Infosec Sales Practices - the Good the Bad and the Ridiculous

I think I am a polite and forthcoming person. Most of the time.
So when a sales representative of a reputable and well-known security vendor calls me, I will most of the time listen to what they are offering, although I really don't appreciate cold-calling. I will first see if I can somehow verify the identity of the caller before even continuing to talk to him or her. Since the person already managed to get my phone number, I will allow him to send me an email with his contact information. I will ask him not to call again, since this would be pointless. I'll tell him that I know the company and am aware of their products and that I will definitely contact them if and when I need an offering, a demo, a PoC or whatever. If the sales person is wise, he or she will leave it at that and not call again, unless I'm asking for it.

You know what I really hate? I hate it when I am forced to become unfriendly.
I had this guy who was calling me again and again and again. After the third call I told him very bluntly that it'd be just pointless to call me again, since I would only become upset. I memorized his number (it begins with +45, go figure) and ignored any subsequent calls, which actually did occur from time to time. However, last week when the phone rang and I was not paying attention, I accidentally picked up the phone, and again the same guy was asking if our projects were now finished so that we would have time to have a look at their product. I had told him the year before that we had all kinds of projects going on and that he should not bother us again until we contacted him. I asked him "Why do you call me? I have told you explicitly not to call again." You know what that guy did? He answered "Well, but that was not my question."

I must admit that this impertinent move took me off balance for a second, but then I replied "I think you heard me the first time" and hung up. This is an example of really, really bad sales practice, and the person is really doing a disservice to his company.

But I am a nice guy, so here is my advice to all the security vendors out there:

1.) Don't do cold calls! Infosec people especially hate cold calls. And they are illegal in Germany, too. If your company is well-known in the industry, the person you called will most probably already know it - at least if he or she is well informed.

2.) Don't engage sales droids. Infosec people hate sales droids.

3.) If you get a pre-sales meeting, don't bullshit the audience. You might fool the CEO if he is not a technical person, but Infosec people will either laugh at you or get angry and show you the door. I would show you the door. Everybody hates to be BSed. Be honest. And take an engineer with you who actually knows the stuff you are offering and who is able to answer detailed technical questions.

4.) Make yourself known in the community by contributing something really useful. Speak at conferences, but skip the marketing slides, or at least leave it at a very brief introduction and a list of your products or your field of expertise.

5.) Provide public access to detailed product information and full product documentation (handbooks, setting-up guides, operation-guides) without obligatory contact info registration.

6.) Do not - repeat - do not have the incredibly dumb idea to put me on a mailing list without previously asking for explicit permission. I don't click on opt-out links. Instead I just have your entire company blocked as spam. You as a security company should know better, and if not, you are incompetent and I won't buy your product.

7.) Offer on-site PoC (including hardware appliances if this is your product) and/or a web-based online demo/lab-environment where customers can test and play with your software.

8.) Make it easy for tech people to buy your product. If your license model is so complicated that the tech person will have all kinds of trouble tracking all of that stuff or even understanding the license in the first place, or if it is cumbersome to subsequently update licenses that have been bought on various dates, many tech people will just not buy your product, even if the product itself is good. I don't know how many working hours I have wasted on figuring out and explaining to our purchasing department how to buy, upgrade or update licenses, and I just try to avoid such products.


As a good example I would give a shout-out to Tenable and their Nessus Security Scanner. They have a fair and easy license model, they provide valuable technical information, they have a great podcast that not only covers their products but also infosec news and other topics, and they provide full documentation on their website.
Disclaimer: I am by no means affiliated with or related to Tenable Security, apart from using Nessus as a customer.
This is just one example. There are more, but not enough. I would rather say that it's getting worse instead of better, and whenever a small, agile and innovative company is bought by a big corporation, all of this goes down the drain.


© 2021 Created by Marcus J. Carey.