
Do many cybersecurity sales professionals lack a deep understanding of cybersecurity? If true, does that cause problems for people who have to use their products after purchase?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is Jason Thomas, senior director, technology security, governance, and risk, Cystic Fibrosis Foundation.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Query.ai

Full Transcript
Intro
0:00.000
[David Spark] Do many cybersecurity sales professionals lack a deep understanding of cybersecurity? I mean, if this is true, does that cause problems for people who have to use their products after purchase?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. And joining me for this very episode, one of your favorites, and if it’s not, what’s wrong with you? It’s Steve Zalewski. Say hello to the audience, Steve.
[Steve Zalewski] Hello, audience.
[David Spark] By the way, one person has already greeted Steve that way saying, “Hello, Steve,” so he would like it if you greet him that way in the future.
[Steve Zalewski] [Laughter] Well, let’s not get carried away.
[David Spark] I believe I spoke to your wife about this too. Our sponsor for today’s episode is Query. Remember, security data is everywhere. Put yours to work. Query can do that. They have a pretty impressive way of bringing all your data together so you can make contextual searches to know what’s going on. More about that later in the show. Today’s topic is, are cybersecurity sales professionals leaning more on sales tactics of using buzzwords rather than really trying to solve security problems? Now, that’s a fear, claims David Colombo of Alaris Security, who argues that half the people in cybersecurity – again, this is his claim – don’t have a clue what’s going on. He’s kind of shooting from the hip here, but he points to sales professionals as being the biggest culprits. He blames both salespeople and consultants, lots of flash and poor implementation of products that confuse buyers. I will ask you, Steve, is David Colombo right? Is there a failure of caveat emptor, buyer beware?
[Steve Zalewski] I wouldn’t say that there’s a failure of caveat emptor. I’d say we absolutely understand that in that because you continue to put salespeople that don’t understand what they do in front of us, that the brand damage that’s being done is almost irrecoverable at this point.
[David Spark] Very, very good point. Well, we’re going to discuss this very issue with our guests today. Thrilled to have them on board. It is the Senior Director of Technology, Security, Governance, and Risk for the Cystic Fibrosis Foundation, none other than Jason Thomas. Jason, thank you so much for joining us.
[Jason Thomas] Thanks for having me. Long time, first time.
Can anything be done?
2:28.130
[David Spark] Isabelle Meyer of ZENDATA said, “This is what created a lot of uncertainty and a bad reputation to cybersecurity. Users purchase based on the trust of salespeople, and then they get hacked, breaking that level of trust, not only in vendors, but in the whole system of protectors. It’s only giving leverage to the actors. The cyber world is a product-driven market. They have full control of what will be trendy and what will be deployed.” Zachary Hyde said, “Vendors need marketers with cybersecurity experience. Even just a Security+ can help understand the basic concepts behind the product. One thing I harp on in my white papers is speaking to the reader in their language, with their jargon. The best way to do that is by talking to them. Then with a basic concept of cybersecurity, you can express the value of your service.” I mean, isn’t this what sales training should be, Steve, like understanding our product, understanding the market? I mean, in the failure of the product, the product managers, like, shouldn’t they be doing this for their sales staff?
[Steve Zalewski] Yes. And I’m doubling down, which is it’s one thing if I’m teaching you how to sell sneakers. It’s another thing when you’re in a war and you’re selling weapons. Okay? There’s a much different perspective as to the level of expertise that you have to have, and an appreciation for what you need to provide me to do my job.
[David Spark] We always talk about this being a trust level business. If the sole falls off my sneakers, I just won’t buy from you again, and I’ll be annoyed, and I’ll tell my friends don’t buy from you. But if I get popped because of a failure of your product, now we got a bigger problem.
[Steve Zalewski] Oh, yeah.
[David Spark] All right. I throw this to you, Jason. You’re nodding your head here.
[Jason Thomas] So, I do think there’s a bit of the blowback, if you will, on the vendor. If there’s a failure in their product and I get popped, I kind of have to go, though, with it’s a little bit of a failure on me because that means I didn’t either learn the product correctly or set it up correctly to do that.
