Perfecting Your Cybersecurity Sales Process

By Katie Teitler, Senior Analyst, TAG Cyber

How Is Your Cyber Security Sales Process?

Sales has been around since the dawn of tradesmanship. Even before the term was codified, heck, probably before humans’ early ancestors spoke a language anyone alive today would recognize, humans have been selling wares. Looking at more recent history, pre-1990s or so, sales were conducted in person or over the phone. In-person—even door-to-door—sales were considered the best and most reliable method. If you could look someone in the eye and shake their hand, your chances of making a sale were greatly increased.

When email and the internet started to become ubiquitous, salespeople held on to tried and true methods, dialing for dollars, as it were, and racking up thousands of dollars in travel fees and air miles to visit prospects in cities wide and far. By the early 2000s, the digital realm changed sales for good. LinkedIn was launched in 2002 and suddenly businesspeople had a new way to connect. It wasn’t long before savvy salespeople saw an opportunity and started trying to connect with new, prospective clients, then move them to the next phase, a.k.a., the one-on-one, in-person meeting where the relationship was fully developed.

As time went on, and other platforms made it easier for salespeople to find their “financial buyer” via a quick internet search, the number of unsolicited cyber sales pitches increased exponentially. Executives were inundated with the one-two punch of email-followed-by-phone-message—always under 30 seconds!—in an effort to reach new prospects. As it became easier for salespeople to identify and connect with potential buyers, buyers found new ways to filter out the noise. Thus, it grew even more imperative for salespeople to connect with a greater number of people every day. It didn’t matter how you got through. Just get through. Just get someone to take a call. Just get someone to sit through a demo. Just get them to know you.

Sales digital transformation

Consequently, over the last few decades, sales have evolved from a highly personalized profession to a high-velocity numbers game. Especially in light of COVID, without any in-person meetings or industry events, and as the economy has presented numerous sales challenges, enterprise buyers have reported a massive uptick in digital solicitations. But because cybersecurity product sales, for many (not all), have become high-volume, high-velocity outreach, product seekers and budget holders have become the casualties of a spray and pray sales approach. TAG Cyber’s enterprise clients note this all the time: I’m receiving more LinkedIn messages where the person has no idea what my job title is or what my responsibilities are. I got two emails today where the note read, “Dear %FirstName%.” I, myself, have received several messages in the last few weeks asking if I am interested in buying networking equipment, phishing prevention software, video conferencing software, and lead generation lists. I’m a cybersecurity industry analyst. I need none of these things (OK, maybe technically I need the phishing [spam] prevention but it’s not my network, not my budget, not my decision).

Quite simply, this spray and pray approach doesn’t work for end users, practitioners, implementers…i.e., buyers. Good salespeople know this, but they can feel trapped by arbitrary metrics required by management teams pushing employees to hit their quotas. Somehow, a good portion of sales has become like the 1980s perfume sales reps in the mall who would ask if you wanted a spritz of their new perfume, and even when you said no, would spray it in your direction anyway. Maybe the shopper will catch a whiff and realize they really do want to buy this perfume. Today, the sales process has changed, and many salespeople have lost sight of the need to educate themselves on prospects—the individuals they’re contacting—before reaching out. And spritzing.

The art of taking the time to get to know a prospect has been lost, and it has been precipitated by our overreliance on technology and the rush, rush, rush world we live in. As a result, nearly every time we talk to an enterprise security client about vendor product selection, we hear the same things: It’s hard to find a salesperson who will listen to what we need. Vendors have canned product pitches, and they all focus on the same “differentiators” as their competitors. We went through multiple sales calls and an entire demo then found out their product is incompatible with our environment. On the first call, the vendor said they could do X, but when we were ready to purchase, they said they’d be building that capability custom and we wouldn’t have it until 4 weeks after we deploy.

But we know that there are good cyber salespeople out there who believe in their products and have just lost their way. The startup SaaS culture has turned sales into metrics rather than relationships. And it’s hurting both sides of the equation.

Because, as analysts, we sit at the intersection of vendors and buyers, we recommend cybersecurity salespeople return to the “old-fashioned” mentality of a personalized sales approach but combined with the advantages of modern technology. If done correctly, the result will be more conversations, more opportunities, and more (possibly higher value) sales. One challenge, in certain cases, will be convincing sales managers to adjust metrics to reflect the time and effort it takes to get to the first meeting—more reflective of a pre-2000s sales cycle where “hitting the number” is more important than the number of new contacts added to the CRM.

Do your homework

For those with true sales persuasive powers (or enough trust of their sales leadership), we recommend getting back to sales basics. Selling your cybersecurity solution is about people and their needs. And no two companies have the exact same needs, so throw out the corporate pitch deck and start your meetings with conversations. Before you’re given permission for a conversation, though, you’ll need to do your homework on the person whom you’re trying to convince to make time in their schedule. This convincing will require more time than stalking the surface of someone’s LinkedIn profile. For instance, my profile says that I am a cybersecurity analyst. Job titles in security can be tricky, but it’s well worth a salesperson’s time to a) visit my company’s website to see what the company does and the context of my work as an employee and, b) look at my LinkedIn activity. Literally, two minutes is all it would take someone to figure out that I am a research analyst, not the person who monitors network/cloud technologies and investigates alerts and security issues.

