Nancy Wang is the general manager and director of engineering for AWS Data Protection and a venture partner at Felicis Ventures on enterprise infrastructure investments.
Steve Zalewski is the former CISO of Levi Strauss and the founder of S3 Consulting, an executive advisory practice to security companies and VC firms on product-market-fit and go-to-market strategy for security startups.
It’s a difficult time to be a CISO or a security startup founder: Resources are tight and the stakes are high when deciding where to allocate them. This means the CISO deciding whether or not to onboard your product has less time, budget and staff than in recent years, and your pitch has to be that much better to make the cut.
Working in your favor, the growing number of cyberattacks and exfiltration ransomware which continue to threaten the bottom line for enterprises, means security remains a business priority. Gartner predicts that end-user spending for the information security and risk management market will grow from $172.5 billion in 2022 to $267.3 billion in 2026, so opportunity remains plentiful.
Just as security executives are condensing and refining their strategies, founders must do the same in the way they’re pitching these CISOs. There’s no more room for a good product winning over a CISO despite a bad pitch.
Based on our more than four combined decades in computer engineering, cybersecurity, and security startup investment and advisory experience, these are the important questions we see smart security founders answering in their pitches over the next few months to close critical deals and adapt to the unique market conditions and industry landscape:
1. How does your solution help me sell more X?
In the industry we often hear about, “a solution looking for a problem,” when the onus is put on the CISO listening to your pitch to figure out what problem your product is trying to solve and why it’s critical to their business. While this may have worked in the past when there weren’t as many solutions, today it can be a dealbreaker. With the increasing number of vendors now in the market, CISOs no longer have the time to do this work for you.
Just as security executives are refining their strategies, founders must do the same in the way they’re pitching these CISOs.
A question Steve asked more than a hundred security vendors as the CISO at Levi Strauss was, “how does this solution sell more jeans?”
In all too many cases, the answer was “we are here to help you find more vulnerabilities or identify more risks in your environment,” which lead to a quick “thank you, no thank you” response, since handing the CISO more issues is not helping sell more jeans or solving a problem. It showed a lack of understanding and demonstrated they simply wanted to sell another tool.
When the response was along the lines of “our product will address the use case of identifying and remediating malicious or accidental misconfiguration of your consumer PII data in the cloud to limit the financial risk of regulatory fines and brand risk of violating consumer trust,” it demonstrated that they were thinking about the business problem and addressing how to accept responsibility for solving some facet(s) of it.
Steve appreciated that they brought a solution to a business use case problem and it allowed him to quickly determine if this was “interesting” or important” in the priority of problems he needed to solve in the next 6-18 months. It was also all too common when the “how do you sell more jeans” question was posed that the individual would just stop and stare, unprepared to answer, resulting again in a quick end to the discussion.
Similar key questions to answer speaking to the bottom line include:
- Do you solve a business problem in a way that allows the CISO to consolidate their existing technology footprint?
- For example, if your product can consolidate 2 solutions and save 25% of their combined operating costs, it gives them wiggle room on headcount justification.