Here you go again.
Your manager gives you a new list of accounts. And it’s time to start cold calling.
But you’re put off when you see the job title Chief Information Security Officer (CISO)...
Where do you begin?
You’ve got no idea what a CISO does or even cares about!
This is a scary situation. But this doesn’t mean you’re resigned to an unfortunate fate…
You’ve got the power to pick up the phone, and successfully book a meeting.
You just need a tailored script, one that has been personalised to the focuses and struggles of CISOs today.
And you’re in even more luck, because we’ve done all the heavy lifting for you!
We’ve featured a range of insights - including our Enterprise SDR Josh Pritchard 💥
Scroll to find out more 👇
The role of a CISO
A CISO manages all of the company’s information security. For example, it could be an emphasis on cybersecurity, or protecting the data of employees.
Why are CISOs an important persona?
CISOs are going to inform company decisions from a security perspective.
So if you’re selling a piece of tech or software that isn’t compliant or deemed secure enough, CISOs will immediately see that as a red flag.
Therefore, it’s important to consider prospecting into this persona - they’re going to be a key decision-maker that you’ll need to get buy-in from, later down the line.
It’s up to you to understand the focuses and priorities of CISOs, to ensure your outreach has the desired impact.
And yes - this starts from that very first cold call.
What do CISOs care about right now?
Unless you truly understand what a CISO cares about, you’re not going to see much success when cold calling them.
Matt Little, Managing Director at Feeston House, said:
“Create a cold calling script that emphasises value. Demonstrate how your product or service can address security issues or simplify processes. Avoid one-size-fits-all pitches, and engage us in personalised, solution-oriented conversations.”
With that in mind, let’s dive into the core challenge or priority facing CISOs right now ⬇️
According to a report by Evanta, cloud security, strategy and architecture is a core focus for CISOs.
In fact, they found that 69% of CISOs that they interviewed are interested in this from an execution point of view.
So, what does this mean for you, as a seller?
If you’re selling a cloud solution, always think about it from the security perspective. Is the solution that you’re selling going to create a security hazard for the business?
Ultimately, this is always going to be the mindset of a CISO.
Ran Friedman, Business Development Team Lead at Mend, made an appearance on Jason Bay’s Outbound Squad podcast.
He’s had extensive experience of prospecting in this space.
He said:
“CISOs are always thinking about the detection of issues. And they’re focusing on making sure that they don’t become critical or hard to solve, or even alleviate. In other words, their belief is that issues should never become issues.”
Ran also provided an insight into some of the other typical goals for CISOs:
“Adoption is important. CISOs are looking for tools that people will adopt and use. And ones that’ll also be in the stack for a long time.”
“They’re also prioritising visibility. It can be hard to communicate security posture to non-security stakeholders. So being able to visualise it for the business, via a dashboard, for example, is important too.”
(In case you’re interested, check out the full podcast episode here.)
On that last point regarding visibility, the data certainly supports that it’s a core focus.
From the same Evanta report, 65% of CISOs said that being able to measure and communicate risk for the business was a leadership priority.
Best time and length for a CISO cold call
Matt provided some insight into this:
“When communicating with CISOs, morning or early afternoon hours are typically less congested. This means they can devote more time to your call.”
Delfina Vallve Sanmartin, Cognism’s Head of Security & Compliance, said:
“Preferably, it needs to be short and very to the point. Within five minutes I should have an idea of who is calling me, where they’re calling from, why they’re calling me, and what they’re offering.”
The CISO cold calling script
Now that we’ve covered the details, let’s get into the script, starting with the…
Opener
Josh said it’s important to keep it simple:
“Don’t overcomplicate things. Stick with one you’ve found to work well. And for me, I typically go down the permission-based route.”
Hey [insert name here], Joshua here from Cognism. Appreciate we haven’t spoken before, but can I take a quick moment to explain why I’m calling?
Body
Josh tries to leverage information from a referral when entering into the pitch stage of a cold call:
“If I’m talking to someone in the c-suite level (director and above), I try to make sure I’ve got the relevant information first. Now, this might differ depending on who you’re prospecting to. But I typically look for three things: tech stack, pain, and referral.”
Josh uses this phrase:
I’ve been doing a lot of research, and I’ve been speaking to some of your colleagues. They raised concerns about xyz problem, and mentioned I should speak to you.
The first thing I wanted to ask you, were you aware of this problem? Or is this the first time you’re hearing this feedback?
“Depending on their response, adjust your line of questions before getting to the pitch. Really try to unravel as much information as you can.”
Josh offered a couple of pieces of advice during the discovery section of a cold call:
“Firstly, your tonality is crucial. If you don’t sound confident in what you’re selling, you don’t sound credible. It’s not what you say - it’s how you say it.”
“Secondly, don’t just feature dump the product you’re selling. Make sure you’re listening, and asking the right questions.”
Close
Josh said:
“Keep it simple. Quickly summarise the points the prospect has mentioned, just so they know they’ve been heard. And it also gives you a chance to ensure you haven’t missed anything from the conversation.”
Then say:
If I told you that we could solve xyz problem, is there any reason why you’d be totally against setting aside some time to solve these problems?
OR
Is there any reason why you’d be opposed to setting some time aside to talk about how we could solve this problem?
Josh has found that these phrases create urgency without appearing too pushy.
Objection handling
“Please reach back out in six months.”
Josh has said that whilst this isn’t a common objection, it is an important one to be aware of.
“This objection is almost like a brush-off. In those cases, find out what’s happening in the next 6 months, just so you can be informed. You also get insight into what’s going on in the business. For instance, it could be restructuring or layoffs.”
“They might even say that they’re expanding into another region, like North America.”
In that case, ask questions like:
- Have you got a SaaS GTM strategy in motion for NAM?
- What are your plans, specifically?
Then, this information can be leveraged when you reach back out again later down the line. And you can say:
Hey, I know when we spoke six months ago you said you were expanding into NAM. How’s that going? Are you looking for an xyz solution?
Closing thoughts
It’s fair to say that selling into the CISO persona is far from an easy task. With that being said, take the initiative.
In a LinkedIn newsletter article, Kevin Morrison, CISO at Driven Brands, recommends that sellers should do the following:
“Participate in local security chapter meetings. For example, the CISO Executive Network.”
(You can read more insights from the article here.)
The bottom line?
Be proactive. Don’t try and guess what CISOs are going to care about. Go the extra mile, and make an active effort, in order to be intentional in outreach.
Ran shared this view too:
“Acknowledge that CISOs are not going to be a typical persona to sell into. What you’re selling could be a drop in the ocean.”
Level up your cold calling game
Looking to refine your approach towards cold calling?
Check out our knowledge hub SDR Zone below and access resources that’ll help you take your outbound skills to the next level 💥