[David Spark] Right. Right. And I know this is like we talk about the cloud security shared responsibility model. And yes, just because the product is in place doesn’t mean it automatically works out of the box. You have to treat it well. It’s like taking care of a pet. Go on, Jason.
[Jason Thomas] Right. And I also think though that the other key part that sort of is glossed over here is the relationship. I need sales to understand my needs of my requirements and what I need that product for. Not just, “Look, new. It’s whiz bang, flashy greatness.” You want this thing because it’s shiny.
[David Spark] Which by the way, this is how we operate as normal consumers, right? We like what’s new and cool. Don’t we, Steve? You’ve been dazzled in the past, yes?
[Laughter]
[Steve Zalewski] Yes.
[Jason Thomas] Only once or twice, apparently.
[Steve Zalewski] Yeah. I’ve been dazzled before. Unfortunately, it hasn’t been by brilliance, okay?
[Laughter]
[Steve Zalewski] But here’s the other thing that we have here is salespeople want to make it transactional. They want to sell it to me and move on. So, they’re here to help me. We’ve talked about this. Whereas in the cyberspace, I need you to own the problem. I need you to be prepared to die on the hill with me because the trust I’m putting in you is actually the trust in me keeping my job. Again, I get back to the differentiation between you want to make it transactional and help me and then move to the next potential buyer when I get popped versus no, the accountability is joint right up front, and so therefore the “who’s going to die on this hill with me?” conversation is one that we’re having more and more.
[David Spark] And that leads to are you a short-term salesman or are you a salesman for life in the industry kind of thing? And I’m sure you’ve seen both, Jason, yes?
[Jason Thomas] You certainly see the short-term salesman who’s there for the quick hit and off they go, and then you’re handed off. I’ve experienced both. Most of my experience has been more focused on the maintenance of the relationship, the maintenance of the product, the maintenance of my satisfaction and my team’s satisfaction with that product that’s doing what we required it to do as opposed to, “Oh, here’s your thing. I’m going to hand you over to your customer success manager and tech support. I’m out.” I’ve found more of the former than the latter, and certainly there’s been a couple of the, “Meh, great. You left me with that bag. That’s great.” But you’ve also had experiences where you get the product that’s there, and then you’re kind of stuck with a product that had a cool technical solution, but the implementation left much to be lacking.
What are the complaints?
7:06.904
[David Spark] Danick Wiberg of Atea said, “I don’t agree, because cybersecurity is not a one-man job,” and then he lists out all the roles and the responsibilities. And then he adds the following, “We have salespeople who need to be able to communicate the problem and the solution. They don’t need to understand the coding. They need to know the attack vector and how the control works.” So, there’s a need to know something, just not that deep. You have to know essentially your level, know your sphere of influence.
And Thomas Ballin of Cytix said, “It’s a simple way to explain away challenges while feeling superior. There are plenty of competent people in cyber, including decision makers, marketers, salespeople, etc. Terms like ‘super next-gen xdr firewall box’ come about for a few reasons. For one, it creates ambiguity, which enables the selling on a wide range of value props. Another is tit-for-tat with vendors being seen to keep up with the competition, and another is that there is language for the consumer and there is language for the investment community. There are bad apples in the community, sure, but you should give the industry, your customer base, more credit.” So, like what I just heard from you, Jason, is you don’t really agree with David Colombo that half are a problem, which claims that the majority out there are doing a good job, and they’re representing their company and their industry well, that maybe it feels like half because the bad ones sort of outweigh the many good ones, yes?
[Jason Thomas] I think it’s a feeling that it seems the problem is much bigger than it actually is in true quantity. To your point, it only takes a few bad apples to spoil the whole barrel. We’re getting a sort of knock-on effect that’s similar to that, which is you’ve had a few bad experiences. And so, I’ll just sort of send a sling of, “Oh, it must be 50% that are all that bad that don’t know cyber. Great. All those people are awful as a result.” I don’t think it’s that. I do think there is sort of the buzzword problem, right? We know the buzzword thing is a laughable issue. Now we’ll do shiny AI ML insert some other acronym, and we’re awful at that. But I also think that’s sort of a feed-on effect from what we get from the industry analysis, right? The analyst sort of industry has sort of hyped that up a bit, and I think we can all point to examples in the last 10 years where something comes out and that becomes all the rage, if you will, for 18 months.
