How (and Why) CISOs Evaluate Vendors Before Taking Any First Meeting
When a CISO starts evaluating a new product, they start evaluating the people they’re going to work with and only then evaluate the vendor from a technological perspective.
Because at the end of the day they do business with people, not just with products.
Building brand awareness and trust is very important. Why would you give access to your financial accounts if there’s no trust?
Brutally honest insights from May Brooks, Deputy CISO and Founder and Chairwoman of the Board of Helena Cybersecurity Awareness.
In this episode, I had a conversation with May about her challenges, goals, what vendors do that piss her off, and the alternatives.
Before we dive in, don’t forget to subscribe to join 1700+ cybersecurity marketers and sales pros mastering customer research. You’ll get notified whenever a new episode and buyer insights summary drops.
Who is May Brooks-Kempler?
May Brooks-Kempler is a seasoned cybersecurity expert with over 20 years of experience in the field.
Her journey in technology began in the early 1990s, exploring IRC chat rooms for game hacks and cheats, which sparked her passion for the digital world.
May's professional career started in the Israel Defense Forces (IDF), where she served as a Cyber Security Intelligence Officer and Operations Intelligence Officer, eventually discharging as a lieutenant.
This military experience laid the foundation for her extensive career in cybersecurity.
After her military service, May held various roles in the private sector, including positions as a CISO, Head of GRC (Governance, Risk, and Compliance), and account manager for information security companies.
She founded Helena, a consulting firm specializing in enhancing security awareness, showcasing her shift towards focusing on the human factor in cybersecurity.
May’s expertise spans zero-to-hero training, covering awareness programs, academic courses, certification bootcamps, tabletop exercises, and red-team exercises.
May is deeply involved with (ISC)², serving as a Special Advisor for the UAE Chapter, a member of the Chapter Advisory Committee, and an authorized instructor for CISSP and HCISPP certifications.
She has also contributed as a co-author and technical editor for (ISC)² publications.
In addition to her professional roles, May is committed to community building and education in the cybersecurity field.
She founded and served as the President of the ISC2 Israel Chapter and continues to be active in various cybersecurity communities.
May is known for her ability to simplify complex cybersecurity concepts, making them accessible to a wide range of audiences.
She is a sought-after speaker, trainer, and mentor in the cybersecurity industry, recognized for her engaging presentation style that blends technical expertise with real-life experiences.
With her extensive experience, passion for education, and focus on the human aspect of cybersecurity, May Brooks-Kempler continues to be an influential figure in the global cybersecurity landscape.
Pro Tip for Connecting with May
Don’t just talk tech—talk business.
May appreciates genuine conversations about how cybersecurity can empower business outcomes.
Insights and Key Takeaways
Understanding the Business Before Building Cybersecurity Strategies
Insight: The most crucial aspect for cybersecurity professionals, especially in roles like Deputy CISO, is to align cybersecurity strategies with business goals.
May emphasizes that effective cybersecurity isn’t just about implementing advanced technical measures—it's about understanding the business itself.
She reflects on how her approach evolved over time, moving from a purely technical focus to a more business-driven perspective.
Cybersecurity should not operate in isolation. To truly add value, professionals need to evaluate the company’s overall goals, strategies, and risk tolerance before crafting cybersecurity measures.
By prioritizing business objectives, security leaders can ensure that protective measures don’t impede business growth.
This approach helps foster collaboration between security and other departments, ultimately reducing friction and increasing adoption of security initiatives.
“The most important thing is to understand the business. As a CISO, I start with business goals and strategy, then develop a cybersecurity strategy that aligns with that.”
Vendor Trust is Built on Relationships, Not Just Technology
Insight: May underscores that building trust with vendors is more about relationships than the technology itself.
Despite the abundance of innovative security solutions, the human element remains pivotal.
For May, evaluating a vendor starts with assessing the people behind the technology, rather than the technology alone.
The decision to partner with a vendor extends beyond features and specs—it's about establishing trust and understanding.
By focusing on relationship-building, vendors can foster deeper connections and better understand client needs.
This insight is especially valuable for sales and marketing teams, as it emphasizes that building rapport and trust can significantly influence the buying process.
“You do business with people, not just with products. If the people aren’t right, the technology won’t matter.”
Salespeople Should Be Security-Literate to Better Engage CISOs
Insight: Sales teams that have a technical understanding of cybersecurity are more likely to earn the trust and business of security leaders.
May finds it easier to trust and collaborate with salespeople who have technical knowledge and certifications.
It enables more meaningful conversations, helping vendors better align their solutions with the organization’s technical requirements.
For marketers and sales teams targeting CISOs, investing in security training can be a game-changer.
It shifts the narrative from a generic pitch to a tailored conversation where both parties speak the same language.
Sales professionals who demonstrate knowledge of security frameworks, challenges, and pain points can engage CISOs more effectively.
“Some of the salespeople I trust most are those who have taken cybersecurity courses themselves. They understand the professional side and can have technical conversations.”
Persistence Without Value is a Turn-Off
Insight: May explains how repetitive outreach without adding value is one of the biggest mistakes vendors make.
The constant barrage of emails and calls from vendors can be overwhelming for CISOs. Persistence without clear value signals a lack of respect for the buyer’s time and priorities.
This insight is vital for sales teams—there’s a fine line between persistence and pushiness. Instead of repetitive emails, focus on providing genuine insights, useful content, or educational material.
Tailoring outreach based on the CISO’s current priorities and challenges can open the door to more meaningful engagement.
“If you send me email after email without any new value, it’s probably the fastest way to ensure I won’t become a customer.”
Brand Awareness: Building Trust, Not Just Recognition
Insight: Creating brand awareness in the cybersecurity industry is about more than just getting noticed—it’s about building trust.
May discusses the importance of establishing trust alongside brand awareness. In sectors like FinTech, trust can be a significant barrier due to the sensitive nature of financial data.
Marketing teams should focus on trust-centric campaigns.
This could involve leveraging webinars, collaborating with known figures in the industry, or hosting community-driven events.
Building trust doesn’t have to be expensive—it can be as simple as hosting live discussions, answering questions transparently, or providing value-driven content.
“They knew that their biggest challenge was trust, not just awareness. They built trust by hosting live events where they answered customers' questions transparently.”
My Final Thoughts
Listening to May Brooks reminds me of a crucial reality in cybersecurity sales:
Business is still, fundamentally, about people.
As marketers and sellers, we often obsess over features, pitches, and metrics.
But the truth?
People buy from those they trust, not just from those who have the best tech.
May’s perspective reiterates that if you’re not leading with empathy, understanding, and a genuine willingness to listen, you’ll likely miss the mark.
So, to all the vendors out there—ditch the hard sell, bring the human back, and watch what happens.
Until next time,
Dani