tips here are things that you should recognize are not by accident. When they're done properly, and when you're on the end of this,
it can actually feel pretty good. Like I mentioned, auditors not typically marketed do boards, usually often Luddite, and it's a little hard to market to them, but I'm suing a little better A ZAY said the analysts and students, these air I get that you're gonna market to the sea. So I get that I understand it to the security team.
But these air indirect
ways of influencing the purchase decisions. So these air things that go on right now at every cybersecurity vendor, when you are wandering around RSA and you see those thousands of vendors, they're thinking through these things and if they're doing it right, they're not ignoring these first four influence groups. So I hope that's something
you know, again, I suspect that some of you, you know, do this for a living, and I think it would be a big mistake.
Not Thio. Not not to be doing this. I see a couple of the comments here in agreement. Let's now let's look at what
a couple of other things here that I think are important
if you are a cyber security company
and that means you have I t infrastructure and you have threats and you see, this is somebody eating their own dog food here.
It amazes may
when I don't see a security team
working at the security vendor. Now it doesn't have to be 100 people,
but, you know, when I found that they don't really have a security team, what do you believe in this or not?
Especially it's a bigger company.
The last who's you see something they don't have one. You think really,
you know, isn't the whole point here believing in what you're talking about or like not using their product. There's one very large company I used to buy a lot of cybersecurity stuff from, and when I went to go visit their see So
to compare notes on how she was using or not using the products, I found that they were not using them.
So their vendor
and they weren't using their own products. That didn't reflect very well on the sales and marketing process.
So you slip your own your vendor or if your buyer
asked to meet the chief information security officer for the company selling to you
and chat with that person, a person should understand their own product. It should be running in their infrastructure should be something that they depend on, and I understand that if you're a cyber security company selling you know, some big government thing in your little company. It may not be applicable. There's not always perfect.
But if you sell a tool and you have a team and infrastructure, there should be somebody who's actually curating and using that tool you can chain and the beauty that is part of the whole selling process. Here, having internal person Who's the expert
who knows how the tool works. It's crazy not to do that. So I hope if you're part of a vendor,
then you don't have a seaside, go higher one and and have that person really learn your product
that the next thing is that if you're in selling
and where if you're being sold to,
you should recognize that this is not an exchange. We're not selling party goods here,
right? We're not creating entertainment.
This is we're building
infrastructure products, systems, platforms that stop threats that potentially can cause safety or in life critical events to occur.
This is this is an important thing we're doing here like think about all this concept of hacking again anybody in like in the in our public discourse, we would all reference hacking is this thing is very present in our lives as this threat that can cause problems. Well, all of you
and May and anyone in this industry, plus the people selling,
we're the ones who stop that.
So how is it that if I put on an offensive helmet to play football, I'm cool and hip and everybody knows? But if I put on a defense of helmet to play middle linebacker, suddenly
it's just not that interesting. And it's kind of boring, or it's what it's what we do, give me a break. The defense's Justus important, and the thing that really stands between our world
and some really calamity. Cyber climate is what we dio,
and the sales and marketing teams are providing us with them. Some sense the munitions or the protections or the preventive gear
in the form of firewalls and to factor and crowdsourced security and Sims and GRCs and sores all that stuff there, providing that so that we can be effective.
So everybody is working together to accomplish
an objective that should be viewed a somewhat noble again. We're not selling coconuts here. This is This is consequential activity. It is very present in our lives, and it always amazes me that people can't get,
you know, very excited to be part of this industry.
So if you're selling, marketing or being sold or marketed, Thio recognized, it's not some evil thing. Let's say you work over Lockheed Martin. You work a Raytheon, your work at the General Dynamics, and you're gonna meet a company that wants to sell you something that helps you build, say, weapons systems or some you know, some D o D related thing.
That's all part of the ecosystem. It's not considered.
Oh my gosh, Get these vendors away from me. No, they're enabling your business. They're giving you the things you need to be successful. So, please, if you're on the selling side, recognize
that this is about threat. This is not about you know you're not selling entertainment here. And if you're on the other end of it,
take the time to recognize that that person selling you may have something you need.
