How to Sell to a Fortune 500 CISO

Kevin Qiu
August 31, 2021

Macy Mody

Hi, everyone. Welcome. And thanks for joining us today. If this is your first webinar with us, an extra special welcome. If you're a returning attendee, we're really glad to have you back again. As always for our SafeBase webinars, feel free to post your questions in the chat window or use the Q&A option and we will try to either answer the questions during the talk or we'll make sure we have a couple minutes at the end.

We have two really awesome panelists today that are going to be sharing their knowledge around the sales process with senior security leaders. So I'm going to do a quick intro for both of them. So first off, we have Sameer Sait, he is the former CISO of Whole Foods, Forcepoint, Arrow Electronics and a couple other major organizations, with over 18 years of experience in the Fortune 500. He's been responsible for building and managing world class security programs across a variety of sectors, ranging from banking to retail to software. You're gonna see my dog nudging my arm in the corner, by the way.

And then we also have Kevin, so he's joining me here today. Kevin is our Director of Information Security here at SafeBase. He oversees our internal security program and has a direct role in the future of our product. Prior to joining SafeBase, Kevin was a consultant in the financial services world and helped start security programs at Jet.com and SeatGeek. Super excited that both of you are joining us today. I know we only have 30 minutes here. So let's get right into the discussion. Sameer, you're most recently the CISO for Whole Foods, which prior to the acquisition by Amazon was large enough to be in the Fortune 500 on its own. I'm sure you've seen a lot of demos and pitches from tons of security vendors out there. We heard from our attendees today that they're really excited to hear your insight as to how you as a CSO for a large organization really approach selecting the right tools for your security program.

Kevin Qiu

Yes, Sameer, I guess the first question we'll be asking today, everyone's favorite topic. So on LinkedIn recently, there have been a lot of posts about cold calling, and whether or not they're appropriate for CISOs, and we just want to get your insight as to whether or not cold calling can be effective and if there's certain approaches people should take. I'll let you take it from here.

Sameer Sait

Yeah, I, I appreciate it, Kevin. And thank you, Macy for the warm introduction. I have a hard time with cold calling, frankly. Because, you know, look, a lot of us are working from home, we're commuting sometimes to pick up our kids. And you get this random call from a number you don't know, right? And you don't know if it's important or not. I think cold calling is a bit too aggressive in my eyes. I don't recommend it. I wouldn't do it to somebody else, even another fellow CISO. So I also think that, you know, LinkedIn has a lot of noise, Kevin, we get a lot of messages and we start ignoring people and then blocking them, if you get, you know, some people get frustrated, right? I think the best way to engage with the CISO is really through their teams. Frankly, when you're talking about Fortune 500, typically, you'll have a team of you know, 20, 40, 50, over 100, sometimes, right? And your teams are so much more adept and knowledgeable in the space in their domain, right. So if you can connect with the team, and I'm not saying doing it on a cold call or an email, but at a conference or an event, putting a name to a face, right? Or even through a webinar like this, right? This is a great place to kind of say, "Hey, I saw your webinar, and I want to talk more." There's at least some context behind what you're connecting on, versus something that's just randomly out of the blue.

Kevin Qiu

Gotcha. And so I've also seen some sales folks reach out to people not to necessarily sell, at least in the beginning, but sometimes, especially if they're startups, they just want product feedback. Do you feel that those types of messages are appropriate? Or even that may not be that great.

Sameer Sait

I think the mechanism of how you request that feedback, if it's through a cold call, or a random email or random LinkedIn message, is probably not the way to go. Because we get a lot of those messages, right. Again, so if I was at a meetup around identity management, right, and somebody there was a new CEO of an identity management company, and met me or somebody on my identity team and said, "we're solving this unique problem in this space" and gave me that elevator pitch. And I'll say, "oh, I'd like to learn more. Let's connect offline." That's appropriate, right? I think those are the mechanisms you want to use. You want, there's something to be said about, I've met you. You're real. You're not just a random guy sending me a message. And you're actually thinking about the problem in a unique way, which I appreciate. Or if you're not, I'll say, sorry, I'm not looking for a solution to replace my authentication mechanism, for example.

Kevin Qiu

Gotcha. Cool. So, yeah, hopefully, folks were able to join in time to hear that, because cold calls I know are a big part of sales. But, you know, context and nuance is important. And I think related to cold calls, since they aren't necessarily the best way for you to discover new products. So do you typically hear about things either from your team or peers or industry reports? Like Gartner or Forrester?

