What is the best way a new cybersecurity vendor can establish trust with you/your company?


VP of Information Security in Software, 11 - 50 employees
Love this question and thanks for asking.
I am fed up of sales people asking to connect on LinkedIn. It often starts something like "We move in the same circles", or "You popped up on my feed". I know they are using LinkedIn's marketing tools, particularly as they use my LinkedIn name and not just my first name. The very next thing they say is "my company does this, would it interest you".

I have so many emails, at least a few hundred a day. I cannot deal with them all or I would get no work done. These cold contacts are deleted or blocked without being read. I'm answering honestly here so you have an idea of the first hurdle, getting my attention.

This starts with a thoughtful approach. Research who I am and my current role(s). Look at the company and what they are doing. Think about what my pain points are and how your product addresses them. Consider that I will already have incumbent suppliers, particularly if a mature company. For example, we have phishing training, awareness, a learning management system, SIEM, SOC, SDLC with scanning of source code and container security. What can you bring that these existing suppliers can't match?

Then start building a relationship. A lot of successful introductions have been the results of networking. Having round-tables and discussion forums on the latest trends and real world impact. I expect at some point during these to have sales discussions. The events have to be paid for somewhere but everyone is getting value from them. Some have gone down the track of creating online events with a guest expert in an interesting field. Waldo the wingman, a wine or whisky tasting session, cocktail mixing. If you consider the cost of an in-person event, these can be quite economical. I do see the in-person events picking up again. These can work well if people can get time away from the office or are local.

The reason it's best to work on relationship building is also to understand the buying lifecycle.  Companies often buy within an annual budget but can also extend these to 2 or 3 years to obtain better terms.  By understanding where a prospect is in this cycle, you will know when best to engage further.

For new products, the puppy-dog-close is often a good way to get the product in. Allow it to demonstrate value and the client is less likely to want to take it out. This can be difficult for startups as it involves locked up costs for you during the trial period so make sure you manage this well. If you are seen as unable to support a trial or POC, a large organisation may be concerned over the supportability and viability of the company.

> Do your homework
> Build the relationship
> Time your selling.
CISO in Software, 201 - 500 employees

I broadly agree with Andrew. Let me stress what in the end might be the tipping point: do they understand where their solution fixes my problem and can they easily demonstrate it is fit for the purpose?

Even if they check all the other boxes, I might be hesitant about buying a solution if I smell the way it meets my needs is more of a side effect or a minority use-case. Bringing in a new vendor is a serious commitment which costs me much more than just the annual subscription fees, and I want to make relationships that stick.

Technology Compliance Director, Information Security in Travel and Hospitality, 51 - 200 employees
I don't fully trust any of my vendors.  Establishing trust comes after a clean demo and some time kicking the tires.  Trust takes time.  Trust comes when I confirm the vendor is not lying or taking advantage of my always pleasant disposition.

A new cybersecurity vendor should have a compelling argument that they have a good solution to a problem that I have.  If they have a solution to a fabricated problem I immediately discard them.

- I will apply a manure filter: If the marketing puffery is overloaded with adjectives, I will read it without the adjectives and see if it still says anything.
- If it's a SaaS vendor, I expect an ISO 27001 certification or you don’t touch my data.
- The implementation needs to allow flexibility, since I know that no one product or vendor can do it all for every business.

Trust comes when we each know that we will not lie to one another.  The manure filter is the biggest thing for building trust.  Vendors that compulsively tell white lies or exaggerate what we know to be possible cannot be trusted.   But I still might use their products, I just won’t trust them.  I’m OK with that.
Director of IT in Software, 201 - 500 employees
It takes time to establish trust; they need to present results before you can take their word for granted. A successfully delivered project or PoC goes a long way. Recommendation and vouching by a peer you know/respect can positively impact your trust/acceptance of them. This is especially true for new vendors with which you do not have any previous relationships. If you’ve worked with a vendor for a prolonged period … well you must have a certain level of trust already.
CISO, 201 - 500 employees
The biggest points that would gain trust for me in regards to new cybersecurity vendors are:

- Certifications from independent parties (i.e., ISO, SOC reports – specifically SOC type I and type II reports)
- An open willingness to support an audit clause in their contracts
- Respectful of countries' privacy laws (i.e., GDPR)
- Possibility to host in house data
- Performance of continuous vulnerability assessments at their workplace
- Strong change management policies to monitor changes in the organization's use of the cloud services
- Proper and mature policies in place (i.e., ISMS, Physical security)
- Data not collocated with other customers and if so, assurance on security and segregation


All of these points, including more soft points through conversations, such as cyber attack management and response times (transparency on issues), would make the service provider gain more trust with a new client. Trust comes with working together and the above step could be the first step towards it.
CISO in Software, 201 - 500 employees
I try to summarise the beginning of trust with a simple line: "I don't want the best product in the market, I want the product that's best for me". When a vendor goes on talking about how his/her/their product is the best in the market and how they are better than the others, they have usually lost me halfway through the meeting. At the other end of the scale, I have vendors asking me details of my company and product ("to find the right place for their product") that I am not sure I should be doling out at the first meeting either.
There is a mid-way, but that means the vendor is expected to do homework on my company, my product, my scale and demonstrate that he is invested in pain points that I might have. When I talk to invested vendors, it's a good beginning. Even if they don't manage to close a sale, I have them at the back of my mind and will reach out when the time is right, because I know they invested time and effort into understanding my company.
And that's the beginning of trust. How they build on it of course is largely determined by the product itself, its fitment, flexibility and support.