And you should respect that because they're bringing something that helps to complete the equation.
number seven here is there's a more whimsical one. E. Think a little break here. I have no idea what your presentation is if your sales person but just get rid of the verse three charts because I know they suck.
Um, and I don't even have to know. I don't have to look at it. I know your first three charts suck.
They probably quote the Verizon report
or they're reminding me that you know, the Gartner says you're great or
you're telling me something stupid. Probably that already know. And you see the four people sleeping here because the person briefing is putting threat process for total idiots way. We're not in a lot of industry here. When we're talking to each other, we don't have to remind each other of the obvious
When you when this is being done to you,
it can be very annoying. You know what I mean? And you should speak up. So if you're a security person and they're going through that silly front end,
make time out signal, say, Look, would you do me a favor? My good friend Ed, um, I just took his cyber recourse and he said, Would you please save us all the trouble and start on chart for please? Because chart for us where you say Now, here's our solution.
Okay? I already know who you are. I would have taken the call already. No threats or an issue. I wouldn't be doing this if I wasn't. And I don't need you to reap
Pete back to me that you can download something from the Internet that says that 50 57% of businesses have no response plan or whatever. All right, whatever. Whatever. Show me what you did jump into it that I always find that that's a much more effective thing. So So, really,
if you're on the selling side and you're gonna pick one thing to Dio,
this is the one. Get rid of those stupid, dumb power points up front that just state the obvious. Even better if you don't have any power points, how cool is it when somebody gets on a call or meet you and sits down and talks to you face to face and says, I'd like to tell you about our solution? Here's what we dio we do this Here's what we believe in.
is the thing. What do you think?
And you go. That's it, you know? Yeah. that's it. If you want more, I'll give you more. But I thought I'd just share with you what we dio.
And if it doesn't seem of interest for them, you waste your time any. But I thought I'd share with.
That's amazing. Like I never happens. Like ever.
Um And when it does, it stands out
shows confidence shows respect. So if you can get rid of the *** power points, do it. If you can't, then at least start on chart. For
now, let's talk about these tribes. You guys all know Gary McGraw while ago, he, um what he s doing? The digital business he'd published on the tribe's,
like the different types of CSOs that we encounter. I thought it was really marvelous work.
Um, and I'm not sort of lifting his stuff here, but I'm saying these air sort of the quote unquote tribes that I see
when I'm looking at chief information security officers, but again see, so is being used as a metaphor
for the person who's making the by decision. It could be the head of incident response. It could be the senior director of compliance. It could be the
vice president of network security is whatever it ISS, you know, whatever. The whatever the position,
the person you're dealing with is going to be of a certain type. Now, here's my friend Alex.
A lot of you guys probably know used Facebook.
That's Stanford. Now he's Tech guy.
And when you talk to Alex, if you were gonna pitch on him,
you can try and sell them your SIM or something,
and he's gonna want to know how it works. And he's gonna wanna know what you built it with and whether it connects to this or that,
probably going to be less
inclined to ask you questions about how the company set up or how you support digital transformation or something.
Let's have a feeling Alex wouldn't ask you about that. So if your first three charts air on the role of digital transformation in the design of your product, Alex is gonna be yawning through that. And you should know that in Advanced Jeez, it's not hard to figure out,
right. I mean,
he's every book he's, he says. They're not wallflowers. They do video, they go to conferences. They state their opinion. It's easy to figure out that he's. This guy's gonna resonate with Tech more than more than with other stuff. So that's one of the tribes.
Here's a seconds drag Frohlich amazingly capable executive.
Um, I would think it possible knowing Craig
he could be the CEO of Bank of America. Well, if I was on their board,
I'd be lobbying cause I think it's amazing, knows the company's personable, it's capable, knows cybersecurity. That helps but knows the business. So if you sit down with Craig,
he knows business. He's a financial services executive that you feel Venable similar. You know, guys really smart.
