Vendors want to sell you the product they have. Their approach frequently feels more like “treating symptoms” rather than diagnosing the root causes.
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is Jay Jay Davey, VP of Cyber Security Operations at Planet.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Backslash

Full Transcript
Intro
0:00.000
[David Spark] Vendors want to sell you the product they have. Their approach frequently feels more like treating symptoms rather than diagnosing root causes.
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series. And joining me for this very episode, one of your favorites, it’s Steve Zalewski. Steve, say hello to the audience.
[Steve Zalewski] Hello, audience.
[David Spark] He is very friendly, just as his voice suggests. We’re available at CISOseries.com. If you have not gone over there to listen to all of our wonderful programming, maybe you should. Our sponsor for today’s episode is Backslash, the Backslash App Graph AppSec, using a digital twin of your application.
More about just that a little bit later in the show. But first, Steve, I want to talk about today’s topic. One of the persistent issues we’ve heard over the years from CISOs is vendors are so anxious to sell you that they fail to look at underlying issues. They have less knowledge of their own product or the problems security professionals are facing.
They’re more concerned about checking boxes needed to build a relationship that’s traditionally needed for a sale. And our guest today, Jay Davey, wrote about this frustration on LinkedIn. So, Steve, we don’t want to blame all salespeople, but I’ve heard this frustration from others. What has been your experience with salespeople understanding their own product and the security professionals’ problem?
[Steve Zalewski] [Laughter] It extends beyond the salespeople to, in many cases, the founders themselves, is that they’re here to pitch technology to us, which historically has been what security is. But with 4,000 vendors, they can’t pitch us technology anymore. They have to start understanding how to own a problem, okay?
And I think that’s the transition that we’re underway. This is the frustration is they don’t want to make that transition. They just want to sell us sneakers, not realizing that what they’re really selling is an enterprise craft product. So, it’s like selling a car. We don’t buy them that often. We do a lot of research.
We have a lot of trust. Got to understand the difference.
[David Spark] Well, with that being said, let’s bring on our guest, Jay Davey. He is the VP of Cyber Security Operations over at Planet. Jay, thank you so much for joining us today.
[Jay Jay Davey] Thank you for having me on, David.
What’s the motivation to fix this problem?
2:31.661
[David Spark] Eric Silberman, Electrosoft, said, “They aren’t paid to solve your problem. They’re paid to sell a product.” That is an extraordinarily good distinction. “They only get paid when somebody buys the product. Whether or not it fixes your problem is irrelevant to them.” Jessica Weiland of IOActive said, “More than once I have told a prospect or client that I don’t believe I have the right fit, but that I’m happy to introduce them to someone who might.
To me, it’s not about the initial sale. It’s about being a meaningful contribution to the conversation and the fix. Do I hope one day I might make the sale and have the right fix? Yes, but it isn’t today. That’s okay, too.” These are two extremely good points, and I’ve heard Jessica types say that before, but while that sounds great, it doesn’t help the company’s bottom line.
And you can’t have a team of only Jessicas, can you, Steve? As great as that is.
[Steve Zalewski] [Laughter] I wish, okay? And what I say here is Eric is a hunter. Jessica is a farmer. In a sales area, those are the two styles. And more and more, to buy a security product, you have to be a farmer because there’s relationships that have to be built and an expectation of trust because CISOs now are putting their jobs on the line when they pick a product.
And so, the hunters are important because they do need to churn the mud. They need to find new prospects, folks that will be decision makers or want to be. So, there is a balance there, but I think to your point, it’s imbalanced at this point to hunters versus farmers, and we need that pendulum to move.
[David Spark] That’s a good way of putting it, hunters versus farmers. All right, Jay, you saw these responses when you first put up the post. I mean, they’re both making very cogent points, but I want to start with Eric’s comment of, they don’t get paid to solve a problem. They get paid to sell a product.
And that is not what you as a buyer want to hear.
[Jay Jay Davey] No, it’s certainly something I don’t want to hear, but at the same time, I understand it. They have a business to run. They have money to make. I understand that. And I think to the point of being a farmer, absolutely spot on. They need to understand the problems. And going back to that analogy of the car, we’re going to be using this solution for a long period of time, so it needs to be able to fit our requirements.
And our requirements have many variables in there. It’s not just a case of it’s going to do the job. It needs to fit in with our processes. It needs to fit in with our existing technology. Any integrations, they need to be aware of. There’s lots of things that they need to consider.
