Best Sales Practices in Cybersecurity, or OSINT to Help the Salesperson

Sales in cybersecurity have their own specifics: even the stages of a deal in this area differ from the classic sequence described in marketing literature. And it is also difficult for a salesperson in information security to do without using OSINT. Yes, collecting information about a target in open sources is useful not only in pentests and hacking.

If you don't expect the god of trade Hermes to fly in on his winged sandals and help you fulfill your annual plan by 110%, we suggest you familiarize yourself with the best practices in selling information security services, which our BDM Ivan Kurakin shared. We give him the floor.

Sales stages in cybersecurity

Probably everyone who is involved in commerce knows about the canonical five stages of sales. Here are the five “pillars”:

  • establishing contact with the client;

  • identification of needs;

  • presentation of a product or service;

  • working with objections;

  • conclusion of a deal.

Sometimes the list of steps is expanded by collecting feedback or additional sales.

In cybersecurity, the order of transactions looks a little different:

  • defining the target audience and searching for clients;

  • search for decision-making leaders (DMLs) and lead generation;

  • identifying client needs and forming a proposal;

  • establishing contact with the client;

  • call with the client and product presentation;

  • conducting a pilot (e.g. deploying a demo version of a product);

  • signing of the contract.

As you can see, our sequence also contains stages from the classical approach, but they also have many of their own industry-specific features. Now let's talk about everything in order.

Step 1. Finding clients

Which companies to “enter”? B2B sales in any field begin with the answer to this question, and cybersecurity is no exception. Here are a couple of life hacks that I use in my practice:

  1. Search open sources for information about cyber attacks on businesses. You can learn about attacks not only from the news, but also from some indirect signs. For example, special bots in Telegram, Discord and various messengers aggregate information about data leaks. If such incidents often occur in a company, it is possible that the business management has already realized the seriousness of the problem and is looking for information security solutions that will help protect the corporate network.

  2. Keep up to date with changes in legislation. Many information security companies monitor the requirements of regulatory authorities for organizations from different industries. This allows them to immediately offer potential clients the solutions they need to meet compliance requirements.

  3. Monitor the purchases of potential clients. Everything is simple here. You can study the electronic trading platforms of different companies and find announcements about purchasing various information security solutions.

Step 2. Finding decision makers and lead generation

Even if a business constantly loses money and data due to cyberattacks, that does not mean all of its managers understand the value of digital security. To ensure that your proposal does not end up in the closet or in spam, you need to contact interested decision-makers. First of all, these are CISOs, CIOs, and CTOs. Sometimes it makes sense to contact CEOs and COOs, who can redirect you to the relevant managers: for example, the head of the information security service, HRDs, CDTOs, and project office directors.

Search for decision makers in online sales

The best place to “hunt” for decision makers online is on professional platforms like LinkedIn and its less popular analogues (Professionals, Tenchat). You can also place ads in specialized groups in Telegram, although in our case this brought zero conversion. If any of the readers had a more successful experience of such a search for decision makers, tell us about it in the comments.

Let's get back to LinkedIn. The social network allows you to add about 200 people as friends per week and send messages of up to 200 characters to five unknown users. You need to friend your interlocutors, because this opens up their friends' contacts to you. Applications for sales managers and HRs can also help you find contact information (Lusha, Kaspr.io, ContactOut).

The LinkedIn premium account deserves special attention. You shouldn't put too much hope in this option: in fact, it only gives you a gold badge in the profile header and opens the Sales Navigator page. From this page, you can send messages to another 50 users per week. But the letters are not sent in the social network messenger, but to the emails of the account owners. This means that in most cases, such messages fly straight to spam. Of the 250 letters that I sent to potential clients during the pilot month of LinkedIn Premium, only one person responded. So this option seems like a “net for catching sea mud.” Again, if anyone has successful cases of communicating with clients using premium accounts, it would be interesting to read about it in the comments.

Search for decision makers in offline sales

Offline, salespeople operate in two main ways: writing official letters to different companies and participating in industry forums. Sometimes good old paper letters addressed to the CEO bring good conversion. Especially if the potential client is a state or budget company. Such organizations are obliged to give an official response to any request.

Now about participation in specialized events. First, you should take more business cards with you. When the decision-maker of the target company shares his card, and you have nothing to give him in return, it is an awkward situation.

Secondly, let's remember the classic's advice: “Study, study and study again!” It wouldn't hurt for a salesperson to read a textbook on business and diplomatic etiquette. Such literature describes the principles of holding such events and reveals the roles of the participants. It becomes clear what to expect from different interlocutors, how to behave during communication. After all, working with cold clients “in the field” is largely a presentation of your personal charm and professionalism, so there are no trifles in a salesperson's behavior.

Also, as a crash course, I would like to recommend a textbook on body language, for example, by Alan Pease. The book will teach a sales specialist to more subtly read the interlocutor's interest in the services offered.

Step 3. Forming a proposal

So, the “company-job title-full name-decision maker contacts” link has been built. It’s time to determine which information security product or service to offer to the client. To do this, you need to get a comprehensive idea of the target company. Several sources of information will help here. The first of them is the portal nalog.ru, where you can find out the turnover and approximate number of employees of the organization. This will allow you to assess the scale and solvency of the business.