They're not just there as gearheads to hear about your platform. They probably want to understand your business model. Probably want to understand,
you know, their viability. You probably won't understand a little bit about, for example, how you support things like digital transformation. How would your product fit into the overall corporate context? You sit down with Craig and the first thing you do start showing him the underbelly of your product and what's connected to what
but probably isn't the right way to approach him, even though he could totally understand that I just have a feeling you'd be better off showing that you understand business objectives. Totally different meeting there. So does that mean, like, with these first two, Does that mean you have a sales deck now?
Now, when this is being done to you, you notice when it's a mismatch, right when they're telling you something you care about. They didn't take the time to figure out who you are. Here's another one
was my buddy Tom. Tom Harrington, former Citigroup,
law enforcement guy.
And there's a lot of people who come to cybersecurity through law, a law enforcement background. They come all the time.
They're so when you sit down with them, it's nice to connect on The concept of how your product
will work, will reduce risk and potentially bring justice
Thio, an environment that's being hired
and that that your mission as a vendor
is to make the world better and to make things safer and to reduce overall cyber risk. That's a little different message. It's a wonderful message, and it feels good when you get up against we're meeting with somebody who has that background, but you could see it. It's a different deck, right? It's a different discussion,
a different look and feel, and it's different than let's say you get up with a guy like Jim Ralph
at Mass Mutual. So Jim is a visionary. So he knows
about your product
and he knows about your four competitors,
and he's been in the industry long enough to know what's gonna make you successful or not.
And he's a much listening to how your product works as how your company work.
And this is somebody that you better do your homework on. You know, s so you're gonna get up against them, visionary. They're gonna apply a pretty tough metric against your whole thing. This is the toughest pitch of the four so far,
because this is a really industry expert and there's others. There's quite a few who
really know what they're talking about.
Andi have seen you know, many, many, many pitches, you know, the pros and cons of different companies,
Um, and you know, are gonna really BBs at all so
thes air guys that I personally find,
um, exhilarating. Like when you can get in front of someone like this. You can talk honestly about the warts in your product. You can talk about questions you might have asking their advice, asking their guidance, asking what they think is perfectly fine.
Totally different pitch and presentation than the previous three. Right? This is different, and it's even different. My friend Danny from Verizon, This is There's a lot of ops experts. This is what I think I was. My many years is a C. So,
um, and operations person, somebody's 24 7
always has three computers open in front of them When you're talking to them,
has three phones
and really wants to know
this thing you're pitching.
Is this going to ruin my life?
Like, is he gonna break stuff
when we deploy it? How long does it take to deploy? Do you have a help desk? Tell me why this thing is not gonna break my network and so on, so forth, because understand that going from power point to deployment. That's a big leap
and and they'll want to see metrics. They'll want to see support information. They want to see practical evidence
that you've done this before and that you're not going to be dropping some piece of junk
into their network because they operate it. They're not making recommendations and somebody often I t does it. And if there's a problem, it's not my problem. There quite a few security teams where it is their problem. And they're not even gonna listen to you
If it looks like you're giving them a bunch of power point nonsense without anything to back it up, give you said, right, how would you deploy this thing into Azure?
You say your cloud ready, How would you do it?
And if you don't have an answer that demonstrates some facility with azure,
then you haven't done your homework or you got the wrong person. They're pitching because they're going to see that.
See that you don't know what you're talking about and very quickly tune out and no deal. And again, when you're on the other end of this when you are in operations type, you know what I'm talking about. You know, preventers coming in saying, Oh, it's piece cake. All you do is this This this But it works worked Great.
If you're this type of C, So you're going to go?
I can't believe you just said, Just put it in. It works great. That means you've never done it e can't think of anything
from the simplest two factor authentication to the most complicated, say GRC deployment.
I can't think of anything where you just take it out of the wrapper. Put it in, plug it in. It works. That's just not how cybersecurity goes. So when vendors say that I cringe, especially when they're talking to an operations expert who really does know better than anybody who says
piece of cake, plug it in and run, it
did. They don't know what they're talking about. So again, these air sort of the point. It's fun to think these things through their many, many other tribes. But these Air five, there's probably quite a few more, but we'll leave it at that
Now. Here's one.
