https://cisoseries.com/get-all-the-stress-you-want-with-none-of-the-authority/
CISOs and other security leaders have a lot of stress. But so do other C-level employees. Why does a CISO’s stress seem that much more powerful? Is it that their job is still in constant development, or is the “C” in their name just in title, but not authority?
This week’s episode is hosted by David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Our guest is Aman Sirohi (@amangolf), CISO, People.ai.
Full transcript
[Voiceover] Best advice for a CISO. Go!
[Aman Sirohi] Don’t blindly follow the trends. Be strategic, think about how the business is growing and how the business will benefit from it, and how you’ll be mitigating risk. Key part is don’t be blind and just follow what everyone else is doing.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of said CISO Series. And joining me for this very episode as my co-host, you’ve heard him many times before and you get to hear him again right now, it’s none other than Andy Ellis, the operating partner over at YL Ventures. Andy, make some noise.
[Andy Ellis] The author of 1% Leadership.
[David Spark] We’re going to get into that in a second. Hold tight. This kid, he is uncontrollable on the self-promotion, but I’m going to help him out here. We’re available, by the way, at CISOseries.com, and we’ve got a lot of other programs on our network. So, please, check them all out because they’re a lot of fun, and you can learn a lot more about cybersecurity on those as well. Hey! Our sponsor for today’s episode, we love this brand new sponsor, it’s AuditBoard – connect risk and then connect your teams. AuditBoard – more about that later in the show. But first, Andy, you already teased it. Your book now has a pre-order link.
[Andy Ellis] It does.
[David Spark] It has a cover. It is called 1% Leadership, and I will just say from all the stuff that I have learned from you over this time, some of that will actually be in the book, plenty I have not heard before, I’m sure.
[Andy Ellis] Yep.
[David Spark] If you are first listening to Andy on this show, he is a font of knowledge. Now we’ll be in book form, this font of knowledge, correct?
[Andy Ellis] Right. So, if you don’t like my voice, you can just read my words without my voice.
[David Spark] Yes. You can imagine it with somebody else’s voice. By the way, are you going to do an audiobook of this?
[Andy Ellis] There will be an audiobook, we’re negotiating, but it’ll probably be done by the time this is aired. It’ll be settled. It will probably not be me reading my book.
[David Spark] Really? Why not you? You have a perfectly good radio voice.
[Andy Ellis] So, while I do have a lovely voice, I’m not a trained professional voice actor, and they would much rather have somebody who does this for a living.
[David Spark] Yeah, but you know what to sell in the material here.
[Andy Ellis] If I wrote it well, anybody can read it and know what to sell.
[David Spark] That I think is a mistake, I think it should be your voice ’cause it’s all you in that piece. Mmm, there’s going to be a discussion about this. We’ll come back to this. Let’s bring on our guest. Thrilled to have our guest on. I met our guest at the Black Hat Conference in lovely Las Vegas in a room 20-some-odd floors up the Strip in Las Vegas. So thrilled that he is on. It is the CISO for People.ai, Aman Sirohi. Aman, thank you so much for joining us today.
[Aman Sirohi] David, pleasure. Thank you for inviting me.
Close your eyes and visualize the perfect engagement.
3:11.505
[David Spark] “Brandon Wales, executive director of CISA, said boards need to push their companies to invest more on digital defense, adding that insurers and shareholders will be exerting pressure as well,” said Catherine Stupp in an article on the Wall Street Journal. Now, the argument was that cyber needs to be seen as a core risk. Tip of the hat to Brendon Conlon who’s the CISO over at American Century Investments for posting this article. The trend is definitely happening as cyber is moving up higher on the list of a company’s 10-K, noted Jared Snyder of Sonatype. What are pressures we’re seeing to make the board more cyber aware? I’m interested to know first from you, Andy. And how does a cyber-aware board behave that’s different to a board that just simply gets input from their CISO during regular board meetings? What’s the difference between those two kinds of boards?
