[01:56] Mike explains the difference between CISOs at large companies and startups
[03:00] The do's and don'ts of building relationships with CISOs
[15:25] The value of freemium models and its impact on the future of security
[17:59] Tips for founders about pricing models and understanding the CISO’s budget
[25:12] Advice to early stage security founders building companies in today’s environment
We are excited to share our most recent Q&A for founders with Mike Hanley, one of the great early adopters of cybersecurity products. As a security researcher at Carnegie Mellon and CERT, Mike was on the leading edge of threat intelligence research prior to joining Duo Security as its CISO and Head of Duo Labs, an internal R&D organization that incubated new security products. After Duo’s rapid growth and acquisition by Cisco in 2018, Mike became CISO of Cisco and is now responsible for protecting the world’s largest networking and security company, navigating new challenges in an unprecedented time.
As a visionary adopter of new technology, we asked Mike to debunk conventional wisdom for startups and share advice on how founders can build trusting relationships with CISOs.
At Duo, we were building from scratch. We had “wet clay” to shape, which we needed to do to meet the changing needs of the business as we picked up speed. At Cisco, it’s different. We have a 35-year-old company that has a lot of history, as well as being in the middle of a significant transition from a hardware model to a software subscription model. There’s certainly a lot of change happening, and we’re giving a lot of thought not only to transforming the infrastructure we already have deployed, but also to creating new solutions to meet the security needs of our end users who are now fully remote and in a distributed environment.
The best way to build a relationship with a CISO is to understand the problems they’re facing and try to address our top priorities. Remember that CISOs are a busy bunch of folks who are managing a lot of really complex activities, like organizational transitions and rapidly changing business needs. When you approach them with a cold pitch, it can be difficult to get air time. But if you come to them with a pitch that’s specifically about the problems that CISOs are trying to solve, and you can make it clear how your solution helps solve those acute problems, that’s a much better conversation.
What you don’t want to say if you’re sending cold emails or LinkedIn messages is something like, “Mike, as the CISO of Cisco, do you care about cybersecurity?” Of course the answer is yes – and messages like that are hard to take seriously. I love when people actually start the relationship by saying they’d like to have a conversation and get my feedback, particularly for a topic that is relevant for me.
Of course, personal introductions through peers or colleagues are the most reliable ways to meet with a CISO to talk about problems you want to solve. It’s a good idea to ask for a personal introduction through either venture capitalists we know or a friend or colleague in our network of CISOs. That’s the most reliable way to get a meeting to talk through the problems you're thinking about solving or your solution ideas.
Don’t rule out cold emails though – they work if you get the subject line and preview text right, and that shows that the founder did their research. When a subject line is something like, “Compliance in a multi-cloud environment is really hard to report on,” I think to myself, “Actually, that is hard for me” and I want to keep reading. It shows that the person is talking about the same strategic priorities that I have and I’m curious to know how they can make this better for me.
At Cisco, I’m focused on how we can simplify and streamline the efficacy of the controls and systems we buy. If a vendor can consolidate five things that I’m currently paying separate subscriptions for, or can take tasks that three people do manually and put them into one automated tool, that’s super-valuable to me. Like many CISOs, I want to reduce the complexity of the portfolio that I need to manage.
Cost is always a tough decision to make, but don’t devalue your solution. If you’ve got a great solution, be proud of that, and come to the CISO with what you think that solution is worth. However, its worth needs to be informed by a perspective of other priorities that are competing for budget, time, and attention from my team.
If you can show me that, for the cost of one employee on my team, I can now free up time and transition five people on my team to work on another priority, that’s a great deal from my perspective. I’ll happily write that check every year so that I can put five people to work on interesting problems. For customers, the cost is important to us, but what other funds we might be able to free up by using your solution to redeploy our budgets and resources matter too.
Of course, the most effective way is to get a personal introduction from a peer I trust or a peer in the industry. It’s a remarkably small community. We do ask each other, “Hey, have you tried company X?” or “I’ve talked to company Y and they’re doing something really interesting – let me know if you want an introduction.” It’s critical to work through your investors and build those relationships with people who can give you candid advice on whether or not you fit in their space.
I’d also urge founders to avoid scare tactics, which don’t resonate well with me or a lot of other CISOs. Sure, ransomware is a threat and a risk. But if you bombard me with too much threat and fear, rather than how you can easily help me make the ransomware problem go away, we’re less likely to respond.
My one piece of advice: make sure you have a laser focus on customer centricity and experience. Security founders can do an outstanding job of putting locks on everything around them. That’s not the problem. The problem is having a deep understanding of the other tensions and challenges CISOs face in their job. If you can appreciate and understand the constraints in which I have to operate, and you can still get your product or solution to come up to the top, you’ve put in the time to know the world that I’m living in. Feedback is everywhere – you just have to listen.