Sameer Sait

Yeah, I don't, I don't look much at Gartner and Forrester. And I think those tools have their place, I'm not gonna say it's good or bad. I think the best way that I've been able to identify capabilities is through my peer network, some of the peers that I've connected with, other CISOs. And heads of security are very, kind of our thought leaders in some areas. So I respect their opinions. The other place, Kevin, is there's a lot of forums, right, there's CISO community forums, there's, I used to be a part of RH-ISAC, the Retail and Hospitality ISAC, where a lot of information is shared. There's a number of Slack channels. So I think word of mouth feedback through the CISO community. And I think, you know, I want to also say, there are sales people who build trusted relationships, right, with me, that when they talk about something, or they move to a new company, I will hear them out, because I think they've got the best interest in my long term success as a CISO. Right. So I think trusted communities, trusted people, and forums are the three mechanisms I use.

Kevin Qiu

And so one thing for folks to keep in mind. So, you know, at previous companies, I was a key decision maker, kind of like you Sameer. And a lot of times I met lots of great salespeople who are perfectly reasonable. If I said no, don't bother me, they didn't bother me. But there have been the occasional ones that don't respect my time, or are really rude to me, or pressure me into renewing or renewing the trial. And, you know, something to note is, a lot of times that type of negative experience, other folks in the security community hear about it. And so maybe it won't write off that person's company, right. But their friends, their colleagues, are probably less likely to engage with you if people hear that you're not treating people with respect.

And at the same time, I always try to respond to vendor emails saying, like, no not interested at this time. I know, not everyone will always do that. But just keep in mind that security folks are very stressed. There's always a lot going on. And so try your best to be nice and understanding, especially these days with work from home.

And so, the next topic I want to talk about is in addition to reaching the security team in the first place, the next biggest pain point for a lot of folks is the dreaded security questionnaire. And so, over the past few years, we've seen several different standards come up. And the idea behind the standards was, everyone hates the custom questionnaires. And a standard maybe can help eliminate, you know, 80 to 95% of those questions. We've seen the CAIQ, we've seen the HECVAT, the VSA, and yet, we're still seeing all these big questionnaires with hundreds of questions. What are some of the reasons why? I'm really curious about your thoughts around that.

Sameer Sait

Yeah, great question, Kevin. And, frankly, when you mentioned some of these questionnaires, I had never heard of them. So you've educated me to upgrade? So, um, I think that we've struggled with this for a long time. Kevin, there's one thing to say I'm going to create a standard questionnaire that applies to Amazon Whole Foods, or previous companies I've been at, and is it 50 questions or 500 questions? Is it long form, short form? Is it based on the risk of the vendor, all that good stuff, right? We even got to the point where we said we're gonna have an inherent risk questionnaire to risk rank the vendor. And once we figured out the vendor was a medium or high risk, we'd say, okay, here's the follow up questions, right?

I think the biggest pain point is the number of spreadsheets we have to manage. Right? It's like, it's cumbersome. It's emailing back and forth. It's follow up questions. And it's frustrating, not just for the company that wants to make sure that their data and their trusted partner is secure. But it's probably very frustrating for the vendor as well, right? I've been on the other side of it at Forcepoint, where we'd get these large questionnaires and we'd, you know, we rubber stamped it, frankly, right? Because we just wanted to get through so many of them. And so I think the other frustrating part for vendors and customers is you have to have multiple meetings. I didn't include my architect, I need my software developer, I need my security engineer, ops guy, right? Because we don't have those detailed answers. So I don't know if there's a perfect answer to this.

But I think finding a way to kind of maybe respond once for 80% of what's needed, giving more information if needed, right. And then maybe the other 20% is a follow up, and a shorter follow up, because you've given me so much information. But I think the world is changing, Kevin. There's no more, hey, give me your pentest report, you got a SOC 2 report, you're good to go. Right. CISOs have a lot of pressure to secure their supply chain. And that supply chain is a lot of known unknowns and unknown unknowns. And that's why we tend to be super, I won't use the word aggressive, but super, super, you know, assertive and pushy around making sure we have a good handle on our third party vendor risk.

Kevin Qiu

Yeah. And so you know, the CAIQ or the "cake" and the VSA, they were created kind of for this purpose, right, it was a bunch of questions that are very commonly asked, and I personally am a fan of them. But I think one reason they're not as prevalent, and maybe why you haven't heard of some of them, is that people don't have a good way to distribute them or share them. Or by the time that salesperson is ready to share it, it's kind of so late into the review process that the team's already set on doing the custom questionnaire. And so, you know, a bit of self promotion, as someone who has seen the SafeBase platform and has played around with it, what do you think the benefit is of having a lot of this important security information kind of upfront on a public page where you can download a CAIQ if you'd like? And, you know, download a VSA?