[Andy Ellis] So, I think it starts with looking at what the role of a board is and how we’ve been failing it. A board has two roles, only two things a board is supposed to actually do for you. One is to ensure that the CEO has a succession plan. I’ll note that there’s a lot of boards that fail on that one. You should always look around, and if you can’t figure out what the succession plan is, that’s probably a board that’s already dysfunctional.
Which means when you go look at the second thing which is ensuring proper governance exists, the board doesn’t manage the company, their job is to make sure the company is well governed, and so the question is when the CISO’s been reporting to the board, have they been able to communicate whether or not proper governance exists, the answer is pretty clearly, “No.” The challenge is I think that boards are getting told to be more active, but they’re not thinking about what does “active” look like in this role of ensuring proper governance exists. So, more and more we see companies that talk about initiatives that are led by the board. The board should never lead initiatives in your company, that’s another sign of dysfunction.
[David Spark] So, do you think board being active is a misnomer and is something that shouldn’t be pushed?
[Andy Ellis] No, no. I actually do want the board to be more active around cybersecurity, but they’re not active in management. They should be active in governance and saying, “What is wrong that we can’t tell whether this company is well governed or not? What’s going on in the executive chambers?” So, actually able to communicate to us about what’s going on. Are these appropriate risks that we’re taking? Because more and more we’re seeing boards that are like, “Oh, this is how I want the CISO to report to me,” and they’re basically asking for like an audit report, they want to see a statement of findings against the NIST CSF, and you’re like, “That’s too much detail for a board to process.”
[David Spark] No, no. I understand that. So, what is the level of communications that the board should want? Aman, I’m throwing this to you. I’m really interested because we’ve talked a lot about not overloading the board with data and communications. But I want to understand specifically what makes a cyber-aware board different than a non-cyber-aware board because there’s a push from a lot of organizations, as was said in this Wall Street Journal article, that the board needs to be more cyber aware. What does that mean?
[Aman Sirohi] So, a cyber-aware board versus a non-cyber-aware board, right? From my experience, being in a company previously where we had a very cyber-aware board, they were very in tuned of what’s happening in the environment. They actually knew what the trends were, they actually knew where the gaps were. So, what happens with them is they’re very much pushing CISO to get things done and get things done faster, right? Because they actually know what needs to happen. Versus previously, when I was privy to some different board that I was part of, they were actually just gathering information. They were just listening to what the CISO actually had to say.
A quote that I’ve used before when I was talking to the board is – like to quote Desmond Tutu, right? Desmond Tutu said, “There’s only one way to eat an elephant – one bite at a time.” So, a cyber-aware board very much understands that, and then you take bits and bites of what you want to go accomplish and go show them on a yearly basis that this is what you’ve accomplished, and this is what you’ve completed. Versus a non-cyber board, they’re just listening to you. They’re not providing value to what needs to get done. So, for them, they’re like, “Oh, we’ll give you time and money and go get it done right now. Everything in one year.” From a CISO perspective, you’ve got to push back and say, “Look. That’s not how it’s going to work. This is what I’m going to do. This is how much time I’m going to need, and this is the scope I’m going to get done.” So, that’s where I think the difference between cyber-aware boards comes in and non-cyber-aware boards comes in.
[David Spark] Andy, I think you wanted to conclude on this.
[Andy Ellis] Yeah. So, I really agree on that. I think an important piece of that cyber awareness is the board recognizing that cybersecurity is not binary. It’s not we’re done or we’re not done, it’s how much risk are we taking. In the same way that when the CFO talks about foreign exchange risk, nobody’s expecting the CFO to say, “Oh. We have complete control of foreign exchange.” No. We want to know how you’ve hedged your bets and how you’re protecting against these risks, but we also totally recognize that if the euro collapses tomorrow, that’s a huge problem for a US company with a subsidiary in Europe. Probably a bigger problem for European companies.
