3 questions CISOs expect you to answer during a security pitch

It’s a difficult time to be a CISO or a security startup founder: Resources are tight and the stakes are high when deciding where to allocate them. This means the CISO deciding whether to onboard your product has less time, budget and staff than in recent years, and your pitch has to be that much better to make the cut.

Working in your favor, the growing number of cyberattacks and exfiltration ransomware that continue to threaten the bottom line for enterprises, means security remains a business priority. Gartner predicts that end-user spending for the information security and risk management market will grow from $172.5 billion in 2022 to $267.3 billion in 2026, so opportunity remains plentiful.

Just as security executives are condensing and refining their strategies, founders must do the same in the way they’re pitching these CISOs. There’s no more room for a good product winning over a CISO despite a bad pitch.

Based on our more than four combined decades in computer engineering, cybersecurity, and security startup investment and advisory experience, these are the important questions we see smart security founders answering in their pitches over the next few months to close critical deals and adapt to the unique market conditions and industry landscape:

1. How does your solution help me sell more X?

In the industry we often hear about, “a solution looking for a problem,” when the onus is put on the CISO listening to your pitch to figure out what problem your product is trying to solve and why it’s critical to their business. While this may have worked in the past when there weren’t as many solutions, today it can be a deal breaker. With the increasing number of vendors now in the market, CISOs no longer have the time to do this work for you.

A question Steve asked more than a hundred security vendors as the CISO at Levi Strauss was, “how does this solution sell more jeans?”

In all too many cases, the answer was “we are here to help you find more vulnerabilities or identify more risks in your environment,” which lead to a quick “thank you, no thank you” response, since handing the CISO more issues is not helping sell more jeans or solving a problem. It showed a lack of understanding and demonstrated they simply wanted to sell another tool.

When the response was along the lines of “our product will address the use case of identifying and remediating malicious or accidental misconfiguration of your consumer PII data in the cloud to limit the financial risk of regulatory fines and brand risk of violating consumer trust,” it demonstrated that they were thinking about the business problem and addressing how to accept responsibility for solving some facet(s) of it.

Steve appreciated that they brought a solution to a business use case problem and it allowed him to quickly determine if this was “interesting” or “important” in the priority of problems he needed to solve in the next 6-18 months. It was also all too common when the “how do you sell more jeans” question was posed that the individual would just stop and stare, unprepared to answer, resulting again in a quick end to the discussion.

Similar key questions to answer speaking to the bottom line include:

Do you solve a business problem in a way that allows the CISO to consolidate their existing technology footprint?

• For example, if your product can consolidate two solutions and save 25% of their combined operating costs, it gives them wiggle room on headcount justification.

Does your product increase the efficiency of their team or its effectiveness to protect their business over what they have in place today?

• The demand on CISOs by their executives is to show that any investment results in demonstrable efficiency gains in 3-6 months. This translates to automation for most CISO’s and “doing more with less.”
• In addition, CISOs are working with their business partners to analyze the retirement of business applications to see if there is an opportunity to reduce the security products footprint as an existing security solution may no longer be needed if the underlying business application need has been removed. So it may be possible to shift some security functions to another security tool they have in their portfolio and retire one. This is an upsell opportunity for a vendor that has an existing foothold to expand as they may be “good enough” now for something else the CISO needs.

2. How much time/effort will it take to integrate your solution into my workflow?

A key challenge for many startups to get design partners or to get the CISO’s ear when IT budgets are decreased is “the level of effort required to integrate your solution into my existing workflow.” A good way to illustrate this is the amount of effort required (input) to start demonstrating value.

Case in point: A leading identity access governance solution that’s able to glean which SaaS solutions employees use by taking note of which SaaS applications employees have OAuth’ed into reduces the effort of integration. Another example could be email security solutions that integrate very easily and start providing immense value. Reduced investment from the CISO or the engineering team to connect a security solution to their existing SaaS or homegrown enterprise applications will put you ahead of the competition.

Also consider the integration impact to existing business processes, not just technical integration/reuse. Consider the SaaS phishing/malware detection companies that integrate a simple “report as spam/phish” button into existing email interfaces to painlessly allow the business user to provide security with important data in a way that does not require changing the way they do their daily business.

A bad example of lowering the effort are endpoint detection and response and managed detection and response (EDR/MDR) vendors that require the deployment of a new agent/plug-in to provide value.

3. Can I trust you, and are you a good partner?

CISOs put their own reputations on the line when they buy and deploy a new security solution. So a bad experience is not just a “yesterday problem”; it impacts their ability going forward to obtain funding, headcount and business sponsorship. Especially given the high rate of churn amongst the CISO community (average tenure is 18 months), the CISO you may be pitching is likely to be new to their role. This means it’s especially important to focus on how your product or solution can help them excel at their role or deliver insights that they can quickly bring to their board of directors.

In Steve’s case, new security purchases averaged 1-3 per year. The lead time to that purchase was anywhere from 6-18 months. So it is neither a quick sales process nor a high-volume process. For many CISOs a company’s annual budgeting process requires us to think 6-9 months ahead to forecast what we plan to buy and how much it will cost. Then there is the 3-6 month purchasing process itself once we have funding secured. You can see why hunting for a sale by pitching your product and then pushing for a POC and PO in 30-90 days just does not put you in a good position with the CISO.

You have effectively lost the business and you seal your fate when you then hound the CISO with multiple follow-up calls/emails, as it shows you did not listen.

These purchases are more akin to buying a home vs. buying an appliance. So it is crucial that you know what they want and need in addition to understanding their timeline.

Foster the relationship well before and after your pitch. Sponsor local security events and attend them to understand what is happening in the field, build initial relationships with security leaders and their colleagues and get a better handle on what is important to them in the next 6-12 months.

Demonstrate that you care about them and their companies, and that you are putting their best interests first. When it comes time to determine purchases for the next period, this relationship will instill immediate faith in your company versus the many others who showed, pitched and left and never demonstrated that relationship value.

How you pitch your security product has never been more important to convince CISOs their reduced resources will be well spent with your company. By speaking to the bottom-line impact your solution can make, how it will impact existing business processes and why you should be trusted, CISOs will leave with the most critical information they need.