Sameer Sait

Um, yeah, I think there's multiple benefits. And it's probably going to take the whole call to get into all the benefits. But what I'll say is, there's two aspects.

One is, I didn't know enough to ask the right questions up front. But now that you've given me a status page, I know what to dig into, from a concern or a kind of deep dive perspective. The second is, all of the stuff that you put on our dashboard should tell a story around how you manage the risk of your enterprise to protect my data, right. And so if I have the ability to have a one stop shop, that I can share within my org, without sending multiple emails and annoying people with, you know, the mailbox kind of updates, including the legal teams, including privacy teams, including SecOps, right? They all want to look at it from their own angle, identity teams, etc.

The other piece is that information is dynamic, right? It's getting to be more and more dynamic, which is really, really wonderful. Because I may not have all the information to fill in the questionnaire, but you will see me fill it in real time, or you'll see me answer that real time. And therefore you won't need to ping me with a "hey, man, where are you with your responses?" Right. So I think those are the main, I'd say, benefits from my perspective. The other one, you know, I mentioned this earlier, we talked about cold calling. We talked about who to reach out to in your organization to get the best traction, how do you engage with the CISO organization? Well, keep in mind at the end of the day, as a CSO, we are accountable for risk for our enterprise, right? So if somebody is filling in a questionnaire or somebody is responding to a question, or somebody is accepting the responses on a dashboard, the fact that I have visibility across my third party landscape, and I can click through all the SafeBase Status Pages. I can have it at my fingertips if my boss or the board was to ask me, right? Do you have risks that you've accepted with one of your key vendors? I can say, yes, we have. This is why. And in the SafeBase platform, here are the mitigating controls that I think are good enough, right? So you can have an honest dialogue with real time information.

Kevin Qiu

And I think for me, at previous companies, whenever I had to review other vendors, first thing I would do is someone in marketing or legal said, I want to use this new SaaS vendor. I'll go to their website, see if they have a security page, right. And, surprisingly, a large number of SaaS companies either don't have one that's public or they have one and all it says is we use AWS, which is SOC 2 compliant. So therefore your data is safe with us.

And I think this is because historically, a lot of these companies took the approach of we don't want to tell people about our security, because that'll reveal too much. And so it was kind of this security through obscurity and always like, don't let attackers know what we use, they'll let them know we use the software, and it's gonna be harder for them. And we're starting to see that the world is changing. And we're seeing that Joe Biden's having all those initiatives with supply chain for America, so that we stop having the SolarWinds of the world, right.

And so we're very big proponents of transparency and security. And so, for your sales folks out there, you know, like, you should be best friends with your security team, you guys shouldn't ever be enemies. These are people that will actually help you sell faster. And if you have a lot of security information up front, you're going to be answering a lot of questions for reviewers, right? And the reason why these questions exist is because people don't have these really useful security pages to reference information. Their goal isn't to put you through like hours and hours of filling the spreadsheets out. It's more because they don't have any other option. And so what we're trying to do is to basically say being transparent can help solve a lot of that right. Great.

And so the next topic I want to move onto is smaller companies that may not have security programs. So these days, there are lots of really cool SaaS startups, right. So we ourselves came from Y Combinator, lots of great companies that are in our batch. And obviously, most of them aren't going to have folks with security backgrounds or a dedicated security person. But a lot of them have really cool innovative solutions. And so as a large Fortune 500 company, you don't want to just use any vendor, you want to make sure that even though they're a startup, they have some kind of basic pieces in place to ensure that you're not taking on too much risk. So from your experience, what are some of the kind of key must haves that you absolutely need to see, even if a company is really small? I know, that's a difficult question. But this does come up from time to time, right?

Sameer Sait

Yeah, and it's, it's hard to abstract that as it's based on how different SaaS companies provide different services. Right, but I think, at the end of the day, if you can work backwards from my mentality, which is how are you protecting my data in your environment, right. So I'll get into, like, is the access management properly set? Are the right entitlements in place? Has the application that you've built, that has my data, been kind of certified, you know, tested, evaluated, third party reviewed, etc.? And so we've kind of abstracted out from the data piece, all the way out to identity controls, controls around the app, controls around the environment. And then, you know, it's always nice to say, you know, you've got the governance controls, right. Like, we've got policies and procedures.