I tell you, CISOs get no respect.
8:48.047
[David Spark] “Why is the CISO role seemingly more high stress than CFO, COO, CRO, CIO, General Counsel, or CTO? Is it because we haven’t fully figured it out yet? Not given it proper resources? Not given it proper authority as an actual C-level executive?” asked Frank McGovern of StoneX Group on Twitter. Now, this is obviously a highly slanted question of people who have not experienced the other non-cyber C-suite titles, but those other jobs seem more “settled” in their roles and responsibilities. Andy, in an article on CSO Online, you argued the problem is that CISOs only have the “Chief” moniker in name only, they’re rarely truly part of the C-suite. And in general, most people in the discussion agreed that CISOs don’t often have the authority to push through what they think should be done. They’re often secondary and/or reporting to the C-suite. Is it just because it’s this sort of like, “I got the responsibility, but I don’t have the authority,” situation?
[Andy Ellis] I think that’s a really big piece of it, and what their job is is very unclear. I know a lot of CISOs who thought their job was to eliminate risk in the business. That is very clearly not your job ’cause if you eliminate risk, the only way to do that is to put your company out of business first. There’s no more risk because you’ve already failed. So, not even knowing what your job is is a big challenge. Your job is to keep other executives from worrying about cybersecurity risk is the closest thing we have to a common mission. That’s an awful mission to have inside a business because that means that you own all the stress of the risk if you’re not letting anybody else stress about it.
[David Spark] Now, you’ve had sort of vision into these other roles, and I know this is super, super slanted that we’re having this discussion, but Aman, what’s your take on do you think the CISO holds higher risk and it’s just because it’s kind of unknown what the responsibility is?
[Aman Sirohi] Yeah. So, definitely do believe that CISOs have an unfathomed amount of risk that they carry, and one of the leading indicators for that in my mind is our industry is still on the path to maturity, so we’re still maturing as a group, we’re maturing as CISOs. And I’ve personally seen where a CISO reporting to the CEO unfathomed, like they are part of the circle, they make decisions, they’re part of the core group. Versus where a CISO is reporting to a CIO, and a CIO is reporting to the CEO or the president, they’re in the outer circle, right? So, there’s a huge disparity of who the CISO reports to, and when that CISO reports to the person on top, then the CISO gets respect and the ability to actually move the needle. Versus when they don’t get that respect, they’re actually trying to find their path and trying to figure out how do they actually make movements within the company.
[David Spark] I also go back to this, and we talk about this a lot, about this sort of “nobody understands what I’m going through” kind of a thing of the security professional towards the other people within the organization. But honestly, everybody feels that way. I mean, all these C-level titles, they have their own risks, and they have their own pressures. So, I don’t think a CISO’s going to convince them that, “My pressures are worse than yours.” Because would they care, I mean, Andy?
[Andy Ellis] Well, I think they’d potentially care but it’s all about how you approach it. Like, a CRO, chief revenue officer, you know exactly what they’re being measured on, it’s in their title – revenue. Like, they know exactly whether they’ve succeeded or failed in a given quarter. The chief marketing officer is often metricked on MQLs, marketing qualified leads. The CIO, sadly, is often metricked on how much money they have spent, and so they know if they’ve succeeded by how little they’ve successfully spent. And I think that’s really the big source of the stress is what does success look like for a CISO, how does anybody know if you did your job this quarter? If you went golfing, would anyone notice the difference between that and you working your hardest? And I actually posit the answer is probably no, they wouldn’t notice.
Sponsor – AuditBoard
13:07.013
[Steve Prentice] Explosions of scale such as more data, more people, more assets, more requirements, regulatory expansion, all make the job of an auditor or compliance professional much more difficult. Here is Richard Marcus, head of information security at AuditBoard.