There is no such thing in cybersecurity as a green field.
It just don't exist.
You know it, and I ain't no it. But how? Maney vendors have no clue of that, and sales person goes in thinking that they're selling their tool. And for this wonderful, pure virgin environment where everything's fine, break no such thing.
And yet how many of them take the time
to really pre integrate with solutions that matter and I don't mean solutions that matter to them. I mean, solutions that are likely to matter to you. Like, for example, it might be pretty easy to figure out I'm just making this up. Let's say you're a metric stream
user. You like their GRC.
Maybe sit on the advisory board. You could look on the website. There's your face, you're on the advisory board
and you go in your pitching some compliance tool. And you spend three charts explaining how it integrates so nicely with Archer.
Would you explain to me why would anybody wanna listen to that? I'd be like, Well,
I don't use that.
So why you wasting your time with that? And that could have been determined. And maybe even in the lab, you could have gone in and shown that may be your thing does work with metric stream, you call them up. I've got important briefing with the bank and we take a look and then you take those three charts out
and you say, Listen, we knew we were coming here. We see that you sit on the board of Metric Stream, So this weekend we check. We integrate nicely with metric stream. God, Doesn't that sound great? You took the time, your research, the person you you showed it works. That's fantastic. That's gonna That's how you do sales. That's how somebody
it's excited to work with you. That's how you show them that you care who they are and what they're doing, not just some generic
thing. So there's a big one. If you think there's Greenfield,
then I've got a bridge in Brooklyn that I'd like to sell you.
This is a good one. You'll see that Einstein, right?
hate to break this to you
if you're in sales.
But the person you're selling to knows more than you do, probably.
So why don't you just shut up and listen Now, if you're on the other end of this, let's say you're an enterprise,
and you do know more than the vendor. At least be somewhat humble about it. But you can kind of watch, because if it looks like they're trying to tell you
things that you knew years ago and it's dumped,
that may not be the best vendor partner for you, because that's how it's gonna be. You know they're gonna be talking down to you. It'd be different if they took the time and said, Listen,
before we start here, I know we sell cloud security product. I see you're in the cloud security alliance. I see you know what you're doing. Tell me, Mary, You know I don't want toe,
you know, sort of tell you because you're the expert. Hey, why don't you tell me a little bit about how you think our product would help you?
Because I know you're an expert. Thin. Shut up
and then let Mary talk,
and you might actually learn something Mary might say.
Yeah, yeah, I'm glad to your lines. And I didn't know about you. Maybe you're selling a casby or something. I didn't know about your product.
And it's been my opinion that here, the three pros and here 33 cons. And then she talks for half a Knauer intelligently about your product.
Now, you were going to go in there and pitch her.
Ah, stupid is that she knows what she knows, what your product is,
and and she's giving you the pros and cons,
and then you can listen.
And maybe a couple of the cons don't sound so so bad
and you thank her. And that's great. And then you can go focus on the three cons she brought up.
Maybe there really aren't so bad. And there's your sales pitch now. You she laid it out for you is not nice. I mean, that's an important one.
Listen, listen to what? The sea. So is doing
sales collateral. Get rid of your glossies. They're terrible.
Everything that you provide as sales collateral should teach. I believe that to the core of my roots
that sales collateral should teach.
I know that there needs to be product specs. I get that. That's that's not how you sell like a
the data sheet on something. Yeah, you know, something needs to know. You know what the interface is? What does it work? That's fine. That's not sales collateral.
If you're using data, sheets of sales cloud a big, big mistake.
Sales collateral should teach, and this is like the greatest had ever written. It was by Louis Angle, um,
then of Merrill Lynch, Pierce, Fenner and Smith that you speak called and he wrote this full page ad. I think it may be the longest one page ad in a newspaper ever written.