I don't care about that as much. I won't say that it's not important, but it's really starting with what are you doing, at a nebulous level, to protect my data in your environment? So I was just gonna say, I'm not a huge fan of, we have a SOC 2 standard. This is it. Like I've seen SOC 2s, and SOC 1s, that don't really kind of talk about the detail that I care about. So if we can answer those questions in detail, it's better than kind of saying that you've hired five people and you've got a budget of a million or two, right? If the budget's not spent right, protecting my data, I'm gonna be like, good for you. You've got money. But how does that help me? Right?

Kevin Qiu

Yeah, yeah. And I think a lot of smaller startups, like good things that they can kind of do is, let's say, they're integrations heavy. They should be very upfront and say, here are the only scopes that we need for your integrations. We don't touch your GitHub code, we just look at your issues, for example, right? That goes to show that, okay, they don't have a CISO necessarily, but they're putting some thought into their customer data. And it's very specific to their product. They're not giving just a blanket statement that oh, we take security seriously. Really, no one wants to hear that. They want to see that.

Okay, you're a small startup. But you've thought through this, and let's say you're protecting credit card data, or you're taking payments. You're using Stripe, because Stripe has a very robust payment storage system and you're not storing your own credit cards, things like that. They may seem really small and trivial but can make a really good impression. Because we're so used to folks with SOC 2s that are just, they wrote a bunch of policies, and there's not much going on.

And so, with that being said, like I think a lot of these kind of security products out there, they are built for these larger enterprises. And do you think that these companies are missing out by not kind of favoring smaller companies that maybe do want good security? A good example is antivirus, you have to have a minimum of 150 per year. Right? What are your thoughts on that?

Sameer Sait

When you say 150, you mean 150 licenses? Yeah, yeah. Yeah. Okay, got it. Yeah, I completely agree with you, Kevin. It's not like your security requirements go down if you're small, especially if you're a service provider. And so I do agree that I think companies need to have, or security product companies need to have offerings for the SMB market, I think. I think, you know, making it easy to consume products as well, you know, the way we do it, you know, with Slack and Superhuman and GitHub, make it easy, right? If you make it easy for people to sign up without even having to take a meeting or do a free trial version, etc. I do agree that there's some opportunity there, or what ends up happening is that your dev teams and your product side will end up using open source stuff that maybe has its own set of risks, right? Yeah, I think you're right.

Kevin Qiu

Yeah. Kind of like my last thought, before we open up the questions, is there are security companies from the past few years that have taken this approach. So Snyk is a great example. They have a great free plan. And so for sales folks out there, don't ignore the small guys, at least in the beginning, because you never know if they'll grow with you.

One of the reasons why Snyk has been so successful is they have that great free plan. And it's pretty good for a lot of smaller teams. And once folks start using your tool, they're probably gonna stick with it as long as it's good and if their pricing plans are appropriate. So I've gotten turned down from a lot of EDR vendors who say like, oh, you're a small company, you're not going to get our license cap. And it's like, well, you know, I'm probably going to go with one of your competitors that was a little more flexible, and I'm going to stay with them until my company gets massive, right.

And so, one thing to keep in mind, even if you can't do a sale, continue the conversation. Check in on them every now and then if they're okay with it. And you never know where that will lead, right? Because more and more smaller companies that are fewer than 500 people are starting to hire CISOs like Sameer. I think you're seeing that too, right? Some of your peers are starting to join small companies, because people are realizing security matters, no matter how big you are.

Sameer Sait

Right. Exactly. Yeah.

Kevin Qiu

Okay. Great. And with that, I think we will open it up to some questions before we conclude. Okay, so we have our first question. Sameer, a quick question: what if cold calling, email, or LinkedIn is the only viable form of communication for a salesperson? Some folks don't have the opportunity to go to conferences and events or don't get invited to these exclusive forums.

Sameer Sait

Yeah, great question. So what will catch my team's eye or my eye would be maybe an article published on LinkedIn, an email could work, if it has some context that's relevant to the problems we're facing, right? And saying that there's a webinar you can attend or there's a, you know, free white paper you can download. Those are not bad ways to kind of start the dialogue, before you go to conferences and events, but I think some of the events I'm seeing are live webinars instead of actually having to travel right. And so I'm not saying we have unlimited time, but I think going to folks in larger orgs that have larger teams, and targeting the identity management team with an identity management solution is better than going to me because I'll say, well, talk to this person or my team, and you'd have to wait for response and all that stuff.