[Richard Marcus] On the topic of regulatory expansion, we’ve all seen that year after year there seems to be more requirements coming from different sources, whether it’s privacy or requirements coming from the federal government. That’s not slowing down anytime soon. There’s going to be more and more things that we’re forced to comply with over time, and then the existing frameworks that we follow are not static. You might be going from version three to version four and the requirements may be changing. So, one of the challenges that compliance owners in organizations have to contend with is are they aware that these frameworks are changing, do they have a plan for implementing and incorporating that into their programs, and can they track compliance with these new requirements over time.
[Steve Prentice] This is where a single pane of glass solution from AuditBoard comes in.
[Richard Marcus] I think the most difficult thing there is communicating to the business what the new requirements are and what investment might be required to address those things. So, without a technology-enabled platform that enables you to kind of stitch these things together and really extend your program to cover these new requirements easily, it’s a very tough challenge for compliance owners to do manually or in spreadsheets. If you’re not using a technology-enabled platform, I’m not sure how you do that really well.
[Steve Prentice] For more information, visit auditboard.com.
It’s time to play “What’s Worse?”
14:43.427
[David Spark] It’s time for “What’s Worse?” Aman, I know you’ve heard this show, you’ve seen this show live, you are aware of how this game is played. It is a risk management exercise. I make Andy answer first. I love it when our guests disagree with my co-host.
[Andy Ellis] I don’t.
[David Spark] He doesn’t, so let’s see if you agree or disagree with Andy. Here we go. This comes from Nir Rothenberg, he’s the CISO over at Rapyd, and he’s given us a host of great “What’s Worse?” scenarios and here’s the next one. Scenario number one – you have a highly customized security stack with internal security tools and automations which your own in-house security team developers wrote, and they are maintaining it. But here comes the nasty part – due to budget cuts, 80% of that staff is now cut. Not good. Scenario number two – you have a tiny team and only off-the-shelf tools and an MSSP and consultant support, and still 80% of your budget gets cut. Which one is worse?
[Andy Ellis] Oh, the second one. David always hates when I have a fast answer like that one.
[David Spark] I know, I do hate the fast. He’s like, “Let me just pause here.” The reason is is that we didn’t come up with a good enough “What’s Worse?” Like, a “What’s Worse?” makes him struggle, and when he comes up so quickly, I’m like, “Wait. It’s not a good enough ‘What’s Worse?’” because I think these are pretty good. But okay. Why is it such an easy one?
[Andy Ellis] Okay. So, basically what you have is in the home brew version, I have just lost a bunch of my maintenance staff, but I did not lose any of my tooling because I own it. And so yes, I do have a problem now. But in the second version, I actually just lost all of my tools also because I was paying for them on contracts where I get them over time with support from the MSSP. And boop, I just lost all that budget, that’s all gone. So, all my services, all my security stack that were services just went away, so not only can I not add to them over time, now I’ve got a challenge. Now, I’m going to give an out, which is you could argue that it becomes worse in the other direction when I get money back, but I’m not allowed to posit I ever get money back because that’s one of the rules of “What’s Worse?”
[David Spark] Right. Because yeah, it could be worse because the off-the-shelf tools, at least you’ll have people who know how to use them versus…
[Andy Ellis] Who know how to use them when I get more budget, but I’m not allowed to assume I’ll ever get more budget when answering these questions, so for that too it’s clearly my…
[Crosstalk 00:17:18]
[David Spark] So, the second scenario is worse immediately.
[Andy Ellis] Yes.
[David Spark] But would you say the first scenario would be worse if you’re coming back and getting more budget?
[Andy Ellis] It probably becomes worse if I’m in that budget gap crisis for, yeah, like two years but then it comes back. I think it becomes much harder to recover because now I have to replace everything. But that is outside the scope of how I’m allowed to answer the question.
[David Spark] No, but that’s two different answers here, which is good for two scenarios. All right, Aman, you agree or disagree with Andy here?