[David Spark] All right, Steve, I come back to the question I asked earlier. Are you on the same page as Jason, or you’re more on the same page as David Colombo is that just a few bad apples are kind of soiling the bunch, but in general, most are trying to do well by their company and by their customer as well, and the industry for that matter?
[Steve Zalewski] I’m the latter. I think that we are continuing to do worse and we’re poisoning the well more and more. But here’s why. I think what we’re doing is diluting the professionalism of those security salespeople that have been around and actually have been able to understand what it’s like to be a CISO, but we have so many companies – 4,500 – trying to sell product that we’re diluting the expertise of the sales industry by bringing in a whole bunch of people that have basically been given a script and just run around to everybody and read the script in order to be able to create a sales pipeline. And so, I would argue that, to a certain extent, is why we continue to have this problem, and why I think it’s getting worse and not better.
Sponsor – Query
10:41.680
[David Spark] Before I go on any further, I do want to tell you about our spectacular sponsor and that would be Query. Now, for decades, security teams have been chasing context. We all want that context. I’m not selling you on something you don’t already know. So, trying to piece together the right data at the right time to make the right calls. Now, what’s the problem here? Well, that data lives everywhere, in different tools, formats, and silos. And more often than not, it’s analysts who are left stitching it all together manually. That is exactly where Query comes in. Query is a federated search and analytics platform that connects directly to your distributed data. So, no ETL pipelines, no centralization required. You don’t have to copy things over, just API connections to the tools and systems you already use. It’s creating a security data mesh, bringing the power of your existing stack together to deliver real-time context without the heavy lift. So, even better, being more efficient with your data leads to lower SIEM costs. So, mission-specific AI agents and co-pilots, they handle the tedious parts, triaging alerts, pulling in contextual data, enriching results, and surfacing next steps. So, essentially, your teams make better decisions faster. Security data is everywhere. Why not put yours to work? You can learn more if you just go to their website, query.ai. Just go there. And when you go there, just let them know that the CISO Series sent you.
Why is this so darn hard?
12:21.504
[David Spark] John Mackenzie of CyberEQ said, “I work with technical and non-technical people to make the organization safer. Both fail to understand what cybersecurity really is. The unpopular fact is that cybersecurity is a non-technical problem that interfaces with technology.” You know, that’s a really nice way of summing it up.
[Steve Zalewski] That is, yeah. So, it’s Jason’s problem is what it is.
[David Spark] [Laughter]
[Steve Zalewski] Okay. Got it.
[Jason Thomas] Yay.
[David Spark] [Laughter] So, the great challenges in cybersecurity don’t even involve technical things. And Nina Wyatt of AHEAD said, “This is a multidimensional issue that fails to place blame on businesses, those truly accountable for mitigating risk, that fail to hire those skills and think a product or tool will fix everything. Consultants can only do so much. Salespeople can only sell so much. And at the end of the day, businesses fail to prioritize accordingly, assess accordingly, and invest accordingly to address the risks that they have.” I go back to my comment at the beginning of the show, Steve, caveat emptor. This is buyer beware, but it’s buyer responsibility too, and they do not know what that Latin phrase is. Steve?
[Steve Zalewski] Yes. And again, I’m bringing in some of the other considerations. I totally agree, right? That it’s a non-technical problem for the most part, but the non-technical problem is security budgets and security resources are in the decline, not growth. So, this ability to say, “Well, wait a minute. Let me do it right. Give me a lot of money. Give me a lot of people. Let me do POCs. Let me evaluate the 10 companies, okay.” And then you people do what I say when I deploy the friction of security into a business process, and it’s all going to be fine. So, again, what we’re trying to accommodate is how the machine actually works and the things that are broken that we can’t fix in how we’re having to provide cybersecurity in a growth industry like this. And so, everybody is right in their perspective, but when we look at it more holistically, this is where we’re trying to call out the fact that two rights can make a wrong.