Many security executives intentionally have sparse social media profiles, but a quick Google search will often provide greater context about the person’s offline activity and interests. For instance, before Ed (TAG Cyber’s CEO, founder, and lead analyst) founded TAG Cyber, he did a ton of presenting and speaking as AT&T’s Chief Security Officer. His presentations were varied—Ed could/can speak eloquently on any security topic—but often his presentations reflected what his internal team was currently working on. Even if this isn’t the case for other CSOs/CISOs, it’s at least an opening for a conversation. And it shows the CSO/CISO that the salesperson bothered to minimally look into the individual rather than simply spamming them because of their job title.

For large, publicly traded companies, salespeople should peek at the Annual Report/10K, other investor information, and company press releases to see what security tidbits they can glean. As cybersecurity has become a top-line business risk, security initiatives have made their way into these public documents and can give hints about the company’s approach to security. And again, if it doesn’t give the salesperson specific information about the prospect, referencing business goals in the context of security will at least demonstrate an effort to learn and listen. That said, don’t half @$s it. Do your homework with honest intentions and you’re more likely to gain the connection.

After the connection

If the salesperson has done a bit of background investigation and catches the eye or ear of a potential buyer, the next step is…more research! This time, though, in the form of listening. Use the 80/20 rule: listen 80% of the time; speak 20% of the time. If you’re a salesperson doing more speaking than listening on your first few calls, you’re headed down the wrong path. Don’t make it about your groundbreaking, fully automated, cloud-based, zero latency, environment-agnostic powered by artificial intelligence solution.

Go in with the intention of fact-finding. A good salesperson must understand the buyer’s/enterprise’s:

  • Business requirements: How will technology be used? In what context? What are the intended outcomes? What are the KPIs the tool will be measured against? Who will be responsible for the day-to-day management/operation of technology? How much professional service support will they need? Are there additional stakeholders involved in the decision (who are not involved in current discussions)?
  • Architectural requirements: What networks/data/apps/OSs/languages does it need to support? Does the company run legacy tech, or does it operate in the cloud only? Will the company need help to migrate from on-prem to the cloud? What are the company’s plans for scaling?
  • Implementation requirements: Can the company support network change? Can the company support integrations themselves? What is their timeframe for implementation? What is their timeline for results/reports/data?

The main thing for salespeople to remember is that there are humans on the other end of the phone/keyboard/screen who need to solve real problems for their businesses. For them, buying a product is about a need, not your quota. While it’s a conundrum—the more product you push, the more you get paid, the better your job security—the irony is that the more you listen, the quicker and easier it will be to find the right buyers and the less time you will spend sending blind emails.

For example, on a recent call with a major enterprise, the security program owners were complaining that they were about to enter the POC stage with a security vendor and it became clear the vendor was unaware that the company was still running a large chunk of its infrastructure on Linux/Unix. To the enterprise, it was obvious—it’s what they dealt with every day. The vendor, on the other hand, was thinking about its cloud-friendly tech and missed a major foundational element that made the product incompatible with the enterprise’s environment.

Because the vendor didn’t take the time to learn about the business’s requirements, discussions were halted in their tracks after months of conversations. This was wasted time for everyone; the salesperson would have been better served gathering requirements in the first calls and moving on to a more viable prospect with real sales potential, and the enterprise would have been better off evaluating a different vendor.

More than enough prospects to fill your funnel

The reality of today’s cybersecurity landscape is that there are more than enough enterprise buyers. The trick is finding the right match. And salespeople won’t do that with vanilla emails or messages that aren’t suited to the buyer and don’t touch on a pain point.

Every day I log on to social media and see end-user friends and colleagues complaining about the inappropriate and off-target messages they’re receiving from product salespeople. Yet, they all need to buy products to run their companies! In fairness, and salespeople know this, there is some recalcitrance around the idea of “sales.” The spray and pray method used by a few (but too many) salespeople has soured the soup for potential buyers—they’ve come to expect a smash and grab approach rather than someone who takes the time to get to know them and their security technology needs.

Technology has made it possible for people to reach farther and wider than ever before. And as such, there’s been a loss of personalization in how we interact. However, technology has also given us the tools to learn more about people—or any subject—from anywhere and at any time. While digital transformation has largely made sales a numbers game, it also has the potential to bring it back around and create opportunities for customization. One very successful salesperson I know recently said to me, “Sales has gone way too far into metrics and away from actually being human and solving real needs. So, anything I can do to correct that is top of my list. It’s easier for me to work on a problem when they know I’m not just trying to shove software down their throats.”

Though sales culture won’t change overnight, I firmly believe we have a huge opportunity—as most of us still sit at home, working in isolation—to start connecting better with others. In a sales context, this will result in less time spent on emails that are inevitably filtered directly into spam, never read, and only count toward arbitrary metrics goals. A personalized approach to connecting will, in fact, lead to quicker, larger deals that end in bigger paychecks and President’s Club awards…when we can all travel and see each other in person again.

About the Author

Katie Teitler is a Senior Analyst at TAG Cyber where she collaborates with security organizations on market messaging, positioning, and strategy. In previous roles, she has managed, written, and published content for two research firms, a cybersecurity events company, and a security software vendor. Katie is a co-author of “Zero Trust Security for Dummies.” Katie Teitler can be reached online at and at our company website

November 15, 2020
