10 Ways to Lose That Security Sale

There are few things in life more dissimilar than security practitioners and the salespeople that sell to them.  The interaction between these two groups in a professional setting often creates some pretty interesting situations.  Although it can be awkward at times, I have learned a lot from watching these interactions closely.

During my career on the operational side, I saw just about every type of salesperson you can imagine.  Those who seemed to talk endlessly.  Those that never seemed to listen to anything you said.  Those who couldn’t give you a straight answer.  Those who condescended and told you that you didn’t know what you wanted.  Those who were overly pushy.  Those who became combative when they felt like they were not going to get the deal.  Those who tried to go around you.  Those who were not receptive to feedback about their products.  And so on and so forth.  And yes, even those who were extremely talented sales professionals and were very good at their jobs.

When I moved over to the vendor side, I was, and still remain, very conscious of my own experiences on the operational side.  Although I’m not in a sales role, it is hard to be on the vendor side without being part of a large number of sales efforts (even when brought in as a technical voice).  I’ve definitely seen a wide variety of situations from this slightly different perspective.

I’d like to share some of the observations I’ve made throughout the years around behaviors that aggravate the “culture clash” between salespeople and security practitioners.  These are behaviors that may be effective on certain personality types, but are most often ineffective on security practitioners.  I present: “10 ways to lose that security sale”.

1. Be my fake buddy: Security practitioners may not be the most extroverted people in the world, but we generally have a pretty good sense for sincerity.  If you are generally interested in my life or want to be my friend, great.  But it is hard not to see right through complimenting me or faking interest in what interests me when it comes from an insincere place.  It won’t help make a sale, and worse yet, it can really put me on guard and make me put up my defenses.  Let’s keep the discussion professional.

2. Over-selling: Tell me what your product does, what problem of mine it solves, and why it’s the right choice for my organization.  Yes, it does involve quite a bit of active listening to be able to have that discussion with me.  But that’s the discussion I’m interested in having.  Turning on the verbal diarrhea stream and the over-sell won’t help in the least.

3. FUD: Fear, uncertainty, and doubt (FUD) is one of the biggest issues plaguing the security industry.  Too many vendors use the same fear-driven, sky-is-falling approach to security sales and marketing.  It might get some press or even the ear of a few, but by and large, it doesn’t resonate in the least with your target audience.  Leave the FUD at the door when you come visit me.

4. Hype and buzz: Let’s do a little test.  At this year’s RSA conference, who wants to tally up how many vendors tout their capability around “machine learning”, “artificial intelligence”, “analytics”, “blockchain”, or a number of other buzzwords?  Sure, it’s easy for a company to use these magic words to generate a bit of buzz and add to the noise, but as a salesperson, you should know better than to walk into my shop and start hurling them at me.  Unimpressive and underwhelming to say the least.

5. Inducing an allergic reaction: If you’ve ever seen someone have an allergic reaction to something, it can be rather unpleasant and very scary to say the least.  I’ve been in far too many sales meetings where I feel like the room is on the verge of this.  Security practitioners have buzzwords and marketing claims hurled at them all day, every day.  To the point where many are more or less “allergic” to them.  Inducing an allergic reaction won’t help close the deal.  Best to stick to a substantive discussion.

6. Attaching to the “item du jour”: Some salespeople like to attach themselves to the “item du jour” (e.g., ransomware) when positioning their product or making their pitch.  There are two main problems with this approach.  First, while I need to understand what your product does and where it fits within the ecosystem, chances are that I have multiple different use cases I would like to apply it to.  Second, today’s crisis will lose its luster at some point, and I need to know that the solution I am buying has broad applicability across multiple different situations that I may encounter.  If you attach to the “item du jour”, you put yourself in a very confined and restricted place.

7. Being an ambulance chaser: Don’t you love it when salespeople contact you immediately after your organization or one of your peer organizations has been in the news because of some security-related incident?  Of course not.  Coming in with a pitch like “if you had our product deployed, you would have been 100% protected” won’t win you any friends.

8. Keep talking: If you don’t leave any room in the conversation for others, how can you expect to understand what your audience finds value in, what they are most interested in, and how you might be able to help them?  Deluging your audience with an endless stream of words is a great way to lose a deal.  Less talking.  More listening.

9. Become combative: If I disagree with the points you are making or don’t believe that your product is a fit for my environment, nothing turns me off more than when you become combative.  True, I may not have bought your product regardless, but it’s a small world.  You never know where I might move on to next or if your product may become more relevant in the future.  If you come out swinging, I’ll likely not want to see you again, regardless of how much I am interested in what you proffer.

10. FoMO: Fear of missing out can be a powerful psychological force.  As security professionals, we feel enough FoMO as it is.  A salesperson that comes in trying to convince me that if I don’t go with their product, I am simply missing the boat isn’t what I need.  For sure there are some who may take the FoMO bait, but most security practitioners I know won’t.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.