Is anyone happy with this solution?
5:27.870
[David Spark] Anna Liv Christensen of Nordic Compliance Partner said, “Too often, salespeople are being measured on high activities and booking meetings, and that is not helping the industry. We need to be more critical when shopping for IT. Too often, their knowledge is limited to the product and not cybersecurity.
I’m always saying to the businesses I’m working with, prepare your questions. Have a proper RFI, request for information. Make sure they can demonstrate the ROI and tell you about how they are protecting your data during the whole time you are a customer.”
Michael Rack of TryHackMe said, “Job adverts for cyber sales roles typically are more interested in SaaS sales experience versus specific cybersecurity experience, which is often just a ‘nice to have.’ That should tell you everything about how disruptive vendors are disrupting.” All right, Jay, I’ll start with you on this one.
I want to just go to the measurement of salespeople in general. When everyone complains about security sales, I say it would all change if they were measured differently. Now, how they should be measured differently, I don’t know the answer to that because it is a tough one, but people are essentially self-motivated in how they’re reaching out.
And it’s not for them individually, it’s how they’re being measured in their performance. So, do you have any idea how you think they should be measured differently?
[Jay Jay Davey] That’s a really difficult question to answer because the bottom line of sales is revenue coming through the company. But I think we need to focus on relationships. I mean, that is incredibly important. Now, I know relationships doesn’t directly convert to sales, but it’s a good foundation.
[David Spark] Well, it’s a trust-building mechanism.
[Jay Jay Davey] Yeah, it is a trust-building mechanism. I saw a salesperson the other day achieve a CISP certification. Now, I thought, this person is going out of their way to understand the very things that we do every day. And that’s incredibly important. If we go back to the car analogy, you wouldn’t want to buy a car from a car salesman that doesn’t understand the motoring industry.
It’s something that’s incredibly important to me. I don’t want to just know about the products, I want to know about how has it solved other people’s problems.
[David Spark] Steve, let me throw this one to you. We’ve actually talked about this a lot on the show, and I keep saying it’s the way they’re measured, and I wish I knew the answer. I am befuddled on finding a new way to measure salespeople where it’s more in line with how the buyers want to engage.
What do you think, Steve?
[Steve Zalewski] Until cybersecurity is not considered like selling sneakers from a sales perspective, which is it’s all just about volume. We hear it over and over again, right? Which is they’re hiring salespeople. Sales has been taught rejection comes with the business, and you just keep hammering for opportunity, and you will eventually get sales.
And what we’re saying is in the cybersecurity industry because it’s cars and not sneakers, stop trying to fill the pipeline where 99.9% of the pipeline is actually not a qualified opportunity. And understand, fill the pipeline with the 20% that will result in a sale, but it’s going to be 9 to 15 months.
And when salespeople are hired, it’s all about the Rolodex. It’s all about churn. And that’s what I mean. So, you’ve got this dichotomy here where too many security companies, just needing to fill the roles, are hiring salespeople who have been taught over and over, Sales 101, that’s it. So, that’s what I said is this hunting/farming thing is an appreciation of this particular market, and we have not been successful in getting people to understand the transition of selling cars versus sneakers here, and I don’t think we ever will because with 4,000 vendors and constant churn in the vendor mix, there is no institutional memory to move us in the right direction.
[David Spark] Let me ask you, Jay, was there some trigger that inspired this post when you got so frustrated? What was it?
[Jay Jay Davey] So, when I changed my LinkedIn title to VP of this company that I joined, all of a sudden, the floodgates opened. Just sales after sales after sales.
[David Spark] Yeah, I hear it. By the way, let me just pause you. Every time a colleague switches a CISO role or becomes a CISO, my first question is, how many? How many emails do you get that says we should set up a time to talk? Which we always joke is like CISO doesn’t know what they want when they first start a job.
But go on, Jay.
[Jay Jay Davey] Exactly. And I didn’t know anything about the environment yet. I was still finding my feet. I was still doing the HR process, so I didn’t know anything. So, how on earth am I meant to understand the problem that I’m trying to solve? I can’t relate that to the very solutions that I’d require to solve that problem.
So, I didn’t get much breathing space, which kind of paints a bit of a black mark on a lot of these organizations that are trying to push these solutions out en masse. It doesn’t give me the opportunity to breathe and think, okay, this vendor actually might fit the bill. I’m going to put them down on my little book of vendors to go back at a later date when I truly understand the problem because that’s going to help me qualify whether I need to have that conversation with a vendor or whether I can just say, “Sorry, you don’t fit our requirements.