[Aman Sirohi] I’m going to have to agree because for me, the way I look at it is even if you lose, you have internal stack, you built it yourself, you can stretch team members. You actually built it, so you understand it and you own it. When it comes to third party software, if you lose it, you have no support and then your risk profile is even higher as the CISO. I can stretch to get all the capabilities in place, but if I don’t have the tools, I have no chance, I have no chance to protect the company.
[David Spark] Now, do you agree with the second option that I said, should the money come back, is scenario one worse or just the same or not?
[Aman Sirohi] For me, the second, if the money came back, I think you have to reevaluate at that point. Because I think you have to look at what you’ve done in the past two years, where you are with that technology stack versus what other tools are out there, right? Because the tools may not have changed too much and then your internal stack that you’ve developed might still give you water. So, I would have to reevaluate it and then decide on which way I would want to go after those two years.
There’s got to be a better way to handle this.
18:49.359
[David Spark] “What is the easiest way to safely open PDF/Office files?” asked Katie Paxton-Fear, who is a lecturer at Manchester Metropolitan University. The question which was posted on Twitter resulted in the following suggestions: An air-gapped device or a virtual machine, Windows Sandbox, Google Drive, send it straight to the printer, send it to someone else’s computer, or using the service VirusTotal. So, I want to know your thoughts on these suggestions and your own suggestions. My guess is the average user isn’t doing any of this, and most of us think we’re getting files from trusted sources, so we don’t bother. Aman, your take?
[Aman Sirohi] The last thing you said is probably the most apparent. We trust the sources we’re getting the files from, so we don’t think about it. I would say that I was previously in a Microsoft shop, and we used Safe Documents a lot, and we actually enabled that. You have to have a certain license level in Microsoft to actually use that capability, but that capability was pretty handy where you saw the document, it would say you can view it until actually Defender would come and say, “This is a clean document,” and then you can actually download it and use it for your purposes. The other view of this is I would almost say that when you’re looking at documents, if you don’t need it or are not expecting a document, I wouldn’t open it. Like I wouldn’t open a document that you’re not expecting from a source or from even an internal source. So, I would be more from a security lens. If I’m not expecting a document to come my way, I actually wouldn’t even open it.
[David Spark] Yeah. But let’s just say for – and that’s a good argument right there – but let’s just say you are suspect of a document, what tool would you use to open it or what mechanism would you use to open it?
[Aman Sirohi] Give it to the business partner I hate the most so they can deal with it.
[Laughter]
[Aman Sirohi] What tool? I would do more of a view only type of capability instead of trying to download it. If I had to pick one, being in the Microsoft world, you would basically leverage Microsoft Safe Documents for you to do that.
[David Spark] I’m not familiar with that. How is that different from Windows Sandbox?
[Aman Sirohi] It might be the same thing, right? They’re talking about it’s basically… They call it Safe Document, and the Safe Document is enabled under a certain license. It might be the same capability.
[David Spark] Honestly, I don’t know.
[Andy Ellis] Well, Windows Sandbox, I assume on this is basically a separate machine functionally.
[Aman Sirohi] Yes. Yeah.
[David Spark] Mm-hmm. Which in a sense, the same thing could be with Google Drive, which is essentially also acting like a VM too, which a lot of people recommend it as well. Andy, what’s your take on this?
[Andy Ellis] So, my take is that we’re answering the wrong question. The correct answer is I double-click, and I let my computer open it. That’s the only correct answer. Everything else we do should be to make that safe. If I have a PDF that I need to open, then I should double-click it, and I’m opening it up in Reader and great, and that’s that. So, maybe I’m doing things that are exploding the document on my mail share, maybe I’m doing things where I only open things on burner devices. I mean, functionally, all of my devices are burner devices, everything I have is stored in the cloud, so if I happen to lose a machine, it’s not quite the end of the world. That said, I’d still prefer not to lose one of my machines. But no, we need to make it that the only correct answer to this is I open it in the native Reader on my platform.
