Page 119 - Cyber Defense eMagazine January 2024
The Hardest Part: Marketing and Sales
My favorite question from the interviews is “What is the hardest part about running your own virtual CISO
firm?” I think it is a tough question, but the responses seem to come pretty easily. 80% of the time the
answer is “sales.”
Why is sales so hard? Focusing on what I have learned from the consultants versus my own experience
with this problem, there is no magic bullet and almost everyone has their own unique approach. I will
address a few of them.
The first approach to sales is to focus on marketing. I have spoken to several vCISOs who have a
podcast, teach through LinkedIn Learning or other teaching platforms, write books or contribute to a
specific publication. What was most interesting about this approach was the focus on how their expertise
is discovered by their potential client. They have really focused on identifying that ideal client profile for
their services and then targeting their marketing towards that client. For example, if they find that they
are most suited to startups in the $1M to $10M revenue range, they will target their marketing to the CEO
or CTO of that startup and figure out how they do their research for service providers.
The second approach is to solely rely on their network. Often, the reason a vCISO launches their own
firm in the first place is because a former employer, boss or colleague asks them to provide fractional
security services to a business that is in a growth or established phase. This is a lucrative consulting
position that sets the vCISO up financially to make the leap. Once they do quality work for this one
company client, they use it as a reference to build a network of other potential customers through word
of mouth.
The third approach I will mention here is the direct sales route. In my discussions, I find that this is the
one that vCISOs consider the hardest path to take. Whether it is cold outreach or using a staffing firm,
the time a vCISO must commit is significant and takes them away from providing the client services. It
can also be relatively expensive as both paths require buying tools or paying fees. Also, vCISOs are
generally uncomfortable doing sales. My suspicion is that part of that comes from having been on the
other side of the sales pitch so many times that they are hesitant to fall into sleazy practices.
Fractional vs. Virtual: Demystifying the Divide
When I interview a vCISO, I like to ask them what they think about the use of the term “vCISO” versus
“fractional CISO” when referring to their practice. Interestingly, several interviewees refuse to label
themselves as “vCISOs” or they used to label themselves as “fractional CISOs” only to now focus on
“vCISO.” Ignoring the SEO of either term, these two terms, “fractional CISO” and “virtual CISO,” seem to
be awkwardly used and confused.
In speaking to an industry expert, I enjoyed her perspective on the difference. She stated that because
the term “fractional” is a mathematical term, those who tend to be more math thinkers may prefer to use
it. Following that logic, it defines the role as someone who offers some of their time, a fraction, to
companies and CISO departments.
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.