It's this beautiful thing called how Stocks and Bonds were,
and and Merrill Lynch was publishing his little pamphlet,
and it lays it all out. And many people believe this was the greatest advertisement ever written.
What was it just explaining in clear, simple language?
What how stocks and bonds were.
I can't think of a better way to sell anything that you're involved in than to explain it and teach and not at these dumb, um, such and such for Dummies books.
Oh my gosh, there So vapid. Those things, like there on the table at a conference.
You know where it's this fat, but that's big type.
And there's about 1000 words on a 40 page book. It's just those air, just terrible. They're more big headings. And,
uh, I don't like books for dummies because you're not a dummy.
Um, but at least they're trying to explain one of the disparage that whatever companies doing that, I'm sure they're real nice.
But I'm just saying that, you know, teaching like we're explaining how things work, what could be better? I think again, if you're on the selling side,
get rid of the dumb, you know, glossies. I mean, a brochure that just
if you need something, is a calling card. I guess that's okay.
I even do a little bit of that. Just, you know, here, the things you talk about when it comes time to provide something that really is intended to be a sales artifact, that should be some learning.
White papers, research paper
These are all companies that
have I. This was sort of a joke t mobile here. I don't know why I put that in there, because they're not, but all the others are evolved in Been gone.
if you're gonna use logos as a vendor,
make sure you ask and get permission. Because if you don't, man, you're talking to security people. Let's get a heck of a way toe. You know, break bread with the security vendor by putting a bunch of logos up of companies. You didn't get permission, Thio use the logos for that could be quite terrible. So I hope you don't do that.
Um, if you are on the other end of this and you see a bunch of logos, I strongly recommend that you ask.
Ask the person pitching. Hey, did you get permission to use thes logos and check to see if they say they didn't,
um that I wouldn't do business with, Um I think that could be a very, very big problem. So I hope you'll depending on which end of the spectrum you're on with this one,
this could be a tricky one. Also, when a vendor tells you that their product
would have stopped,
you know, and then they name the last five big hacks that occurred. That's a really, really crummy way. Thio
Thio layout Your purpose statement.
It might have been your friend, you know, involved in that hack, and and they probably don't know all the circumstances. I've been around long enough to know that there's almost never
been a significant hacked that would be stopped by a product.
It's using a much more complex situation than a product was missing. And, gosh, if I just bought your acme widget, then shoot. You know, I wouldn't be, you know, raising my right hand in front of Congress right now apologizing Everything would have been just fine if I've been using your product, Give me a break.
You know, that's just not meaningful. Reasonable. It's not accurate.
And when a vendor does that, I think it's a It's a sign of great and maturity, so don't do it. And if you see it being done, then you should challenge that vendor on that. But this is a bad one because a lot of marketing and sales leadership teams,
you know, like to use this. You've all If you're on the practitioner, you know what I'm talking about.
The first, those first three charts that I say get rid of
a lot of them. Say now, first off, if you know God, if Home Depot and Target had only been buying our acme widget,
then we wouldn't be using them is the canonical hack examples. And that's just nonsense and just not the way
work. So So don't do this. And if it's done to you, make sure you challenge it
here. Is this important?
like to have this beautiful integrated suite of solution offerings
that makes their marketing
Like we have a complete set of solutions for you. We've got this. We got this. We got this. We got this. We got this. They all go together, and they're all thing. It connected together.
My observation is that may be fine, but what people really want is not a new integrated suite. They just want to know how your thing fits into my mess.