We’re going to move on to the next one.”
Sponsor – Backslash
11:07.842
[David Spark] Before I go on any further, I do want to tell you about our absolutely spectacular sponsor, and that would be Backslash. So, let me ask you a question. Are you unhappy with your AppSec tools and processes? I mean, we talk about this all the time on this show. It doesn’t seem to be any one that does it all.
And is your team fatigued from endless false positives? Most are. Are you finding it hard to convey the urgency and relevance of findings to developers creating essentially unnecessary friction and frustration? If I’m speaking your language, you got to listen right now. If you answered yes to any of these questions, you’re not alone.
I know you’re not because we talk about this all the time. Application security is in a rut because while the world of software development has progressed by leaps and bounds, facing even more disruption with the use of AI-assisted coding, AppSec tools are having a hard time catching up. And piling on more features onto existing tools will just lead to more of the same, that being frustration.
But Backslash is here to change all of that. With a completely fresh approach, Backslash models your application, creating a digital twin of your code using an AI-enabled App Graph. It then uses this model to traverse the code, finding vulnerabilities that are, listen to this, both reachable and triggerable.
And then it categorizes those findings into human understandable business processes, thus allowing developers to simulate the security impact of updates. This is the core to it all. So, organizations are looking to modernize their AppSec use Backslash to dramatically improve their efficiency and eliminate the frustration caused by legacy SAST and SCA tools.
You need to learn more about this. Go to their website. It’s backslash.security. Just go to backslash.security and you’ll see more.
What’s the ROI?
13:14.303
[David Spark] Murray Pearce of Bright Cyber said, “We see an emphasis for customers getting what they already have aligned and working properly. The industry needs to grow up and support this thinking. The days of easy money for product sales are over.” Well, there you go. That’s some strong talk, Murray.
Murray goes on to say, “There are vendors and salespeople who are on the right side of this movement, understanding context, and even prepared to let go of a sale/renewal if it doesn’t align with their client’s best interest,” like what Jessica said. Murray goes on to say, “Understanding we sell trust first.
Integrity matters for long-term successful business relationships.” I mean, there’s nothing wrong about what Murray just said there.
Dean Fuller of Obtain IT said, “I’ve seen firsthand that the majority of organizations do not invest in their staff to attend conferences or meet-ups because they don’t see the immediate ROI on what can often be expensive trips.” Now he goes on, he says, “However, I see the value in building relationships.” And then Dean says, “It works the same way for a lot of vendors.
The only salespeople they send to conferences are SDRs to man the stall or the VPs/directors to dine and schmooze clients.” In general, and by the way, I will also say this about like I was at the Black Hat, Steve.
[Steve Zalewski] Mm-hmm.
[David Spark] So many companies take pride in like we have so many more women working in cybersecurity. And I go, “Well, you’re not sending them to Black Hat. I’ll tell you that much.” This is the thing. If you want people to grow, they need to engage with the outside community. Steve, yes?
[Steve Zalewski] Yes. And the other half of that too, David, is have they also been trained to understand the problem they’re solving, not to be able to stand there and click through the screens of the product. If you’re going to add more women, that’s awesome. Where are they? And are you actually training, from a diversity perspective, all of your staff to understand the diversity of what we as CISOs need on how to sell your product?
And you go, that’s where the whole thing falls down again because they’re ultimately just salespeople and they stop the training at the here’s how you sell sneakers, right? And it’s like that’s what’s so frustrating. And you see here is how do we break through? The ways that selling is being done in cybersecurity, we are adapting to it a little bit, right?
We as CISOs are simply saying that’s as good as it gets, and we’re complaining about it because we want to get it better, but we are also lowering our standards and simply understanding this is the way the game is played.
[David Spark] But let me ask you this question, Steve. And this even goes before in cybersecurity, I would hear cybersecurity pitches, it was just technical pitches as well all the time, is that I would get a salesperson that would pitch me, and it was the most surface-level pitch. It’s all roses and puppies and there’s nothing that could be negative and there’s no actual conversation.
And so, when you start to actually ask questions, they literally do not know an answer to anything. And when I mean anything, nothing. And I get a lot of this, “Oh, we’ll get back to you.” In all the meetings I ever had, no one ever got back to me. I’m wondering what’s the best you’ve had with – and I can’t expect someone young just learning to know everything – what’s the best experience you’ve had when someone didn’t know the answer and they did get back to you?
