#18 – December 2020 “CISOs: What makes us buy (and what turns us off)?” | SASIG

It’s been a rotten year for everyone

CISOs and their staff have never been busier, whilst service and product suppliers have seen their traditional sales channels closed down or highly restricted in lockdown. “Relationship capital” is rapidly being exhausted, and new associations have become difficult to establish, leading to ever more desperate attempts by sales teams to reach out. CISOs constantly report being overwhelmed by the tsunami of cold calls and clumsy pitches; many refuse to answer their phones to anyone, and their inboxes become clogged up with unsolicited emails.


This divide between these two “sides” – users and vendors – has only widened and deepened during the Covid-19 crisis. What can we do to bridge this gap?


What turns us off?

Effective security strategies will always depend on the very best of products and services, so what can we do to bridge this gulf?
SASIG celebrates its 200th lockdown webinar this week. Since March, more than 13,000 visitors have enjoyed our daily meetings. One of the most fascinating and revealing lockdown topics has been “What makes us buy?” (and conversely, what turns us off). CISOs and their teams from organisations of every size and sector expressed their views and gave positive suggestions about helping resolve this dilemma. Some notable quotes have included:
  • “Covid is not a sales opportunity. If you haven’t bothered to approach us before, then now is certainly not the time”.
  • “The pandemic has pushed us to the limits. We are only buying from those suppliers we already know.”
  • “Personal relationships with vendors (and thus a level of established trust) are vital.”
  • “We don’t have time to build new relationships. We’re only buying from those we already know and trust.”
  • “At the moment we will only buy from those suppliers we already know and trust, even if their solutions are more expensive and/or less effective.”
  • “CISOs focus on threats, not solutions. We identify our needs and then look for appropriate solutions – not the other way round! The salesperson has the solution, they try to convince us we need it regardless.”
  • “Suppliers often come with the button and try to persuade us to have a coat made to match.”


The pressures on everyone are clear to see. It’s human nature, when we’re under stress, to withdraw to trusted ground and that’s clearly what’s happening here.


What makes us buy?

So, how do vendors overcome the Catch-22 situation of not being able to build a trusted relationship because they don’t already have a trusted relationship? To this end, CISOs also made a host of helpful suggestions about how suppliers old and new might better court them now and into the future:
  • Vendors hassling CISOs with endless cold calling/cold emails just won’t work. Indeed, this is counter-productive.
  • Stay real. Don’t promise the world. Vendors who claim they have all the solutions to all the CISO’s problems, from end to end, and that they’ll take care of everything – well, this just doesn’t ring true because it simply isn’t true, and it’s an instant turn-off.
  • Vendors should show they’ve researched the prospect’s needs and resources. They should propose solutions that address these needs and can be provided within the client’s constraints.
  • Build on a small initial assignment to prove your worth, show reliability and build trust.
  • CISOs will speak to their peers and ask for recommendations about who they’ve used to resolve a challenge. They will also keep an eye on the changing threat landscape to try to anticipate problems/solutions.
  • It’s not just about a product/solution’s cost and performance, it’s also a matter of the supplier’s resilience and stability. How good a partner a vendor will become over time is an important element in the choices to be made.
  • Case studies are gold dust. Reference sites are vital. (Conversely, there is often a place for vendors to agree “sweetheart” deals in return for references.)
  • CISOs keep an eye on private investors and look for where the new money is being invested; this is a great indicator of good products/innovations/start-ups. Ditto, sweetheart deals to introduce new technologies/start-ups/early adopters.
  • Return on Investment (ROI) is essential, but also tough to measure and prove. This is where strategy comes up against point solutions, and where short and longer-term benefits collide. Inevitably, purchasing judgements become subjective and “soft ROI” (benefits seen in less tangible ways) comes into play (e.g. financial vs reputational costs).


Vendors and suppliers would do well to recognise the motivation by CISOs to protect their own positions/reputations, and to help CISOs show success. The focus should not always be on preventing loss, but on enabling business growth and success – this will help the CISO to justify spend.


The SASIG way of doing things

SASIG is privileged to work with a number of supply-side organisations – our Supporters. They already understand much of the above, and respect completely SASIG’s “no sales” rule.


SASIG Support is strictly limited and by invitation only. Our Supporters have been selected for their integrity and maturity as well as the effectiveness and innovation of their propositions. Supporters all sign up to SASIG’s strict Charter. They are not given access to the membership details, nor are they permitted to market or promote products or services to the SASIG community. But Supporters are free to exploit responsibly and tactfully all introductions made and opportunities encountered via their SASIG activities, in a manner that protects the SASIG spirit.


SASIG Support is an opportunity for a vendor/consultancy to raise its brand, to foster contacts with existing clients and prospects, and to develop over time those direct and trusted relationships with user organisations that will inevitably lead to business. Supporters are within the SASIG “circle of trust”, a position highly valued and respected by each of them, and in the current Covid-19 context they have been able to interact regularly with the membership. Of our 200 lockdown webinars, our Supporters have between them run nearly half. All have been hugely welcomed by the membership, and so those barriers between vendor and user have been dissolved.


This is, I believe, how it should be done. It takes longer, but the results are worth the wait. It’s about growing oak trees, not pine trees. It’s about less haste, more speed. It’s about softly softly catchee monkey. It’s about cooking your porridge slowly.


Oh, and please be kind to salespeople, they are humans too

At SASIG, I have always maintained that vendors are not the CISO’s enemy, even though some may occasionally behave so. Similarly, I see that some CISOs become understandably defensive and discourteous as they react to the onslaught of approaches.


In my last blog on courtesy, I point out that whether we are part of the CISO community or work within a vendor or supply organisation, we are all part of the same continuum. We all contribute to the protection and resilience of UK plc whichever side of the so-called “divide” we sit. Most of us, in whatever role we occupy, are highly professional and talented in our own rights and we all deserve respect. So, as a special plea, can we all try to be nicer to each other, including those who reach out to us for whatever reason? Let’s try and show compassion and tenderness towards all our fellow professionals. It costs nothing.


To comment on this blog, visit Martin’s LinkedIn article here

Read more of Martin's Log

Thank you for reading my blogs. I’m getting quite old now, and hopefully I’m a little wiser than I once was. I have enjoyed a fascinating career full of fascinating people, and made many great friendships. I’ve made huge errors in my lifetime, and enjoyed great success too – it’s been the ultimate game of snakes and ladders - up and down, round and round. It is my privilege to share some of my stories with you, and describe some of the lessons I’ve learned in the hope that it may both save you from falling into the same holes, and help you in your careers and lives. Good luck and good fortune.