The second valuable source of information is Headhunter. Open vacancies can help you understand what products or services the company might need. For example, if HR has posted 20 ads for DevSecOps, it would be logical to offer outstaffing to such a client.

The third field for collecting information is news on the company's website and in any open sources (for example, on the Forbes website). Affiliation with parent or subsidiary organizations is easy to check on Rusprofile. In short, at this stage, salespeople have the widest scope for OSINT.

Step 4. Establishing contact with the client

If you have an understanding of who exactly to contact and what proposal to make, it's time to contact the client. Personally, I start by entering the decision maker's email, WhatsApp, and TG accounts into a summary Excel spreadsheet. Then I send the letter to his email.

To make your task easier when writing letters, you can develop ready-made templates. In this case, you should follow several rules for correspondence with the client:

  1. In the letter header, indicate the specific purpose of the request, for example, “Pentest for Romashka LLC”.

  2. If there are several decision makers, indicate their emails in the address bar in the order of their positions – from the highest-ranking official and downwards. What can you do, that's business etiquette.

  3. Address recipients exclusively by name, and not as “Dear Colleagues.”

  4. Explain to the decision maker where you got his contacts (let's say you found them on LinkedIn or learned about them on a CISO forum). The ideal option is if the addressee's contacts were given to you by the company's CEO.

  5. Once you have drafted your pitch, check it for MECE (mutually exclusive, collectively exhaustive). This is a principle for grouping bullet points that McKinsey uses when writing slides in its reports. The gist of MECE is that bullet points should be “mutually exclusive” (i.e., no repeating the same ideas in different words) and “collectively exhaustive” (i.e., taken together, your bullet points should provide an exhaustive description of the problem).

Another useful tool for checking your draft is the Minto Pyramid. It's a way of structuring your text by first stating your main thesis, then your rationale, and finally your source. Here's an abstract example of the Minto Pyramid in action:

We offer to conduct cybersecurity training for employees, during which they will learn to recognize phishing attacks. Phishing is a serious threat to your business, since the company employs N thousand employees, each of whom has access to sensitive data.

The day after sending the letter, it is appropriate, instead of calling the decision maker until he agrees to make a deal, to unobtrusively remind him about yourself in messengers and clarify whether the decision maker has managed to get acquainted with the received presentations and whether he is ready to communicate more substantively. This way the letter will not get lost in the mail streams.

It is important to remember that a salesperson's account in a messenger is also the face of an information security service provider. A description of the salesperson's area of responsibility and experience will add attractiveness to the profile. You also need to check your account settings and make sure that strangers can write to you.

Step 5. Call the client

Finally, the long-awaited moment arrives: the decision maker agrees to a video call. The first thing to do is to check your watch with the client — and this is not a metaphor. Since the decision maker may be physically in a different time zone, specifying “Moscow time” will not be superfluous when agreeing on a meeting time. Otherwise, the salesperson risks experiencing perhaps the biggest epic fail of his career: losing a lead due to inattention and the time difference.

As for the conversation itself, relying solely on improvisation is risky. You need to define your goal in advance (for example, the decision maker's consent to the pilot) and keep it constantly in mind, and also draft a questionnaire for the client. It is useful to write down on paper a rough plan of the conversation: what to ask the interlocutor and what to tell him, and in what order. Of course, the conversation can always go in an unexpected direction, but having a cheat sheet in front of you will help you get your bearings in time and not lose the thread of the conversation. Another rule is to follow the prepared questionnaire and write down the input data from the client's words. This way, you will immediately have a rough understanding of the future commercial proposal.

If a specific information security product is being discussed at a meeting, the participation of a specialist in the field will be required, who will be able to answer complex technical questions.

Following the call, you should immediately write a checklist to record the agreements and not forget anything important. The next step is to send the questionnaire to the decision maker. Ideally, at least partially fill out this document for the client, asking him to indicate only the missing information. This way, you will free the decision maker from unnecessary efforts and demonstrate your customer focus.

It is difficult to give any universal advice on the remaining steps up to the completion of the transaction. This stage of work is usually regulated by the internal corporate regulations of each information security company.

Step 6. After-sales interaction

Working on the principle of “the main thing is the sale, and then the flood” is short-sighted. With the right approach, the provider of information security services can expand its presence in the client company. For example, you can offer the client a free information security audit. If the audit reveals, say, the need to install a DLP system, such a measure can be justified to the client on specific facts.

At the same time, it is worth asking the client to write a thank-you letter to post on the LinkedIn page. It is also desirable that the client recommends the information security company to his acquaintances in the professional community. The mechanics of such word of mouth were described in detail by Maxim Batyrev in the book “45 Tattoos of a Salesman”. To maintain contact with the client, you can inform him about new products and services, not every day but approximately once every 3 months.


Instead of a conclusion, I would like to cite two quotes that I always keep in mind while working. The first is from the book “Five Rings of the Samurai” by Miyamoto Musashi: “Strike at the weakest and most unprotected place.” The second is not entirely accurate, but close to the text – from the memoirs of Marshal Konstantin Rokossovsky: “One of the principles of a successful operation is the maximum concentration of forces and means in a limited area of contact.”

The key principle of cyber sales is a combination of these two wise thoughts. If you hit hard (with a truly targeted offer) in a weak spot (i.e., trying to solve the client's main problems), then the chances of a successful sale are significantly increased.