[David Spark] You know, I agree wholeheartedly and that’s why sort of the end of my questions is that all of these answers were kind of like, “This is what a computer geek would do, not someone like my parents would do.” You know what I mean?
[Andy Ellis] This is not what I do, I’ll be honest. I follow Aman’s thing of if I’m not expecting this, I probably don’t open it.
[David Spark] Right.
[Andy Ellis] But no. David, like you send me random stuff, I click, I open it. If I get popped, you and I will have words.
[Laughter]
[David Spark] Exactly. But yeah, it gets right down to it. It’s like this should not even be a question anymore in that you should have the defenses in place to deal with said issue because people aren’t going to every darned document, they go, “All right. Well, now I got to bring it over to Windows Sandbox or Google Drive or I got to load this into VirusTotal and see how the heck this works,” kind of a thing.
[Andy Ellis] Yeah. I’ll say I had to add a second category. For me, Microsoft Word was only used for legal contracts. That’s the only place I’d been down to using it and it does turn out that that’s what you use for your manuscript when submitting it to the publisher.
[David Spark] Microsoft Word?
[Andy Ellis] They wanted it in Microsoft Word. I’m like, “I’ve got it in Google Drive, it’s nice and organized.” They’re like, “Nope, nope. Convert it to Word.”
[David Spark] Did it get messed up in the conversion?
[Andy Ellis] Oh, my God. Yes. Because I had every chapter was its own file, so I had to like stack all of the files. So, there’s a friendly editor who went in and cleaned up everything that was in there, but then I had to approve every change they made, so it was a lot of fun.
What do you think of this vendor marketing tactic?
24:01.409
[David Spark] “Last week I had someone with the title of senior director of SecOps send a connection request, so I accepted. They immediately spammed me with messages wanting ’15 minutes’ to give me a demo of their product. Upon closer inspection, their last few roles were biz dev and sales,” said Erik Bloch of Sprinklr who complained to the LinkedIn community asking if this was a new trend. And by the comments, it turns out it is. As we’ve seen in the past, salespeople have a lot of pressure on them, and they will resort to tactics that are in their self-interest to meet their quota. Honestly, I blame the way salespeople are measured – getting meetings, closing deals before quarter end – for why we see tactics like this. Andy, I’ll start with you. Do you agree, and what other way would you measure security sales professionals that wouldn’t incentivize this kind of sort of urgent behavior, if you will?
[Andy Ellis] So, I wish I had a good answer to this one, and maybe…
[David Spark] And I do too, and by the way, there is no great answer to this, sadly.
[Andy Ellis] So, the best answer that I have, and this is across the line where I report it to a CMO, like I have occasionally had tactics where I will then go find the company’s CMO and I will reach out to them and I’ll say, “This is an unacceptable behavior in your SDR organization.” And I hate doing this because SDRs are the lowest paid, most overseen group in the team with all these awful incentives. But when they start damaging your brand like this, the CMO needs to know.
[David Spark] Mike Johnson had an experience like this, Mike Johnson who is the other co-host of this show, and normally what he would do is he’d post about how annoying this is, kind of like what Erik has done. But he chose not to post, and he actually said the post that never was, and he actually got a lot of popularity, where he did exactly what you said, he goes, “This is not acceptable behavior.” Now, what you don’t want is you don’t want this person scolded though. You don’t want this…
[Andy Ellis] Except this is over the line. Like, they have pretexted, they have lied about what their job was. Either they did it or the company has told them to do it, and in either case that is unacceptable and they need to be scolded. And I wish we could get it to stop before it hits that point and maybe we need to figure out how to give that feedback in before companies cross that line. But no, more and more companies are crossing the line like this.