So kind of figuring out who the decision maker is, quite often, more often than not, the CISO is not the decision maker, or will be a steward from a financial, budgeting, planning, strategic perspective. But the real person who will make the decision on a product will probably be a director reporting to the CISO.

Kevin Qiu

Great. Next question. Oh, this is a funny one. What is your take on XDR as a buzzword or security buzzwords in general? Like do they have an effect on you?

Sameer Sait

Ah, so XDR? You know, I think it's become kind of common verbiage, if you will. So, when it first came out, you're right. It was a buzzword, kind of. But I think, for me, the buzzwords are okay, frankly, just part of life. ML, AI, you know, machine learning, you know, XDR this, there's so many more. There's cloud security, CSPM, right. I'm okay with those. Right. What I don't like is FUD. I think we all don't like FUD, but you can have, you know, kind of use what I call extortion as a service. If you're going to try to extort me to buy your product, I'm just going to have a bad taste in my mouth.

Kevin Qiu

Yeah, like, if you don't buy my product, you'll be hacked. Right? We've all heard that. Great. And then next question is, let's see, what is the most unique way a vendor has gotten in front of you that was successful?

Sameer Sait

I don't think there's any vendor email that stood out, per se. The one thing I'll say is that offering free AirPods, offering anything that's of high value, is probably going to be very difficult for a lot of CISOs to accept. So be real careful of that. I mean, a T shirt is fine. And you know, depending on company policy, I can't speak for all companies, but being very cognizant of the fact that a high value ticket to a very famous event or whatever shouldn't be the hook you use, right? I think that the unique way is typically then, you know, take a test or play a game, and that it's kind of almost like gamifying my engagement to say, what are you doing about this? And then giving me a response. I've seen a vendor do that, which is really fun. So that's probably the most interesting one. Let's see.

Kevin Qiu

Cool. All right, we can fit in a few more. So Sameer, thanks for taking the time today. How important is vendor consolidation? So I know that some CISOs like to buy, like, Palo Alto has every security product under the sun. Now some like to mix and match depending on their needs. What is your opinion there?

Sameer Sait

Yeah, I'm not of the mindset that you need to buy one product so you have an easier time managing your vendors. I think integration is super important, right? If the products have native APIs or can showcase how they work well with a logging and monitoring solution, or with a pen testing solution, right. I definitely don't want standalone systems that don't communicate. So I think the vendor consolidation is not so important. But being part of a larger ecosystem is important.

Kevin Qiu

Like integrations with other security products would be ideal, because then you can kind of form your own platform as you'd like.

Sameer Sait

Right. Exactly.

Kevin Qiu

Yeah. Okay. All right. Let's see, we have time for another question. So as a CISO, when you're evaluating security tech products, is the option to start a free trial of the product appealing? So I guess free trial will be different than a free tier plan.

Sameer Sait

Yeah, I think both are good. I think free trial is great. I think making it easy to get up and running with a free trial is even better, right? If it's like, you know, I want to show you like, you want to show me the end result before you show me like the capabilities. And let me kind of play around with it. I think a lot of our team members like to tinker. So giving them kind of the controls or hands on the controls, is really, really helpful in getting in the door.

Kevin Qiu

Great. Okay. And final question. This one's very broad. What is the biggest challenge you face as a CISO today?

Sameer Sait

I would say no, that's a great question. I think there's a lot of challenges. And I agree, it's a broad question. But I'd say the biggest one for me is hiring talent, right? So when you think about selling products to CISOs, think about and empathize with the fact that, you know, we don't necessarily have large teams or we don't have, you know, a bench that's built out, right. So how can you help get us up and running? How can you help support that without stressing out the CISO organization? So talent is my biggest concern right now. What's my favorite book? I'll put in a quick plug. I haven't read the book yet, but a friend of mine, Chris Castaldo, just wrote a book called Startup Secure. And I'm super excited to read it. So hopefully, there'll be a favorite book soon.

Kevin Qiu

It's available on Amazon. And I'll hand it back to you Macy.

Macy Mody

Awesome. Thanks, Kevin. I'm really excited to be here. Thank you both for taking the time today. As a quick wrap, in case anyone isn't familiar with us already, SafeBase is a tool for companies to streamline their security assessment workflows during the sales process. We offer a security status page product that enables you to organize your security program information in one easily accessible place. And it makes it super easy to share with customers. Feel free to check us out at safebase.io. And thank you again so much for joining the webinar today. We'll be putting up the recording in case that's of interest to you. And hopefully you learned something new from this discussion.