Have you had that, Steve?
[Steve Zalewski] The really good ones, like if you’re on the floor or you’re there, they walk over and find somebody who’s more qualified to answer. If it’s a qualified lead, you escalate right now. You get them in front of somebody else because you did your job of meet and greet, move them over. And I can appreciate that, right?
To who on the floor actually knows what they’re talking about. Outside of that, if you’re somewhere else where they don’t, that’s actually the first test of trust. Because if they don’t get back to you, I’ve, in essence, blacklisted that company. And so, they don’t realize just how much damage they did to the likelihood that I’ll ever reengage with them.
[David Spark] I’ll tell you, something that used to happen, and I haven’t had this happen in a long time, but I would be talking to someone at a trade show and they’d be demoing their product to me. I often have a press badge and it’s pretty clear that I’m with the press. And their PR person goes – and I’m already engaged in conversation, it’s actually going well – and the press person goes, “Oh, no, no.
You don’t want to talk to that person,” and they’ll want to tear me away. And I get really pissed at the PR person. I go, “We’re doing fine here. Go away.” Nothing’s more insulting. And I go, “If you truly believe that, you should not have put that person on the floor.” All right, Jay, I’m throwing this to you in terms of people not knowing, how do they handle your questions when they don’t know?
[Jay Jay Davey] So, like Steve, I’ve seen it firsthand where, at a conference, I would ask them a very difficult question, and sometimes I do it on purpose, and they will go and collar the person who has the ability to answer that question, which is a great experience. But to the remote working world, that’s a little bit difficult.
So, often, I ask the difficult questions, and I get back, “Oh, we’ll get back to you with that. We’ll get back to you with the answer to that one.”
[David Spark] Have they ever gotten back to you?
[Jay Jay Davey] No, I’ve never, ever had a return on the questions I ask.
[Steve Zalewski] They’ll scan your badge, “Here, let me scan your badge and we’ll get back to you,” right?
[David Spark] Yeah, we’ll get back to you with you’re on our list now. That’s how we got back to you. And you can dig through and find the answer somewhere. Maybe it’ll be there. Who knows?
What are the best practices?
18:52.210
[David Spark] Eliza-May Austin of th4ts3cur1ty.company, and that is one of the most bizarre spellings of a company I’ve ever seen. I will not do that for you, the listening audience. But Eliza says, “Sounds nothing like us. We’re more like doctors looking for comorbidities so symptoms can be viewed as a wider picture.
You can go to a doctor for a headache and get a pointless recommendation for painkillers, or you can speak to a doctor with an open mind, some longevity, and actual knowledge. Many times, people come to us with a complaint about a cybersecurity headache. What they’ve actually got is a culture problem that requires more support than a report telling them what they know they need already but maybe don’t have the means to execute.” So, let me ask you, Jay, have you talked to vendors that act like doctors looking for comorbidities?
[Jay Jay Davey] I have. Now, I have. A recent experience of a certain vendor that shall not be named who was touting that they have the solution to all of my problems. The opportunity arose and I asked them, “What are my problems, out of curiosity?” And they instantly came back with, “Let’s jump on a 15-minute call.” And I was just quite taken aback by it because it was quite a brazen approach that they had, and I thought, well, if you have the solution to my problems, you must know what my problems are in the first place.
So, I think if we look at what a kind of best practice for cybersecurity sales is, don’t come towards your client with predetermined knowledge of what their problems are without understanding what those problems really are because you’re going to land yourself in some very, very hot water.
[David Spark] Yeah, that is, by the way, that is a bold statement to make and that was a good response. So, what are my problems? [Laughter] All right, Steve, let me throw this one to you. Have you had a vendor come to you as a doctor looking for comorbidities?
[Steve Zalewski] Yes. And I got to hand it, the way she says it makes it sound good, but if I look at it the other way is, okay, so in essence, they’re saying I have a screwdriver. Let me find a way that I can sell my screwdriver. So, the fact that I have a headache, it’s like, “Oh, you’ve got a headache.
Well, maybe it’s a migraine. Maybe you got the flu. Maybe you got brain cancer.” So, let’s go ahead and ask you a bunch of questions to find a way to sell you the medicine that I have. This comorbidity is another way of saying, “So let me ask you a bunch of questions so I can figure out what I can throw up against the wall to be able to sell you something.” Now, not everybody does that, but there’s another way of, in essence, that’s what she’s saying is, “So we’re going to ask you a bunch of questions because that’s giving us an opportunity under the guise of, well, maybe it’s a comorbidity.