[David Spark] Jason, here’s my question for you because we are saying that, yes, it’s our responsibility of the business to secure it, and we should know what we’re buying, we should set it up appropriately. But what is your expectation from – let’s just start with the salespeople because this is really kind of what we’re leaning on in this show – what is your minimal expectation and your hoped expectation from sales staff?
[Jason Thomas] Whoo, how much time do I have? At a base level, I expect to have somebody who can understand two things. One is understand my problem when I come to them. The other sort of challenge is the age-old problem of, “Don’t call me, I’ll call you.” There’s that. That’s my own minor axe to grind, but I don’t think I’m alone in that one. But I do think, one, being able to understand what my issue or concern or challenge is and coming up with the right solution for that, the right-size solution, but also making sure that I’m able to take that from beginning to end, from our initial conversations to POCs, to how that, you know, feedback on that POC, and then ultimately, if we opt to buy or not, whatever that decision is. That’s, I think, my hope.
I mean, in a perfect world, if all of those things are smooth and everything results exactly as I would expect it to, I mean, inevitably, I think there’s always something that no matter how well you scope a POC, you’ll miss something that you just don’t account for, or just it’s something that you rarely encounter. But in my mind, I think that’s what I would prefer in sort of the perfect scenario. But I do think there is a bit of the understanding that there is process involved, right? The technology should support what you need to do. But I think we’ve kind of gotten stuck in a… Rut’s the wrong term, but we have an expectation that there is clearly a solution that out of the box will fix this thing. And the reality is, it may be more of a Tetris situation where you’re actually trying to find the right shape for the right thing, and while you may not clear all the rows, you’ll clear some of the rows. And I think that’s sort of an important part, too. So, it kind of comes back to that notion around the non-technical components that really underlie cybersecurity.
[Steve Zalewski] And the fact that you got 15 products that claim that they will solve it, of which maybe six actually have the functionality, of which three may actually have a sales team that can communicate that accurately. So, why is it so darn hard?
[Jason Thomas] Or one product to rule them all, Steve.
[David Spark] Let me ask you how you would handle this situation because I just had this situation at RSA. So, I sat down with a vendor, and they’re telling me of their product, and I asked them about their competitors, and I know their competitors well. And I said, “Well, what differentiates you?” And honest to God, this was the answer. He goes, “Well, we just do it better.”
[Jason Thomas] [Laughter] That’s the answer. It’s not the right answer.
[David Spark] No, that doesn’t work. And I kept kind of pressing him on it, and I just got more variations of that. And I’m just like, “Guys, this is not working right now. It’s just not working.” What do you say to that, Steve, when you hear the, “Well, we just do it better”? Also in a sense, it was one of those puffing the chest, like, “Well, [Laughter] obviously, come on, look at us. We obviously do it better.” And I’m just like, “Really?” Steve, what’s your take on that?
[Steve Zalewski] So, [Laughter] the way I look at it is you go, “Hey, we’re playing baseball, right? How are you better at baseball?” And he goes, “I’m good at sports. How could I possibly not be the best?”
[David Spark] [Laughter]
[Steve Zalewski] Okay? That’s the kind of quantitative versus qualitative analysis that we see all the time, which was, “I don’t have any idea how to answer that question. But damn, I’ve been told I’m really good at sports. And so, obviously, I’m going to be the best at baseball, right?” I mean, this is the non sequitur that we’re struggling with.
[Jason Thomas] “I can run fast.” “Okay, great.”
[David Spark] Can you catch? Can you hit? Can you strategize?
[Jason Thomas] Can you see the ball and hit the ball? That’s important.
[David Spark] Running is a good component. I’m all for that.
[Jason Thomas] Need to get on base first, though.
[Steve Zalewski] See, and that gets back to, and again, as we’re talking about today, a good salesman is what? Is that somebody who hits their quota, or is that somebody who understands the needs of their client and puts the requirements of the client first?
