CISO's perspective from the frontlines

Vendors, Stop shooting yourselves in the foot


CISOs talk to each other, a lot, even on weekends, and when something is going on the word gets out fast. We also rely on each other professionally and mentally, and sometimes even emotionally.

A few weeks ago, in a conversation with other CISO friends, I expressed my frustration about a sales tactic a Business Development Representative (BDR) had tried to use on me, and boy, the floodgates opened and people started to share their own frustrations.

Here are several tactics, collected from that conversation and from personal experience, that rub most of us the wrong way.

Bad BDR practices

Meeting invites

Unsolicited meeting invites – We never talked, we never met, you have no idea what my schedule looks like (it's extremely busy, thank you very much), and you expect me to accept an unsolicited meeting invite? It is not only annoying, it is completely disrespectful.
We will either ignore it, delete it, or some of us may even block your email address from future communication.

“Can I have 15 minutes of your time” – First, I don’t even know who you are or what you do. Second, you don’t actually mean 15 minutes; you are hoping that I will say yes so you can try to keep me on the call for an hour. Third, every time I have said yes, most couldn’t even articulate in 15 minutes what problem they are trying to solve and what value they bring. Lastly, if I took 15 minutes with every BDR who is trying to sell me something, I would not be able to do anything else.

Deception and lies

“RE: Meeting request with <company name>” email subject – I never talked to you, nor did I ask for a meeting with your company. Do you really hope that I’ll think this is a reply to an email I sent you? Not only are you trying to deceive me, you are also insulting my intelligence. Not a good way to start a relationship.

“Hi I’m {name}, I’m your {my company’s name} account representative, I have been working with {my coworkers’ names} and I would like to meet to discuss …” – You are implying that you already have a contract with us and are just providing good customer support, but in reality we’ve never done business before: you were assigned our company as a target customer and simply gathered information to social engineer your way in.
We normally check whether we have an existing deal with you before we reply… and when we find out there is none, we hate the deception and are left with a bad taste for your company.

“Hi Yaron, I just left you a message on your office phone” – I don’t have an office phone …

Unsolicited account activation emails – Yep, you read that right! We spend a lifetime educating users not to share information online unnecessarily, and you want to trick the CISO into doing exactly that? Even if they fall for it, don’t you think they will realize it and get even madder?

“Hi Yaron, Mike said I should reach out to you” – Guess what, I checked with Mike, he doesn’t even know who you are.

“Your system was compromised” – What do you think will happen after I take you seriously and then find out it was a scare tactic to get me to talk to you?

“Did you hear about the Okta breach? Our product would have prevented that…” – One of the games we play in the CISO community is betting on how fast one of us will get an ambulance-chasing email with an offer for a product right after a highly publicized breach or vulnerability. It is usually less than 24 hours from the first publication.

LinkedIn abuse

Out-of-the-blue LinkedIn connection request – I don’t know who you are, we never spoke or met before, and you send me a connection request without any note explaining why you want to connect. I am not likely to connect with you.

“Hey Yaron, we have a lot of connections in common …” – On LinkedIn, yes, probably; security is a small industry, but that’s not a good reason to accept a blind connection request. If you do your homework properly, find a mutual connection that both of us trust, and ask them to make an introduction, that’s a much better approach.

“Hey Yaron, LinkedIn suggested that we connect” – So…? Why not just be direct and honest and say why you really want to connect?

“Hey Yaron, I am trying to increase my network and wanted to connect” – Same as above.

Sending a sales pitch immediately after I accepted your LinkedIn connection request – Even if I accepted your connection request, it doesn’t mean I am automatically interested in buying from you. This is exactly why I usually don’t accept LinkedIn connection requests from people I don’t know.

Disrespect

“Dear FIRST_NAME ….” – Not only do you carpet-bomb the planet hoping to hit someone, you didn’t even test that your system’s mail merge is working properly. Not only does it show laziness, it is also disrespectful.

“Dear John …. “ – Sorry, my name is not John. You could have seen that the email address doesn’t match the name in the email. Same problem as the previous one.

“Should I follow up next month?” – I already replied to your previous emails and told you we have no need for your offering.

Unsolicited newsletters – I never signed up for your newsletter! What gives you the right to add me to it? And seriously, if I hit the unsubscribe button it will take 5-10 business days to remove me from the list? Do you do that with a hammer and a chisel?

Calling my personal or home phone – I didn’t share either of these with you, and I don’t know you. Why do you think it is OK to call me on them? By the way, these numbers are also registered on the FTC Do Not Call list.

