I’m very popular with vendors. I get unsolicited mails or telephone calls from vendors who want to showcase their products. This is reasonable: I’m happy to spend ten minutes on the telephone to a vendor as it means that I keep abreast of some of the latest innovations and the poor vendors get to tick the box “told a new person about our product”.
Now that my Infosec 2013 badge has been spanked, I expect a few more in the coming weeks.
Sometimes it’s a link to a webinar. Sometimes it’s a request that I read a whitepaper. Sometimes it’s just rude.
Sending a document that purports to be a whitepaper but is actually a piece of advertising for a specific product is, I think, a little deceptive and doesn’t make me want to do business with the sender.
More rude that that is the email that says “we are in your area, can we meet on the 14th?”. Here is one I received a week ago.
How are you? I hope you don’t mind me contacting you directly. I’m looking to schedule a meeting with you within the week commencing 6th of May if that suits for a quick 15 minute visit. I’d like to discuss <OUR COMPANY> as an option for your office(s). Please let me know!
Thank you XXX.
In the meantime, please find a general overview of our services provided below for your information. <LINK TO URL>
All the best, <SALES MANAGER>
Of course I replied asking to meet. They called, determined I wasn’t going to use their product and hung up. I didn’t point out to them that the email didn’t even tell me what the product did, it just gave me a URL and they expected me to click on it. I can only assume that when sales people go to sales school, they are taught to ask for a meeting on a specific date. It’s quite amusing.
So, what should a sales person do? Most vendors approach the pitch with the perspective of “look how great our tech is. We are the best widget wiper in the business. Use our tooling and all your problems will go away”. This pitch is fine for an organisation that leads on technology and knows that it has a problem to solve, knows how to solve it and knows what type of solution is needed: in this case the organisation will also have the budget.
In other organisations where budgets are important a better approach is to understand the business drivers and then address those. For example, in an outsource environment projects and accounts are run against contracts where margin and revenue rule, not security features. Where security is not business critical and where it is not a strategic business driver (which is most organisations, much to the chagrin of many infosec workers) then the business need should be addressed, not just the security risks that are being addressed. In many cases the business leaders know perfectly well that they don’t live in a perfectly secure world: but they know enough to manage that imperfection.
To sell product in this environment, security vendors should present the business case for the product. What is the financial return on the investment? How much will it cost to buy, to build, to implement, to run? Often vendors will offer a free proof of concept, ignoring the organisation’s costs to run that project which includes a project manager, technical architect, security architect, designs, change control, hardware, data centre routing and other costs. Some useful answers might be that the product will reduce headcount, will bring in new additional revenue, will allow the same team to do more.
Simply showing that the tin is shiny and the tech is cool isn’t going to win executive approval and wastes everybody’s time.
I said that I am popular with vendors: I am, until they realise that I’m not going to buy anything.