

For today’s Buyer’s Seat, we’re going to have a CISO persona-based conversation: a deep dive into a specific decision-maker role, namely the CISO, the Chief Information Security Officer. To help us think through that, we are pleased to chat with Paul Johnson. Paul is one of your technology buyers.

Paul’s spent his entire career in the security space, including 20 years with the US Secret Service, which includes cyber-crime, as well as six years in the presidential protection division right there at the White House. Most recently, Paul was the first-ever Chief of Global Security and Chief Information Security Officer of Papa John’s International.


Here are four key takeaways from the conversation regarding the CISO persona:

1. The CISO position is at a bit of an inflection point, and even large organizations haven’t necessarily tackled it just yet. A lot of organizations are still taking a segmented approach to security, and they’re trying very hard to converge it and pull it together, because the physical and the cyber are basically two sides of the same coin. Paul spoke about the Internet of Things, which really forces the issue of what’s cyber and what’s physical.

2. As a result, there are a number of people in positions like Paul’s. Some are going to come up through technology, others will come from the intelligence community, and what they have in common is that they’re trying to take a programmatic approach, very much a root cause analysis, to things. But you’re really going to have to understand who it is that you’re sitting across from, because they’re all going to have different backgrounds and think about things a little bit differently.

3. Paul shared that, for him, it’s irritating when sellers haven’t done their homework: they don’t really understand his environment or his personal needs, and they aren’t aware of what is going on and what might be relevant to him. That shows up as presenting lots of boilerplate information, generic solutions, or case studies that might be from other industries. The problem is, if you get to that level and waste your shot with something that doesn’t hit the mark, then you might not get a second chance.

4. He also shared that when a seller comes to him, he will often reach out to his network. CISOs are an exclusive group, and like many of them, he uses those connections to determine and validate what sellers are saying. He even uses those connections to determine who he should or shouldn’t talk to.


CISO Persona Panel Discussion Highlights


Do you find that it’s still pretty common for some larger organizations to still be a bit segmented and trying to pull together that programmatic approach?


I do, and it’s interesting. Convergence is a word that’s out there right now, but that is where we have to go. You have to bring it all together under one roof, to a certain degree. And that’s been an interesting struggle with CISOs, and with the physical security folks. Sometimes you have real strong techs, and then you have real strong physical security, and organizations are so scared and focused on a cybersecurity incident happening that… and really what happens, you have real strong technical IT folks that aren’t as good on the physical, and vice-versa. So it’s kind of an interesting time right now.


And how does a CISO get evaluated? If you’re putting programs with KPIs in place, what would be the things that catch your attention?


There are those keywords out there that you have to be able to prove, like driving efficiencies, and improving processes, while achieving the highest level of safety and security for the company. 

That sounds good on the resume, it sounds good on what companies want to hear, but you got to be able to show it, too. And when it comes to KPIs, I’m thinking about the budget constantly. That budget is on my mind every step of the way. So when a technology company comes in, either I’ve invited you in or you’ve landed a time slot with me, my time is very important. I’m giving you an hour or 30 minutes, now you’ve got to be able to show that you’re bringing me something that I want to listen to, that I’m going to be intrigued with, and possibly move it on my list of things to consider.

I will say this: it’s so important that companies understand and recognize these events that are going on. A good company, a good tech company will not only understand my environment, which is critical, and I can talk about that, but it’s really important that they are situationally aware of what is going on. What is the root cause of these events?

And it’s so important that you understand, before you have that meeting with me, get to know me. And by that I mean, you need to know my company. You need to know who I am. LinkedIn is a great resource, so is Google. You should, as a seller, really be aware of the situation that you’re walking into. And by that, I mean it’s really critical that you know, has Papa John’s or Paul Johnson Incorporated, or whoever you’re going after, have they had any newsworthy items to have breaches? Have they had incidents? What drives them?

And we can talk a lot about that, because it’s really important that sellers understand the environment that they’re walking into.


I think that can be challenging, because not all information is readily available, and sometimes it’s tempting to say, “Well, I’ve got the meeting, I’ll go in there, and I’ll find out when I’m there some of that important information.” And what I hear you saying is that’s too late.


Boy, is that the truth. I’ll tell you, one thing that used to irritate me is when a seller comes in and says, “Well, Paul, what keeps you up at night?”

Chances are, I’m not going to really tell you what keeps me up at night. That is information that I’m not going to reveal unless you’re trusted, or I’m bringing you into a situation where I have a solution. You should have done really good due diligence. Look at this company you’re after.

The first thing you shouldn’t do is come in and go, “Paul, let me tell you what we’re doing for an insurance company down the road. Let me tell you what we’re doing for this great oil and gas company in Texas.” And I would look at folks and go, “I’m a pizza company. I sell pizzas, hot and fresh, delivered in under 30 minutes, all over the globe. You’re not going to win me over by telling me what you’re doing for an oil and gas company down the road. It’s really important that you understand the environment that I have.”

For more of my conversation with Paul on the CISO persona, you can listen to the full episode here on-demand. You can also listen or read more regarding the CISO persona in our other podcast, Insights into the CISO Buyer Persona. And if you’re looking for more insights on navigating buyer personas at your target accounts, you can connect with one of the thousands of advisors in our network from Fortune 1000 firms. Contact us here to see what an Emissary can do for your business.