Every mid-sized or large company eventually must purchase a cybersecurity product, which means every company must reach out to a cybersecurity vendor. Vendors can help an organization achieve security goals and maintain compliance. Vendors can also provide valuable insight on the cybersecurity industry in general. However, selecting a product can be a daunting task, especially if there are a lot of choices and the options tend to be expensive. Dealing with salespeople can be a challenge if you dive in without a plan. Here are five tips for making those interactions with vendors as productive as possible.

Vendor Silent Storm Security can help achieve & maintain PCI compliance.
Vendor Silent Storm Security can help achieve & maintain PCI compliance.

1. Do your research.

Before you speak to a vendor, make sure you have a solid grasp of your organization’s needs. It is important to understand why you want a product before you start reaching out to vendors. What is the problem you are trying to solve? What do other similar organizations in your industry do when they encounter the same problem? Adopting your peers’ best practices is usually a safe strategy, but there are times when moving away from the pack is the smarter decision.

It is also important that you and the vendor are speaking the same language. Make sure you understand the terminology surrounding the products you are considering. For example, if you are looking for a new antivirus solution it might be helpful to know the difference between signature-based detection and heuristic detection. This will save time during your meetings with them. But more importantly, it communicates to the vendor that you can do your own research. This keeps them honest and encourages them to go an extra step in winning you over.

2. Clearly state your criteria for success.

Now that you’ve done your research, it is time to tell the vendor what your organization needs. Be upfront about what you want and—more specifically—what you don’t want. Vagueness on your part will confuse the vendor and create unwanted friction. They might start pitching anything and everything in hopes that something will capture your attention. Instead, present the vendor with a document explaining the key performance indicators you have for a product. This will keep them focused on the things you care about.

It is also helpful to propose a timeline. This will aid in organizing meetings, workshops, or proof-of-concept discussions. Establishing goals will provide some structure to your interactions. A timeline can also serve to provide some boundaries. A vendor will likely want you to purchase as soon as possible (especially if you are approaching the end of a fiscal quarter). A timeline lets the vendor know that you are going to move at the pace most comfortable for you. 

3. Keep in mind the vendor’s motives.

Never forget that the vendor is trying to sell you something. It is their responsibility to present their product and company in the best possible light and to focus on the positive. This is not to say that they are dishonest: most sales professionals acknowledge that deceit is a poor strategy in both the long-term and short-term. But do not expect a vendor to volunteer details that reflect poorly on the product. Conversely, do expect them to criticize their competitors.

The vendor’s need to sell can be put to your advantage. Make it clear that a request for information or for a workshop makes it easier to buy. If there are other members of your organization who contribute to purchasing decisions, let the vendor know that accommodating their needs can be a path to a deal. Providing the vendor a light at the end of the tunnel is a good way to motivate them to work with you.

4. Be polite to cold callers.

Picture this: It’s 9:00AM and you just stepped into the office from an early morning rainstorm. Half the staff has called in late, your next appointment is in fifteen minutes, you haven’t had your coffee yet, and you are expecting a call from the CEO. The phone rings. You answer to a total stranger asking you, “Do you have a minute to talk about your vulnerability management solution?” Most days you are as pleasant as can be, but this is a recipe for an out-of-character outburst. 

Aside from common decency, there are several good reasons to keep your cool in this situation. Namely, this cold caller may represent a product you will want to buy. It is going to be incredibly awkward for both of you if ever call them back and ask for a product demo. Even if you do not want this specific product, you may interact with them representing a different product later. The cybersecurity industry is incredibly fluid, with professionals frequently moving from one company to another. It is also a small world. There is a good chance that you will encounter this cold caller again in another context.

Also, there is a very good reason you are getting cold calls from these vendors: you gave them your number. Almost every conference you attended, research paper you downloaded, or “free” subscription you signed up for likely asked for your contact information in return, which you willingly volunteered. You did express an interest in these products, right? It is only reasonable to expect someone might reach out to you.

5. Ask for a reference.

The vendor will likely mention that their customers are highly satisfied with their product. Ask if they would be willing to put you in contact with one of them. Specifically, ask to speak with a client whose organization is of a similar size and type. Hearing testimonials from users in a similar context will give you a much better idea of the product’s viability. Furthermore, speaking to a peer removes a lot of the guesswork about the feasibility of deploying and using a security tool.

Additionally, speaking with a vendor-neutral analyst can be a valuable way to cut through some uncertainty. Ask the vendor if their product has been rated by any third-party cybersecurity researchers, then contact those researchers. Those analysts offer comparisons with other products. An analyst can also provide some “inside baseball” on where the vendor stands in the market and with the industry at large.

Author: Louis Papa
Silent Storm Security Contributor | Security Engineer​