Weird and creepy

Photo or video of you holding a whiteboard with my name on it – I don’t know who thought this was funny or a good idea, but it’s just creepy.

Tasteless jokes – A female friend of mine received a cold note from a vendor asking her if she was tired of getting “pitch-slapped”. She wasn’t amused, to say the least.

Bets – “Yaron, let’s make a bet. If the Chiefs win this weekend you will give me a 30-minute call …” No thanks, I’ll pass.

Flirty notes – Another female friend received the following note from a BDR: “How are you doing… I had a smile on my face after reading your profile and I would love to know more about you and see what the future holds for us. It takes a lot of understanding, time and trust to gain a close friendship with someone you have never known or met before …”. He didn’t get any business from her!

Unsolicited gifts

Not going to eat it – This one was shared by a friend: “One vendor sent me a cake, unsolicited! Just dropped it off at the front desk. It had their logo on it and came with branded napkins, utensils, plates, and a serving spoon. Weird and wasteful, because I’m not going to consume something like that with unknown provenance – wouldn’t even share it with others”

Not going to wear it – Many vendors send socks branded with their logo. If you see a homeless person wearing your company’s branded socks, I probably gave them to that person.

Strong arming

Contacting my boss hoping they will force me to take a call with you – Trust me, not a good idea.

Contacting my CEO or a board member hoping they will force me to take a call with you – Even worse.

What should you do?

BDRs are under an enormous amount of pressure to generate leads quickly; the job is very transactional and short-term focused. If they fail, they may lose their job! I have a lot of sympathy for them, but there is a complete misalignment with how most of us buy.

We plan for the year, get budget for a project, do research, reach out to the companies we are considering, schedule demos/POCs, get feedback from other CISOs, then buy. It takes time, a long time in some cases.

In my opinion, your best bet is to focus on building trust and long-term relationships. It will pay off in the long run, and here is how you do that:

Do your homework

Don’t just throw crap against the wall and see what sticks – One of the techniques we use in security is called OSINT (Open Source Intelligence). OSINT is defined as intelligence produced by collecting, evaluating and analyzing publicly available information in order to answer a specific intelligence question. Since there is so much public information online, take the time to do your homework before cold-calling someone. In my opinion, you will dramatically increase your chances.

Find mutual connections – Meaningful relationships are built on trust, so finding a way to connect through a trusted network is usually preferred. A mutual connection can also help determine whether there is a mutual benefit at all.

Focus on our mutual benefit not your sales quota

In most cases, when BDRs approach cold, it seems that they only have their own interest in mind, and that interest is closing a sale. What if they focused on building win-win partnerships instead of solely prioritizing short-term sales?

I can’t say it enough: focus on the long term and on building strong, authentic, trusting relationships! Everything else will follow …

One of the ways I find effective is to network with people at small local events and conferences; B-Sides is a great example! Don’t just go as a vendor, go as a regular attendee, get to know people and talk to them.

Respect your prospect’s time (and yours too)

If you reach out via email or LinkedIn, be brief, respectful and to the point! Here is an example:

Hi, 

I'm with <Your company name>, we're a <What your solution / service is>. 

Curious if <Your type of solution or service> is on your radar in <enter year> or at all. If it is, I'd love to share some information and learn more about your program. If it is not, simply reply with "No, thank you" and I promise I will not bother you!

Attached are a couple of brochures so you can see if this is at all relevant. 

Thank you
<Your Name>

That’s it! That’s all you need! Simple, easy to consume, and to the point.

It allows me to make a quick decision, and I will likely respond with “Yes, let’s talk”, “Interesting, but the timing isn’t right” or “No, thank you”. This way you are not wasting my time or yours, and you can focus on other prospects.

I promise to always be direct, honest and respectful, so please respect my time as well, and if I said no, please go away.

Conclusion

To all the BDRs out there, forget the trickery and the “clever” ways to “overcome our resistance”. I can’t stress it enough: focus on building trusting relationships and demonstrate value!

First impressions matter, and trust matters a lot in our industry. The community is small and people talk. We want to work with you; we can’t win this fight alone, and we need strong partners we can trust to fulfill our mission and our duties to our organizations.

If you focus on building relationships based on trust and mutual value, you may find that you gain loyal partners for a long time. If you start the wrong way and leave a bad taste, most of us won’t engage.

Cheers…

About the author


Yaron is a seasoned multi-industry Cyber Security Leader. He is 2x CISO, Research Fellow for the Cloud Security Alliance, Security Tinkerer, Advisory Board Member for several cyber security startups and venture firms, and a Mentor to other CISOs and members of the security community.

By yaron