How does it snap into this *** I've got? Remember I said no, Greenfield,
they've got stuff already,
and you're selling something
as snap in. So when you're a buyer of this, you're sitting listening to this pitch and they show you this beautiful purpose for their company is if they're pitching their venture capital team,
ask them that. Say, is this
a power point deck
for me, the buyer? Or is this the same thing you used to get your Siri's? A funding that I read about last month
because I'm not impressed by your sweet and how smart you are and you know how everything all fits together and two coherent
platform offer. It couldn't care less. I'm just interested in this thing you have. Has it fit into my existing mess. Do you follow? That's what's going through a buyer's mind. But product managers and vendors too often confused selling to an enterprise
with selling to investors or to the market or two analysts like may
you know will come to me and they show me the integrated suite. I want to see that because I need to know all the different things they're doing. But if I was buying, I just by, you know, by what you need, you know, you go to Palo Alto Networks, you're gonna buy a thing you need not necessarily
everything that they do, You might like the domestic thing they bought. You buy it
or you might like the next generous fire away by. But you need to buy them together. Probably not. I mean, yeah, maybe they're integrated, but they were integrated before. You know, Palo Alto. What? This stuff. So you get the point. It's the interfaces that matter. And when you brag about a big, beautiful sweet
um, you know the person sitting there at the bank running the you know, the sock is not funding. Your company couldn't care less about it. By the way, also, don't brag about how much money you're making to that sock manager because that you lose the sale every time,
right? I mean, times vendors come in and talk about how they sold this company and sold that company. That's not my favorite. Deploying fast and free is something I think people should try to dio.
I've found this to be If you're on sale side, if I can get you something and deploy it quickly
potentially free like that's such concept of an unpaid uh, P O. C.
That's really powerful. Um,
and I said when I say fast, I mean fast, like not a three month deployment, whereas India's and contracts and plans and all this nonsense, If there's a way that I could be talking to you on Monday morning, I get excited. I call you back on Tuesday
on by Friday. We're making plans to push out over my tool like like McAfee p o. For examples famous
for being the vehicle of choice for pushing a lot of things to end points. I think that's how titanium got started.
So stuff like a fast free deployment really, really, really good way to sell it on your end. That's your first question to a vendor. If I like this,
what would I dio? How quickly could we get something in place? And I'm assuming I wouldn't have to pay for it. Right? And the answer to both of both of those should be We can deploy it fast. And it's not gonna cost you anything to get something tested.
Here's a big This is my friend Keith Alexander.
Hey, he was on 60 minutes, and I amount to consider my customer. But, you know, I guess could be,
remember, I texted him afterwards, and he said, thank you back. And I remember asking him, God, she must have got a barrage of text, and he sort of laughed and said, No, not really. I thought My God, how many vendors
you know, when he was at NSA were desperate to get him
to have the government by their thing.
And yet, you know, guys on 60 minutes and maybe don't have his number, but they could get him on social or get somewhere, um, doesn't have to be him. But when was the last time your customer did something and you thank them, and so that was good. I really enjoyed that text. Um, congratulations on winning
one of Marcie McCarthy's awards or congratulations. I saw your article in such and such really good job or
congratulations. So you on the security weekly podcast, I thought that was really good. I enjoyed it. Nice job. Come on, man, that's Dale Carnegie. And there's also a sincere And as somebody who does a lot of these things, I could tell you, get up and give a big giant keynote. Seems like it went really well.
Place was enjoyed it when I made a joke. They roar with laughter, Big things, every place, every thanks. My walk off And the instant I walk off I feel insecure that I bombed, for sure.
And when somebody comes up to me,
I don't care who it is. But let's say it's somebody who wants to sell me something comes up and says, Ed, that was really good. Good job. I think everybody really enjoyed that. I sell. Gosh, you don't have to say that. They walk around and I go. Oh, thank you for saying that,
Um and and that that's that's not a not buttering me up. You know? You know the difference between somebody who's just blowing smoke and being sincere,
But these air just basic human, uh, sort of interactions that I think in tech we do a very bad job of.
Here's a make sure you, when you go to conference sessions goes and listen. Look, here's when there's my friend Jon Stewart's in there his Venable says. There's another, but his mother CSOs, In here
think conferences and meetings and standards, groups and Cloud alliance and this and that. There's people that you probably sell to
who go to these meetings and they talk and they sit on panels. They just go make friends with them
and learn what they dio. If you're in sales, this should be what you do.