And so, therefore, let’s solve the important problem for you,” with, “No, I’m coming with a problem. Take care of my headache. If I got brain cancer, that’s a different problem. And there’s a time for me to know that, not you telling me all the things that’s wrong with me.”
So, that’s kind of the yin and the yang of her argument, which is why I really appreciated it. Right? And I would say, hey, David, how much do you look forward going to your annual medical checkup? Because you know they’re going to find a bunch of stuff and you’re like, well, maybe this isn’t the year I want them to find it.
Granted, something could be really serious and it could save my life, but that’s what you’re up against, right?
[David Spark] It’s interesting you mention that. Nobody has a perfect environment. I had a guy come back to me and says, “Is anybody happy with their website?” I don’t need someone to come and point out all those problems with my website. I know a lot of the problems. I know what they are. Is anyone truly happy 100% with their own health, with their company’s health?
Like, oh yeah, I got problems. That’s why I’m looking for solutions. But let’s say I have like two IoT devices in my environment. Someone’ll still try to sell me an IoT security system. You don’t know, it could come through those too. You never know. Jay, what’s your thought on that?
[Jay Jay Davey] I think salespeople need to understand that as security professionals, we’re trying to really balance the functionality of the business and its ability to operate and generate value alongside security. So, being able to secure that ability to generate value. So, sometimes we need to make compromises on security.
So, while the best solution may be present to us and they maybe have all of the solutions to our problem, they need to understand we might not need to solve that problem because we’re making money as a business, and we need to focus somewhere else. And it’s having that honest conversation with a potential lead, trying to understand what are they trying to solve right now?
And then asking the question, why are you trying to solve that? What is the driver for you wanting to solve that problem? That’s where salespeople can fit in. Saying, “I understand that’s the driver. We can also fit in on X, Y, and Z that could be related to the driver.” All of a sudden, you’ve increased your value just by understanding what’s driving my requirements instead of saying, “That’s your requirement.
Brilliant. Okay, we can solve that.” But understanding and going back to that headache analogy is understanding the root cause of why you need that particular solution.
[David Spark] Very good point. Well, that brings us to the very end of the show where I ask you, Jay, first, which quote was your favorite and why?
[Jay Jay Davey] So, I think I have to go with the quote from Murray Pearce about understanding context. And that is going to be the right side is if you understand the context of your sales, of the people that you’re trying to sell to, you’re going to have a lot better time building better relationships and making more qualified leads.
[David Spark] There was nothing wrong about Murray’s quote right there. Steve, your favorite.
[Steve Zalewski] I’m going to go with Michael Rack at TryHackMe because it’s a larger cybersecurity issue, right? You get what you ask for.
[David Spark] Yeah, he was the one talking about the job ads.
[Steve Zalewski] Right, yeah. Job adverts for cybersecurity roles typically are more interested in SaaS sales executives versus specific cybersecurity experience, which is often just a nice to have. And we go, we are going to continue to have this conversation ad nauseam for as long as we continue to put job specifications out there that advocate for show me that you sell sneakers, not show me that you know how to sell cars.
[David Spark] Well, that’s a very good point.
Closing
25:26.377
[David Spark] And that now brings us to the very end of the show. I want to thank our sponsor, and that would be Backslash, and they’re the ones giving us the Backslash App Graph AppSec using a digital twin of your application, breaking the boundaries of traditional SAST and SCA security scanners. I want to thank you, Steve, as always.
And Jay, are you hiring over at wonderful Planet?
[Jay Jay Davey] We certainly are. And we are hoping to bring more wonderful roles to the industry and get some good talent into Planet and help me secure the organization.
[David Spark] So, if you would like to work with Jay, and by the way, are you hiring like all over the world?
[Jay Jay Davey] We are, yes.
[David Spark] Ah, right. Well, that’s great to hear because we have listeners from all over the world as well. So, I’m assuming they can contact you through LinkedIn, we’ll have a link to your LinkedIn profile, yes?
[Jay Jay Davey] They certainly can.
[David Spark] Ah, awesome. But obviously, look at the Planet job board before you reach out. Don’t say, “Hey, can you get me a job?” Don’t do that to people. All right. Thank you very much, Jay. Thank you very much, Steve. And thank you, audience. We greatly, greatly appreciate your contributions and listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.