Top Ten Rules for a Successful Cyber Security Sales Pitch

“The rules we have set down here are not mere theories or guess work. They work like magic. Incredible as it sounds, I have seen the application of these principles literally revolutionize the lives of many people.”

These inspiring words were penned four score years ago by the greatest of all success coaches, Dale Carnegie. If you’re one of the eleven people yet to read “How to Win Friends and Influence People,” then stop what you’re doing now and rush to the nearest bookstore for a copy. (As a print traditionalist, it seems weird to suggest that you rush to your nearest iPad to download a copy, but I guess that would be OK too.)

The reason for invoking the Master is that I’ve spent decades in a human laboratory not unlike Carnegie’s, toward establishing some basic principles. But unlike Carnegie’s work on human behavior, my work has been a tad more gear-head. That is, over the past three decades, I’ve witnessed as many sales pitches on cyber security as any person alive. And from that experience, I have drawn some forceful conclusions.

First, you should know that as an early CISO – probably the second one in our industry after my friend Steve Katz – I have been pitched on virtually every cyber security product invented since the mid-1980s. My present role as an industry analyst affords me the opportunity to continue this process. In fact, a typical day for me involves no fewer than five private interviews with security companies to learn of their offerings.

What I’ve absorbed from this work is that every company approaches that critical first step – the Cyber Security Sales Pitch – in its own unique manner. Some will start with doom-and-gloom attack statistics, while others reference obscure requirements in RFCs. Some brag about their association with famous “Meet the Press” guests, while others use Gartner charts to prove that your current vendor is a worthless bottom feeder.

Now, I wish I could scientifically prove to you which sales techniques work. I wish I’d developed some data analytic tool for correlating sales pitch approaches with market success. But I haven’t – so you have every right to stop reading here. I have, however, given this sales-to-success correlation years of detailed thought, and I believe that I’ve discovered certain techniques that work like magic, to use Dale Carnegie’s words.

Below are my Top Ten Rules for a Successful Cyber Security Sales Pitch. They are offered here simply to help you. Dale Carnegie once claimed the nobility of directing actions toward “adding to the sum total of human happiness.” And that is my intent here: If you were my daughter, or my best friend, or my VP of Sales, then these would be my Top Ten suggestions for how to improve your cyber security sales pitch:

Rule 1: Delete the first three charts in your presentation. I have absolutely no idea what your first three charts contain, but I guarantee that your presentation will be better off without them. In fact, better yet, lose the entire presentation. Human beings having a normal conversation should not need bullets to keep things on track. But if you need the crutch, then at least start on Chart 4.

Rule 2: Tailor your pitch to the audience. Every security team is different, so the idea that the “standard pitch” will work for everyone is a mistake. It should be obvious, for example, that Wells Fargo will respond differently to statements than Uber. So, take the time to include references to applicable regulations, previous incidents, geographic considerations, and so on. This seems obvious, and yet is almost never done.

Rule 3: Research the specific people you are pitching. As a corollary to Rule 2, research the individuals you are pitching. The likelihood that someone you are pitching gave a talk on YouTube is 100% these days. And how about this: start your sales pitch by asking permission to include a link on your corporate website to that presentation. It's a lovely win-win gesture, and yet, no vendor has ever suggested this to me. (OK, stop laughing. I know my presentations can be dull.)

Rule 4: Green fields do not exist. Regardless of who you are pitching, they already have a SIEM. And they already have a DMZ. And authentication. And compliance. So, please stop wasting everyone's time on how your product portfolio umbrella covers the entire enterprise. Instead, show how your solution integrates into an existing mess.

Rule 5: Replace brochures with technical papers. Stop using color brochures as leave-behinds. Instead, ask your CTO to create technical reports in two-column IEEE style (look it up). Leave these papers after your next pitch as a show of respect for the intelligence of your customer. Even if your customer asks for a brochure, don’t do it.

Rule 6: Stop the customer name dropping. You sound ridiculous when you brag that Citi and JPMC love your product. These folks are our friends and we talk to them frequently. And I’ll bet you ten dinners that they will chuckle at your sales claim, even if they really do love your product. Also, get rid of that logo chart. It freaks us out.

Rule 7: Stop saying your product would have saved Target. You also sound ridiculous when you make this claim because ten other vendors just told us the same thing. Even if you are certain this is true, don’t say it. Let us have the pleasure of making that determination in our own mind.

Rule 8: Stop saying security teams are doing a bad job. This is a big one for start-ups, because they modify their successful VC funding pitch into an unsuccessful sales pitch. Funding sources won’t flinch when you highlight the bad job some CISOs are doing, but this is a terrible sales message for enterprise security teams. Again, it is our friends you are criticizing.

Rule 9: Make it easy to buy your product. Enter every sales pitch with a prepared contract and invoice, printed out and pre-signed by your senior management team and ready for customer signature. Make the process of buying so simple and easy that all it takes is a signature under the yellow highlighted line. (Read Frank Bettger's "How I Raised Myself from Failure to Success in Selling" to learn more about this method.)

Rule 10: Remember what cyber security is all about. When you are between sentences in your next sales pitch, pause to remember what this whole thing is all about: Enterprise security teams are protecting society. They are the good guys who keep essential services, critical infrastructure, and the fabric of our lives working and available. Remember this fact, and it will serve as a useful backdrop: you, too, are part of this noble process.

Now, I am fully aware that the sales process is much more involved than a simple pitch. Successful relationship building, good solution performance, and careful nurturing of any engagement are all considerably more complex than a simple interview. That said, I think you must agree that the process starts with that first impression – that initial pitch. Get it wrong and you are pinned on your own goal line.

And I am also aware that if your product is a piece of junk that doesn’t work, or if your CEO exists on the integrity scale somewhere between used car salesman and US Senator (sorry, I couldn’t resist), then you should find another job. But if the basics are in place from a product, service, and operational perspective, then the quality of your sales pitch will be directly proportional to the quality of your future.

With that, I guess I’ll just plan to dial in at 2:00PM EST for our product review this afternoon. I’ll be listening carefully to your pitch, to see if you were listening to mine. Good luck!