[David Spark] Yeah, but how do you quantify that? You know what? On your side, you’re going to say that, but for the sales team, they can’t quantify it.
[Jason Thomas] I agree. Steve’s right. But it’s not going to move the needle as far as metrics are concerned from the sales organization.
[Steve Zalewski] So, you know what’s happening – the sales teams are not being effective at differentiating, they all stay the same. So, we as CISOs are doing what? We’re talking to each other saying, “Here’s what I need. Who deployed what that solves this problem?” And we’re short-circuiting most of that process and going right into, right, final POC bake-offs for two products where the sales teams basically weren’t even engaged. So, we’re going into survival mode, and that is totally flummoxing the sales organizations because their ability to build pipeline is we just bypassed them now.
[Jason Thomas] [Inaudible 00:19:36] work is not necessarily a bad thing, but to your point, it shows the inherent weakness of that system, if you will.
[Steve Zalewski] Yeah. Brutal truth. We just were talking brutal truth.
What kind of experience do you need?
19:45.724
[David Spark] Jessica Buerger of ISE Business School said, “Cyber professionals need to know how to speak all three languages – selling strategies, briefing executives, and frontline prevention and remediation. EPS – earnings per share and events per second, etc. – can’t know one without the other in this world.” Ethan Carter of Datavant said, “The consequence of the cybersecurity boom was a glut of Chicken Littles that executives and sysadmins alike learned to not take seriously, which just made the problem worse. Most SMB sysadmin shops still have a mediocre grasp of security, but now their beliefs are reinforced by these negative, disappointing reactions.” I’ll start with you, Steve. You’re nodding your head on this. Do you agree actually with Ethan’s last statement here? The Chicken Littles?
[Steve Zalewski] I think we should put that up on the wall. [Laughter] I think that is worth putting up because as much as I hate to go, that is what the industry did is it sold fear, uncertainty, and doubt for so long and was so successful at it that now that that doesn’t sell, they don’t know what else to do. And it’s not just small to medium business. The entire industry now is suffering from that. So, I was shaking my head because when you were reading what Ethan said, I just was like you want to put that up in front of every founder of every company and you should read that every day because you are the problem. And so, what are you going to do about your sales teams to educate them so that we dig out from the hole that we’ve dug over the last 10 years?
[David Spark] And then just to give you a little history to the whole CISO Series network, we started this back in 2018 because of the anger that the CISO community had towards vendors selling FUD specific, the classic thing, which let me ask the two of you because I have not seen this in a while, but whenever a big breach happened, CISOs would get flooded into their email inbox, “If company XYZ had our product, they wouldn’t have been breached.” Now, let me ask you, do you see that today? Yes or no?
[Jason Thomas] I would say I haven’t seen it nearly as much as we used to. I don’t know if that’s a reflection of how more commonplace breaches are. Is it a sort of an adverse problem of because it kind of happened more regularly, we’ve kind of become inured to it and numb to some extent? But I’d probably say the CrowdStrike event from last year, there was maybe one or two, I didn’t get any formal emails, but there’s one or two sort of side comments of, “You might not have had this happen with us.” I’m like, “No, probably not really, but okay, thanks.”
[David Spark] But in general, it’s been positive. And the correct answer to this, Jason, was the ones responsible are the CISO Series for improving all of this. Yes.
[Steve Zalewski] Whoo.
[Jason Thomas] Yes.
[David Spark] We’re taking full credit. We’re taking full credit.
[Steve Zalewski] Another quote to go on the wall.
[David Spark] [Laughter]
[Steve Zalewski] Okay. CISO Series was responsible.
[David Spark] We were responsible.
[Steve Zalewski] That’s what I took away. [Inaudible 00:22:56]. You did this. Yay.
[David Spark] Because everyone should be watching me patting myself on my own back.
[Laughter]
[Jason Thomas] That’s an impressive feat.