And if you're at these meetings and you notice vendors air there and they're participating and listening,
then you should think kindly of that vendor. They're taking the time. This is their profession. They're there to understand and learn. You shouldn't be marketing at these places. Should be attending conference sessions. That's what I mean. Attend, be there, participate, not sell, meet people. Make that. That's the idea.
Amazing how few vendors do this blows my mind. Here's a version of this,
um, on your website. Is your customers probably
pitching writing papers or something? Just a little company called capper. They're part of,
um APC eight now
And I remember they called me years ago when I was back at 18 t.
And I've written a paper in the first issue of I Tripoli Cloud Computing.
Eso is a bunch of years ago, 2015 or something.
and I wrote a paper called Practical Methods for Securing the Cloud and they liked and they asked, could I could we put this on our website? And I was like, Of course, and it's published. We just have to ask I Triple II Tripoli. Tripoli said Sure. Boom goes on the website because they paid for it. They actually pay little money to put the thing there.
How many times do you think I pointed people to this when they wanted to see the paper million times?
They said, What? Your thoughts on cloud. But listen, I wrote this paper. Where can I get it? You know capper has it on their website. I just happened to notice even though I've been there 50 times that day. So proud that my papers on their website
welcome to the basics of selling folks. This is win win. They get nice piece of content. I'm really psyched. I tell people to go download here. How many people for selling do this? Nobody. How many of you who have written things have had anybody notice? Ah, thing you've written
and actually asked that it be put on their website
for download. It never happens when it does,
so it can't be Never. If it does happen, it rarely happens when it does. It's very powerful,
so I hope you'll consider this one. I I consider this to be an important one,
asking your customer to review product again if you're selling.
This is a natural if your product manager. When was the last time you had product activity
that involved a step before announcement where you called your customers in and actually let them review the thing?
Show them what's going on, given advance view and not as a pre sell,
but I mean, really review it and take their comments into what kind of make changes based on their commentary. Like See this kid here who's commenting on this whole robot thing? Everybody in here looks like they really listening, and they're gonna say, Yeah, that's a good idea. He's saying, I think this thing should have the following
and looks like these air. These probably students doing some. They look like a bunch of college kids.
They're they're building the thing, they're listening, and they're probably going to make a change to the robot. Isn't that I love the picture, right? It's like making some suggestions. Go fix it. When did you do that last with your customer? I don't know. But, man, that's a great opportunity. Bring your customers in at design and development phase. Let him look. Let him comment. They'll do it,
you know, though, they will do it. I used to do this quite a bit when I was more practitioner. This is just a little quick one.
Always be early to every meeting and always finish early when, um,
what we do is such a structured life that we don't have time to be waiting around for some vendor on. By the way, if you're a buyer in the vendors late, just hang up and don't buy from them because they're going to do that to you again.
But if they're there three minutes in advance, you should let's say it's a two o'clock meeting and you jump in at two o'clock
and you notice that there's four people from the vendor and they're all there, and they're already Hi, Ed. Welcome. Glad you could make it. You know, we're all set here, do you? Everybody in urine
and I'll go.
Yeah, we're good. Thanks. Now, how horrible is it when I get on it? Two o'clock.
The bridge hasn't opened its their bridge. They open it a 201 And then they have to go
poke around to get the other two or three people by 204 We're starting.
Um, that's ridiculous. It's a joke. And again, if you see that as a buyer don't buy from a company that does that and if you are a vendor, don't do it now. Occasionally, stuff like that happens. Uh, maybe you get away with it once, as long as you apologize. But if you do it once, make sure your 10 minutes early for the next call.
This is maybe the most important chargeable. It's the next, the last one.
And it's it's this if you're selling or if you're buying from somebody,
you're better off dealing with people who have committed their life to it. is another picture of Keith Alexander. There's from my friend Kent, Kevin Mandia, thes air people who are not going to show up next week.
You know, marketing, you know, trips to Europe. That's not They're not gonna run a company doing that. You could do cybersecurity. They've committed to it. This is their life.
