63 CISO Buyer Insights Carefully Curated for Cybersecurity Marketers

Jul 11, 2022

I recorded 6 CISO interviews in a month and a half.

That’s nearly 5 hours of buyer insights.

Here are 63 buyer insights I carefully curated just for you.


  1. To enable the business and catch the bad guy early.

  2. The goal is not to secure all the things - it’s to do as much as they can in priority order of tackling what’s most at-risk in the business first.

What CISOs hate most:

  1. Ambulance chasing

  2. Being used as a stepping stone

  3. Overpromising and underdelivering

  4. Taking advantage of negative press

  5. False promises; it's better to have no security than to have a false sense of security.

  6. The mafioso type of behavior in the cybersecurity industry and the victimization of clients

  7. Landing on websites that have no idea what the hell they are talking about, even if they’re pretty

  8. Security vendors are fighting and kicking each other's ass over a market that's already being served - the enterprise; meanwhile, the underserved markets - small to mid-sized businesses - just sit there and flounder


  1. Balancing time to continuously learn

  2. Complexity is the worst enemy of security.

  3. Getting people to speak the same language

  4. We do not speak ‘human being’ as an industry.

  5. Vendors are adding to the complexity by telling practitioners to buy more tools.

  6. Adopting technology that one wouldn’t necessarily choose in the first place as a new CISO

When evaluating security solutions:

  1. First, identify the actual problem the team has and is trying to solve. Only then, evaluate if the team even needs a security tool in the first place.

  2. Play vendor bingo with a scorecard on a tradeshow floor to evaluate if the vendor message and offer are clear

  3. Keep a scorecard for continued research in their community.

  4. Turn on the bullshit detector and check for conversational red flags.

  5. Check to see if a vendor aligns with general philosophies.

  6. Talk to other CISOs in closed communities for last-minute information and recommendations

  7. Occasionally check with a Gartner analyst

  8. Very often, POCs are a bake-off between 2-3 finalists…and at that stage, that’s where the real, final decision gets made.

  9. One rule for new vendors is to be prepared to discuss list pricing on the first call.

  10. If they have to fill out a big spreadsheet of something, they are not buying you. Period.

On engaging cybersecurity buyers:

  1. If you focus on the mission, you will make the money.

  2. If you add them to a mass mailing list, you’ve lost marks.

  3. Relationship capital will always generate more financial capital.

  4. Being authentic, transparent, and speaking their language moves the needle.

  5. Bringing up something that is a weaker area in a CISO's offering is appreciated.

  6. What really matters is understanding what a person's motive is and where they come from.

  7. Email is not dead. It's just not the only channel that's primarily used. It's still heavily used, though.

  8. Blind calendar invites are the single quickest way to piss off a CISO and get yourself blacklisted - forever.

  9. The way an organization or vendor treats their employees impacts a CISO’s decision in the buyer’s journey.

  10. In cybersecurity, credibility indicates that someone can be trusted and that they're not going to waste a practitioner’s time.

  11. Marketing in the cybersecurity industry has the opportunity to evolve and improve if people take the time to build relationships.

  12. CISOs know you’re under a lot of pressure, but it isn’t an excuse to do things without clarity and knowledge of what you do.

  13. If you cannot back up what you did, cannot define terms of use, or relay antiquated ideas - that is a conversational red flag.

  14. Everyone has to put food on the table. It’s how the transaction is conducted that’s important. And honesty gets you a seat at the table.

  15. There are three things you need to build to get customers in this industry - trust, credibility, and likeability; if you can establish those three things, you’ll kick ass.

  16. Having honest, realistic conversations about what your audience's current state of affairs is and what they might need will get you a seat at the table.

  17. When you focus on the mission, even if you don't win right now on customer acquisition - you will absolutely win on the churn rate. People will not leave you. They will stay with you forever because they trust you.

  18. A CISO can tell when a marketer’s heart is in the right place; it is when a marketer actually inquires about the kind of problems they are trying to solve vs. pitching a solution to them and creating a problem for them that they weren’t even thinking about.

On messaging and content:

  1. Ungate your content.

  2. It’s game over if you’re using buzzwords in the industry.

  3. Your messaging needs to cater to multiple segments in your target account; you need to get double buy-in these days.

  4. Before you get 10 minutes of your buyer’s time, remove FUD, remove fluff, and clearly explain what you really do.

  5. The goal is to frictionlessly get buyers to information in trusted ways so they can make wise and educated decisions.

  6. There is no other industry that is allowed to give a 100% guarantee of something without first being able to scientifically prove that that's true.

  7. There is always an opportunity for your audience to learn and engage if you provide them with information with context and a point of view.

  8. Validate messaging with your buyers first. It’s harder to retract and change inaccurate messaging released to the market once it’s already out there.

  9. Time is the most valuable asset. Let your buyer decide when their time can be used for your resources and assets in the way you serve the information.

On differentiating from your competitors:

  1. It's super important to have a true, fundamental, realistic nature and notion about where you really are in the market.

  2. Learning about your competition will result in stronger messaging that will resonate with your audience.

  3. You’re not necessarily wanting to win over the CISO anyway.

On security as an industry:

  1. Security is people first. It’s not about the technology.

  2. Information security is not about information or security as much as it is about people.

  3. This is a service industry. We are not here to sell people a bunch of goods unless the goods are actually there to protect people.

  4. If people got rid of half the tools they have and actually learned how to use what they have responsibly, the industry would be in a much better spot.

Best insights I’ve heard from all my interviews:

  1. More marketers, salespeople, and vendors need to get better at listening.

  2. To understand which questions to ask your audience, seek counsel from friendlies.

  3. It doesn’t take much to get to know your audience. But you do need to invest some leg work researching them.
