
Building a False Sense of Trust vs. Trusted Advisor Status | Joshua Marpet

The way you build trust can take you in different directions:

Down a destructive path of ruined reputation or up a rewarding road of unlimited relationships and referrals.

What do you choose?

In this episode, I had a brutally honest conversation with Joshua Marpet, CEO of MJM Growth, about his challenges, goals, what vendors do that piss him off, and the alternatives.

Josh is an ex-cop, ex-fireman, ex-blacksmith, and ex-horse dentist (not a joke).

He has also worked for the Federal Reserve Bank of Philadelphia, has advised the largest companies in the world, and runs conferences through BSides Delaware along with his wife and business partners.

He is also on the board of BSides DC and previously served on the board of BSides Las Vegas and Hackers for Charity.

Guest at a Glance

💡 Name: Joshua Marpet

💡 What he does: Josh is the CEO and Co-Founder of MJM Growth, Executive Director at RM-ISAO, and a faculty member at IANS.

💡 Noteworthy: He is an ex-cop, ex-fireman, ex-blacksmith, and ex-horse dentist (not a joke). He has also worked for the Federal Reserve Bank of Philadelphia, has advised the largest companies in the world, and runs conferences through BSides Delaware along with his wife and business partners. He is also on the board of BSides DC and previously served on the board of BSides Las Vegas and Hackers for Charity.

💡 Where to find Joshua: LinkedIn or Twitter

Episode Insights

What Josh hates most about the industry:

The insularity/the echo chamber.

The use of scare tactics and fear, uncertainty, and doubt (FUD).

“I despise the fact that we don't listen to people. The echo chamber effect of security is not easy and compliance is similar. And the fact that we've tried to use scare tactics for so long. FUD is just, everybody's jaded to FUD, man. And we're done with that.”

Cardinal rules vendors, marketers, and sales are breaking these days with regard to the direct security audience:

One of the bigger problems with security and compliance is that these companies don't know how to sell or market themselves.

People fail to understand the needs of the people around them.

“I, too often, see product companies and services companies and systems and whatever selling, ‘look how shiny it is. It's a silver bullet. It's gonna solve all your problems.’”

Leading with shiny things is not going to get business, especially now. These days, CISOs are not coming up from keyboard warriors and technologists; they're coming across from management programs and down from the C-level.

“The CISOs of today are very wide-ranging in interest and in thoughts, but they're not normally going to run Nmap or Nessus or scan or dig down through Linux. They might. There are some that are fantastic and have that wide range of interests, but they're business-focused. And if they're not business-focused, they're not a CISO. And so the shiny and the scary don't sell anymore. Have a nice day.”

The outreach of then vs. now:

Back in the day, tech sales meant smile-and-dial cold calling. It still happens, but it has got to be better.

“There's gonna be a blood bath in the next few years. It's starting to happen. Every year, there's 1,800 to 2,200 new security companies, new product companies coming out. You get this new category that Gartner puts out because somebody paid them to be put in that category, but Gartner has to put somebody in the lower left of the Magic Quadrant. So they will find 15 other companies or whatever. And a lot of those are copycat companies. You've got so many companies doing similar things, there just can't be that many.”

Getting yourself above the sales crowd is critical given the rise of security companies year over year. Many companies are not actively working to get their marketing and sales tactics better.

“There are so many companies that don't train their people. That don't think about these things. That just don't do a good job.”

Robin Sage: The Fictional Porn Star Cyber Threat Analyst

Tom Ryan, a friend of Josh’s, is an absolute lunatic, according to Josh, and a salesman, by the way. Tom did something interesting. He created a Facebook profile using a picture of a porn actress and named her Robin Sage, after a training exercise of United States Army Special Forces.

So, it was a little showy, shall we say? Tom Ryan started friending all of these military people. He did that over, and over, and over again, and eventually, he got to the point where he was seeing and chatting with these military men and women.

He had generals friended on Facebook. He had privates friended on Facebook and he was able to pull movement orders and so much private information from these soldiers. Tom Ryan showed the world how social media is very dangerous for classified information.

The relevance here is:

You can build trust. Tom Ryan built trust with these military men and women and they trusted him (or her as was the case). The trust was abused because it was not actually that person.

So, if you’re at all thinking of creating an alias on LinkedIn or Twitter to engage buyers, rethink that tactic. Crumple it up into a ball. And throw it in the flaming pit of hell.

These kinds of interactions build false trust.

You will be called out for that tactic if you’re caught. And there goes your reputation. And your company’s reputation.

How to build trusted advisor status with security buyers:

You must embody all attributes of trust:

  • Be honest.
  • Do not lie.
  • Do not spin, scare, or be nasty or rude.
  • Put all of the cards on the table.

“We will protect you as best we are able, but I don't guarantee squat. Let's be clear. We're going to make good choices with you. And we're going to show you what can be done properly now to do that. You're the one making the decision, but I'm giving you the benefit of my knowledge, my experience, my gut, all the different options that you have and all the different choices that you can make. Here they are. When we do that as a consultant, even as a vendor, as an employee, we gain that trusted advisor status.

Even as a vendor I've been told, “Hey, look, you're not in the running for this, but can you give me some advice?” Sure. I don't mind because they know I'm not going to bother lying to them. It's not worth my time to lie to them. My reputation's on the line. If I don't have time or if it's inappropriate, I'll say “no, I can't, I’m sorry.””

If you can provide value, why wouldn't you? The only thing it's going to do is provide you more value in the long run because you get a better friend and eventually it'll get you more business.

So many companies are only in it for the short sale right now.

This is a long game.

Marketing is all about building knowledge and trust; sales is about capitalizing on that knowledge and trust; technology is about building the pieces that marketing and sales can use as the foundational elements with which they build knowledge and trust. If they all work together, it goes really well.

“There are marketing-led organizations, there are engineering-led organizations, and sales-led organizations. Sales-led organizations never prosper because they sell what's six months down the road. They never sell the current version. An engineering-led organization never succeeds because they're always like, “oh, let me finish this one little widget, this one little knob, this one little thing.”

The only one that profits is a marketing-led organization, because a marketing-led organization goes, “Hey customers, prospects, what do you want? Oh, you want this? Okay. Engineering build that. Sales, sell that.” And guess what? They do. And while they're doing that, do you know what you just did by talking to your prospects and customers? You gave them knowledge and trust - knowledge of the company and the product and trust. Hey, we're gonna build what you want.”

Two different types of cultures at security conferences:

Hackers and suits.

“They're both useful. Don't get me wrong. Hacker conference is where I go to learn. What's gonna scare me this year. And I go to see my friends and pretty much my family and I enjoy the hell outta myself at the hacker conferences because it's just so wonderful. It's a subculture. It's a wonderful, welcoming subculture.”

What is proper conference etiquette for engaging audiences in different conference cultures?

If you want to engage a buyer’s brain, put a demo up, show them why it’s interesting, and prove to them the benefit of the product. Show them something that they need that will solve a problem they have.

What Josh finds as good swag:

A nice pair of socks or something useful. Funny stickers, funny magnets.

“And then there's some things that are interesting as well. MITRE, which is a big part of our industry, put up at BSides DC a Minecraft server running off of a small single board computer. And they had the computers there. So people were playing Minecraft and they were loving it. Everything in that MITRE Minecraft world had been custom designed to say MITRE on it. That's a great way of marketing. Be ingenious. Be inventive.”