[David Spark] But I get to the argument of the pressure that is being put on them, and they’re like, “I got to do whatever I can to get this meeting. If I don’t have a meeting, then I got to do this.” And I think the pressure causes people to do things. Look – I’ve made mistakes and pushed a little too far because I just felt I needed to close something, realized I was going a little over the line. Aman, what do you think?
[Aman Sirohi] This gets complicated because being a newer CISO, I get bombarded from sellers and all different tactics that they’re coming to me at, right? And the way I look at it is when you cross the line and you become borderline unethical, or you blur the line of fictionally telling me you’re going to solve my biggest problem, that’s when I actually have done once or twice, I’ve responded back. And Andy, you said you’ve gone to the CMO. I actually knew their CISO, and I responded back, and I said, “Your rep is reaching out to me with not data that’s actually factually correct or actually going to help my company versus I know who you are, I respect who you are, so I think this is something you should take it internally.” And I’ve done that twice so far in the last 15 years where I reached out to the CISO that I actually knew from the company, and I actually told them, I said, “Look – you guys are giving out the wrong message, and I’m pretty sure this is not what you want it to be.” And what I did was this is the fifth email I’d gotten from them, so I literally forwarded the entire trail of all the emails that I’d gotten and how weirder every email got at every step of the way.
[David Spark] I think maybe – and Andy, what say you to this – is that while pressures are being put on them, they have to understand that they have to stay within the boundaries. And the other thing is, like, I think about like a really green BDR. We keep saying, “Oh, it’s all about trust and building trust.” If you’re right out of college, I mean, you know no one, you’ve built no trust, you’ve got nothing. They got to understand that they’re allowed to make some mistakes, not these kinds of mistakes in terms of ethics, but mistakes in terms of not reaching quota, and maybe there’s a period of time that they’re given a certain level of leeway. And I’m sure a lot of sales, maybe CROs are listening to this saying, “You don’t know what it’s like to be in my shoes, so shut up,” kind of a thing. What say you to that?
[Andy Ellis] So, if you’re that CRO, come talk to me. I will happily have a conversation with you. Because here’s the most important thing you need to recognize if you’re a CRO or a CMO, which is an SDR who is doing this, that is getting a 1 to 3% conversion rate, and you’re trying to get them, or they’re trying to move that up by like half a percent, which would be huge, recognize that this means that there’s a 97 to 99% failed conversion rate and what is the marketing you are doing for your brand there. This person who reached out to Erik has harmed your brand, and you have told them to do so. So, it is on you to put guidance down to your SDRs that says, “Here’s what we will not do because you are the most powerful marketing tool we have. Our name gets seen more because of the cold email that you send that nobody likes to see than every dollar that we spend on an ad at RSA or on a banner at or anything else you’re doing.” And so you’re fighting against this negative marketing campaign. Change that to a positive marketing campaign. How do you make sure that every touch, even if it doesn’t result in a conversion, leaves someone with a good taste in their mouth? And if you’re not doing that, you’re not doing your job.
[David Spark] How do you measure that? I do like that – leaving positively.
[Andy Ellis] So, I think there’s some ways you could do it. You could follow up, you could ask for surveys, hard because you’ll get opt in issues. Put a little “rate this interaction” at the bottom of the email. Try that, see if that gets you anything. Like one to five stars, don’t ask them for anything else. Like, “Did this leave a bad taste in your mouth or a good taste in your mouth?” That’s it.
[David Spark] Aman, one thing I have always said to people, especially starting out, instead of the thousand, hundred, two-hundred emails, whatever the heck they need to send out to try to get that 1 to 2% conversion, I always say what can you do to make one to two real connections with somebody in a day. And you think about that – over 50 or 100 days, how powerful would that be? Have you had salespeople try to make a real connection with you?
[Aman Sirohi] Yeah. One of the best ones that I’ve ever came across was everyone likes to tell me the problem, don’t tell me the problem, right? Tell me in very simple English what is your solution, how are you going to solve it, and then show me a demo, right? When you’ve come to me and you’ve understood my business and you’ve actually thought about what I’m doing, simplify it to me and then let’s talk about it. Versus telling me the problem, they spend too much time telling me the problem, and it’s always a waste of everyone’s time.
