
CISO’s your buyer persona? Here’s how to stop annoying them

The most common "buyer persona" I have is the CISO. But I don't hang out with CISOs. Most marketers don't. We hang out with other marketers and complain about sales teams. Obviously 😉

The state of cybersecurity marketing

As a cybersecurity marketing agency, we know one thing: things were never easy in the industry and they’re not going to improve any time soon. But as a seasoned cybersecurity marketer, you probably know this very well yourself. 

Demand for cybersecurity solutions keeps growing, which makes sense considering that the estimated cost of cybercrime in 2024 is already over 9 TRILLION DOLLARS and it’s said to grow to almost $15 trillion in the next four years. So the pool of cybersecurity companies continues to increase–but this in turn creates a highly competitive market and leaves them all to face an uphill climb to stand out. And if budgets for cybersecurity solutions are changing at all, it’s only to make them even tighter. So how do we sell to CISOs?! 

Everything you need to know about CISO as a buyer persona

There’s one reason why CISOs might be particularly challenging for marketing to attract, and for sales to sell to–their role is still relatively new. Sure, it’s been a few years now since the world saw The First Ever CISO (imagine the responsibility), but unlike their CEO, CMO or COO counterparts, CISOs still lack well-defined and universally consistent duties, which only makes their jobs (and ours as marketers targeting CISOs…) harder.

Their role will vary greatly depending on the industry they are in, the regulatory requirements, company size and how many folks they have on their team. Are they the first CISO in the company or are they improving on years of legacy? Do they have a technical or managerial background? Have they already survived a cybersecurity breach? Their budget and technical stack will also influence their responsibilities and stress levels. This diversity requires sales teams to tailor their approach, considering the breadth and variability of the CISO's tasks.

Taking all this into consideration, CISOs are a unique breed, with a distinct set of characteristics and responsibilities that set them apart from other roles within an organization. Lucky for you, we now know a thing or two about those characteristics. And we’re willing to share.

Main pain points all CISOs share

You know the drill, effective marketing is never about you, it’s all about them and their problems–you’re here just to solve them. And yes, given the uniqueness of their role, each CISO comes with their own set of pain points they have to deal with, but there are things they all share. Understanding and addressing these will make your messaging stronger and more valuable. These common pain points include:

  • Never-ending threat landscape: New and sophisticated cyber threats emerge daily, requiring constant adaptation. There’s no certainty, no time to take a breather and think, and you’re always behind on things. Sounds suspiciously similar to marketing…

  • Resource constraints: Limited budgets and staffing shortages often hinder the ability to implement robust security measures. Companies are now realizing the importance of cybersecurity departments, but in most cases there’s still a lot to catch up on;
  • Regulatory compliance: Any CISO’s main task is pretty much balancing between protecting the organization from external threats and enabling internal business operations. Navigating the maze of compliance requirements is both time-consuming and stressful;
  • Vendor fatigue: Imagine being bombarded with countless vendors pitching their products. No wonder CISOs often suffer from vendor fatigue. Every vendor comes with better, newer and faster features, but all the CEO wants is to have them cheaper. That only makes it harder to capture a CISO’s attention;
  • The dread of cyber threats: It might feel natural to you to try to attract CISOs by highlighting the most recent cyber attacks; they make great headlines. But the truth is, it’s more like rubbing salt in an exhausting wound–there’s very little chance CISOs don’t hear about the attacks even before you do.

Personalizing content for CISOs

  1. Your cold pitch basically has no chance. They're just too busy to deal with cold email pitches (I don't engage with cold email pitches myself...) The answer to this is NOT to play a numbers game and annoy 500 CISOs with the hope of getting a single response.
  2. Engage with people lower down the corporate ladder. Sure, the security engineer can't sign on a $100,000/yr product. But they can spend more of their time evaluating it and making recommendations.
  3. Be REALLY specific about the problem you're solving - this applies to sales too. We’ve stopped counting the number of times we’ve seen ads and heard pitches like "we solve all your security problems". No, you don't. Stop pretending.
  4. Be very careful when using 'buzzwords'. Sure, they show you know the topic, but today’s vendors overpromise around words like AI, ML, blockchain, etc. If you know that going in, you can make sure to head off some of their objections early.
  5. For PPC targeting cybersecurity folks, just provide pure value. Don't ask for more information than you have to, and don't ask for their phone number for an infographic. And if your CMO/CEO will let you - ungate your content.
  6. Offline introductions are still the best way for vendors to get face time with CISOs. But CISOs do still go out of their way to check out new tech.
  7. Do your homework before reaching out. Don't ask "what are your problems?" unless you want your company to be anonymously called out on a podcast.
  8. Do valuable things for the CISO community (AKA, more than free lunches). Be a real resource - even if that means ungating your precious ebook when running lead generation on LinkedIn (which you should do anyway).
  9. Be technical and data-oriented in your messaging, but be available to help CISOs translate that messaging effectively to their nontechnical colleagues. If you make their pitch to the CEO easier right from the start, you’ll quickly become their ally–and that’s all we’re after.
  10. Scrap the FUD. Be positive, for a change. We made a point earlier about focusing your messaging on the latest cyber attacks, how much they cost, how serious they were, etc. Again, that will surely make a powerful ad, but CISOs have to live and breathe these attacks–so why don’t we try and focus on the good sides for a sec. Make it clear what your solution can bring. Let your product features speak for themselves and calm a worried mind before you even get a chance to speak. Plus, you’ll certainly stand out from the negative crowd.

 

The buying process in cybersecurity is complex, often involving multiple stakeholders and extended sales cycles (that’s why ABM works great for cybersecurity). CISOs play a central role in this process, which is easy to forget given the budget constraints and CEO expectations they need to meet. So hopefully the tips we shared will help you make CISOs feel they’re the main character again–and if it still feels like a challenge, we’re here to help. Feel free to schedule a free chat to discuss your worries and how Envy can solve them.

This post wouldn’t be possible without the great Dani Woolf, who’s on a mission to bring marketers and CISOs closer together.

 