They will outsell. People just have jobs. If
cybersecurity is your job,
you will not only get out sold, you're going to get outhustled in your position because there's a lot of people like me and others on this call who've committed their life to this.
If you commit your life, you will be successful because you're you're all in. I always I always have a problem with people who say, Do everything in moderation. Think that's bad advice? I think when you do everything in moderation, then you're only gonna ever be moderately successful at anything.
I think, Yeah, I mean, when it comes to like, you know, the vices in life, Okay, but But when it comes time to pick your life's mission, don't do that in moderation. Give me a break.
Throw yourself into it, not unhelpfully, but throw into make it make it your life, make it your vocation commit.
So if you commit to cyber, you will outsell
others who just consider this. A quote unquote job
is the fact.
Now the last one is we pull up to the top of the hour. Here is just a trick,
but I really just want to show you this book.
If you do do. Selling This is my favorite sales book. Dale Carnegie's Buddy Scott played third base for the ST Louis Cardinals. Like Like 1920 or something. Awesome Guy Frank Better. And he wrote a book that I personally think is the best book ever written on selling its humble.
It's nice, but there's one technique he proposes that doesn't always translate too well
to today's virtual environment. But he just says,
If you're trying to sell something,
why not do all the paperwork, the contracts, everything sign it and then put a yellow line through where you want the customer to buy and just put everything in front of them, hand them the pen and say,
Here you go. All you have to do is sign here. We're done. I've written the contract up. I got all the terms and conditions. There's an N D. A. There. I put the pricing. We're ready to go is a nen voice. It's already if you sign here, we're done.
Like there's something amazing about that.
I have sold mawr things that way.
Then you could ever imagine. And if you ever see it done, I hope you'll notice it. Because what? That tells you that somebody took the time to prepare.
They didn't say. Oh, you like this product.
I tell you what. Let me work up a contract. Then I'll get it to you in a couple of days. And you should be thinking,
Why didn't you work it up two days ago and bring it here?
Like, if I love this, why don't you have me sign it right now? Why? Why do we have to wait two days? You didn't plan and that tells you how they're going to do everything.
But when they show up with everything done,
you shouldn't be offended by that. They're not. They're not taking license with anything. You can hand them that they go. No, no, This have to go to my boss and you go. Okay, that's fine. But here it is. And there's also an email waiting for you in your inbox right now with all the electronic versions of these things with my e signature, it's all done.
Everything that we would have done. I assumed you were gonna like this. I knew this would be a successful meeting,
so I pre worked everything. How's that sound? You get the point.
That's what this is all about. I promised you 26 points here
and let me just share I. I'm sort of watching the chat here. I can see that. You know, a lot of you are on both sides of the coin here, some people who sell. And there's also some people who are being sold to
um, like Jonathan, who totally knows this business. When it's your vocation, means your professional, He's right.
You know, you can tell the difference
between somebody who takes the time to do this right,
And somebody who doesn't
you can tell the difference. So regardless which side you're on.
I hope this was useful. Usually don't include this in the executive training for security. Usually we don't
Well, we don't focus on other topics, but I I know just discussion with the Sai Buri team. We thought Let's put this in.
Let's see how people react to it. Drop us A line dropped the Sai Buri team Align Drop me line Let me know what you think because it's not usually like I said
part of executive training but I think it's part of our lives.
So for that reason, I thought it would make good sense. Thio include here.
So we're at the top of our time together, even going over by a minute.
So what I want to do is thank you all for the comments here. I hope you really enjoyed the discussion. Looks like a lot of really good comments back and forth year amongst the group
and we'll look forward to seeing all of you next week. Same place and we'll be back to maybe a somewhat more conventional topic next week. So thanks everyone and we'll see you have a great week
IoT Product Security
This course will focus on the fundamentals of how to set up a functioning IoT ...
8 CEU/CPE Hours Available
Certificate of Completion Offered
Certified Information System Auditor (CISA)
In order to face the dynamic requirements of meeting enterprise vulnerability management challenges, this CISA ...
9 CEU/CPE Hours Available
Certificate of Completion Offered