[David Spark] Now, I will just also caveat. All the salespeople listening to this saying, “Oh, show me a demo.” They would all love to all show you a demo, that’s what they’re striving to do right there.
[Andy Ellis] No, they don’t. They’re not striving to show you a demo.
[David Spark] No?
[Andy Ellis] They’re striving to control your access to a demo. Like, put a demo on your website. It doesn’t have to be everything.
[David Spark] You don’t need to tell me about this, I’ve been shouting from the hills on this.
[Andy Ellis] A six-minute demo on your website, then you cannot complain about CISOs who don’t want the hassle of interacting with you.
[David Spark] This is the exact reason we created our other show, Capture the CISO. Because you have to actually host a video demo on our site if you want to be on. Yes. The schedule a demo, I’ve talked about this incessantly of you’ve no idea of the number of people who are bailing when they see that. Because every time I hear that, I go… They say, “Well, we need to know who’s watching,” I go, “No, you don’t. You don’t at all.” And I go, “What you don’t know is the number of people who would’ve watched it who are never going to now. That’s what you all don’t know.” That’s a major problem right there. All right. Make a positive connection – that’s my closing. What’s your closing on this, Andy?
[Andy Ellis] Well, you just stole mine, so that’s just totally not fair. Look – I just want to go with this. Are you proud of your tactics? If you are not willing to stand up in front of your mom and say, “Here’s what I do to get deals,” then don’t do it.
[David Spark] That’s a good line. Better than mine. Aman, your close on this, your tip.
[Aman Sirohi] My tip is be transparent, right? We’re all humans, we all understand each other’s business, we understand that you have a quota, you have a job to do. Be transparent, tell us what you’re trying to get to, and then that’s when a CISO will partner with you and understand when they want a technology and when they’ll be able to take it inside the company.
[David Spark] Awesome.
Closing
33:41.384
[David Spark] Thank you very much, Aman. Thank you very much, Andy. And thank you to our sponsor. We love AuditBoard, our brand-new sponsor here – connect risk, connect your teams. More on AuditBoard, at you got it, auditboard.com. Now, Aman, I let you have the very last word here. The question I always ask all our guests, are you hiring, make sure you have an answer to that. Andy, I will say do you have any thoughts? I’m sure you’re going to be telling people to go buy your book.
[Andy Ellis] Go buy my book – csoandy.com/book.
[David Spark] Csoandy.com/book, and you can pre-register. When does it actually come out? When can people actually read it?
[Andy Ellis] On April 18th, 2023.
[David Spark] So, right after tax time.
[Andy Ellis] Literally on Tax Day. Certainly for Massachusetts that’s Tax Day.
[David Spark] That’s going to be Tax Day for people. So, if you’re expecting a big refund, a certain percentage of that could be put towards Andy’s book.
[Andy Ellis] In fact, you should put all of your refund, buy enough copies of your book to give them to your friends, to your family, to your pets.
[David Spark] That is advice absolutely nobody is going to follow.
[Andy Ellis] And it’s not actually in the book.
[David Spark] All right. Aman, are you hiring? Any last thoughts?
[Aman Sirohi] Last thoughts are we are looking for very capable security engineers. If you’re interested, reach out to me. And of course, People.ai, we’re a leading revenue platform, so check them out.
[David Spark] Sounds good, and we will have a link to, Aman, they can I’m assuming connect with you via LinkedIn, yes?
[Aman Sirohi] Yep, of course, any time.
[David Spark] And drop that you heard him on this show. It helps him, helps me, might get you a response from Aman. Not saying for sure, but it could very well do that. Hey, thank you so much. And thank you to our audience. We greatly appreciate your contributions and for listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our Virtual Meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.