Why Is There a Salesperson at my Security Conference!? SANS Charleston Edition

Jon Sanders

Published on 23 August 2018

Salespeople aren’t generally active participants at security conferences and it really shows in how some companies try to sell their products. Without understanding the pain points and inner workings of those doing security on a day-to-day basis, it makes it really hard to understand how a product can fit in. However, I had the opportunity to do just that for Elevate Security in Charleston at the SANS Security Awareness Summit on August 8-9, which hosted 350 attendees from across the world. It was two days of engaging speeches, breakout sessions, workshops, and a fun night out at a baseball game (or museum for our co-founder Masha, who was also in attendance).

Being my first time at a security awareness summit, I wasn’t quite sure what to expect…but I wanted to be as much of a sponge as possible. I thought I’d share some of my takeaways from the sales perspective, as well as touch on why it’s so important for salespeople to learn the pain points of the community they’re looking to sell into.

Every organization experiences different security challenges, and that diversity was on full display during our time there, with everyone sharing the different ways in which they handle security based on varying company cultures, geographies, employee sizes, business units, languages, and budgets. Most salespeople fail to realize these subtle differences, but they make a vast impact on how a security product may be utilized (if at all). Companies with a largely remote staff don’t collaborate the same as those mostly in-house, traditional organizations don’t function the same way that more decentralized ones do, and many just don’t have the same size budgets as their larger enterprise counterparts. These are all pieces that not only affect the day-to-day of security awareness teams, but absolutely affect what projects they’d take on, and in turn, the products that would be a fit for their situations.

Some of my favorite talks touched on shifting employee mindsets about security through behavioral science (shameless plug), building security ambassador programs, involving employees in security awareness campaigns, finding creative ways to engage (such as with mascots), and even using things as simple as donuts to drive a 30-second security conversation. With all these talks came the perspective of why these initiatives worked at their respective companies, each molding their approach to the employees and organization that they’re working to educate — much as how sales should work to understand where and how a security product would be relevant to potential buyers.

One of the big topics at the SANS summit in Charleston was that measuring success not only helps to prove out the ROI of projects but also helps to spread the influence of awareness programs and grows the practitioner’s own internal brand, which is something that salespeople should understand fully (although few do). Some sessions went into depth on measuring the variables of not just training completion, but event attendance, phishing campaigns, user-generated incidents, reporting rates, and security ambassador programs (to name a few). Everyone has their own metrics they’re judged on and those need to be understood to be able to recommend a solution that will be useful to their security efforts. At the end of the day, sales is about equipping organizations to do their jobs better and driving success for everyone involved — the hard part is understanding what that may look like and helping the buyer to best build the project to get to that success.

The thing I also realized and found to be pretty interesting, as I’ve spent my whole career in sales, was that security awareness involves A LOT of selling. At the end of the day, security awareness requires selling to every member of the organization, not just to executives for budget on critical projects, but to every employee on doing their part to keep the company secure. How that gets done can happen in a number of ways, but much as any salesperson should understand the inner workings of an organization before making a recommendation, security practitioners have to understand what will fit best for their company — there’s no cookie-cutter approach in security awareness or sales!

It was great being able to attend the conference in Charleston not just to learn more about security awareness, but to have the opportunity to be a part of the community. This was absolutely the warmest reception I’ve ever received at a conference after introducing myself as the ‘sales guy’ (as that generally elicits glazed-over eyes and a desire to run to the door). Hopefully as the space matures a bit more, salespeople will continue to shift their approach to understand what is really important to their buyers and what their biggest pain points really are. I hope to make it out to many more of these conferences in the future and am excited for what they’ll have in store next time!