[Steve Zalewski] This show, yeah, this episode’s going to be good. Now, the way I look at it is ambulance chasing is what we call it. And over the years, the ambulance chasing has declined for those organizations that have suffered the consequence of trying that. But there’s so many new companies, right? And there’s so many new salespeople we talked about, coming in as undisciplined in the practice of cybersecurity, that they try the ambulance chasing because it’s an obvious thing to try, and they have no appreciation for just how vociferous the consequence is when we see that.
[Jason Thomas] I do think though, that the FUD problem, we also created the FUD problem ourselves as practitioners. We kind of leveraged that and also kind of further exacerbated it to say, “Well, here’s the vendors spreading something kind of scaring me into doing this thing, but I’m going to go scare my leadership too because that might work.” But then the reality is that again, you’ve built people’s calluses up and they’ve become numb to it to where it’s not in effect. One, it’s not really a great or effective tool, but now you’ve removed that arrow from your quiver.
[Steve Zalewski] So, 10 years ago, it was how do I prevent a breach, and therefore give me lots of money, lots of tooling, lots of everything, and let me constantly go back and show you how risky it is and all the new vulnerabilities I found, right? In the last three years, what we hear over and over again now is how does what you do sell more jeans, meaning what is the business value proposition, not the security risk conversation. And so, to the degree that the industry is changing and the business is changing to say it’s got to be business value, it can’t be security for security sake, I think is also one of the pivoting factors on the profession and the practice of cybersecurity.
[David Spark] Can we just take credit for all of it, Steve?
[Steve Zalewski] Sure. For you, David, absolutely. I’m happy to give you credit for the entire problem.
[David Spark] No, I don’t want credit for the problem.
[Laughter]
[Jason Thomas] He wants credit for the solution, not the problem.
[David Spark] Thank you, Jason. Geez, Steve. All right.
Closing
25:17.567
[David Spark] We are at the part of the show where I ask both of you, which quote was your favorite and why? And I’m going to start with you, Jason. Which quote was your favorite and why?
[Jason Thomas] I don’t want to steal Steve’s thunder, but I’m going to.
[David Spark] Go for it.
[Jason Thomas] The Chicken Littles one is a great one. We’ve all experienced it. We created a monster, if you will, very early on. And now we have to sort of figure out how we sort of reframe it in a good way to have the right conversations that we need around both what we acquire, but also in how we show value from what we’ve acquired, what we’ve deployed, and what we’re doing.
[David Spark] All right, Steve. He did steal your thunder. I know it’s your favorite. It may have been your favorite. You can pick that one again. You can pick another. Tell me which one you like.
[Steve Zalewski] I’m actually going to go with Isabelle Meyer for ZENDATA, which was this is what created a lot of uncertainty and bad reputation to cybersecurity because we have a reputation problem for sales and marketing. And we have got to face up to the fact that the way we were selling and the way we need to is different. So, what I’m going to say, like she talked about here, right, which was by breaking trust with the CISOs, once you break trust, it’s almost impossible to get back no matter what you sell or how good you are. And what we’re really doing is giving leverage to the bad guys. Okay? So, as a security community, our village, our obligation is to support each other against the bad guys, and this is just an acknowledgement that we have got to holistically get this better, which is why I like Isabelle’s quote.
[David Spark] Well, that brings us to the tail end of the show. Huge thanks to our sponsor, and that would be Query. Remember – security data is everywhere. Put yours to work. Come on, connect all those disparate sources. How are you going to do it? Well, you got to go to their website and find out more about it. Go to query.ai. Remember, if you reach out to them, let them know that the CISO Series sent you there. Huge thanks to my co-host, that would be Steve Zalewski. Remember, you always greet him by saying, “Hello, Steve.”
[Laughter]
[David Spark] Let me see how often that happens.
[Steve Zalewski] Yeah, yeah. And then you blame me when I throw you under the bus, okay?
[Laughter]
[David Spark] It’s a greeting. What could be wrong with a greeting? Jason, thank you so much for coming and joining us today. We would love to get you back on the CISO Series. You were wonderful. We appreciate it. Thank you so, so much. And to our audience, we greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.