How Much Should Salespeople Know About Their Product?

Defense in Depth

Vendors want to sell you the product they have. So why does their approach frequently feel more like “treating symptoms” than diagnosing the root causes?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is Jay Jay Davey, vp of cyber security operations, Planet. 

Aligning incentives

Vendor relationships often hinge on incentives, and those incentives prioritize sales over solving actual problems. “They aren't paid to solve your problem. They are paid to sell a product,” said Eric Silberman of Electrosoft. “Whether or not it fixes your problem is irrelevant to them.” But not everyone takes that approach. Jessica Weiland of IOActive emphasized the value of long-term trust over short-term deals, explaining that she’s turned away prospects when her solution wasn’t the right fit, opting instead to offer referrals. “To me, it's not about the initial sale, it's about being a meaningful contribution to the conversation and the fix.”

The realities of the job

The reality is that cybersecurity salespeople need to meet metrics that cause friction with buyers. “Too often, salespeople are being measured on high activities and booked meetings, which is not helping the industry,” said Anna Liv Christensen of Nordic Compliance Partner. She stressed the importance of buyers taking a more deliberate approach—preparing thoughtful questions, issuing proper RFIs, demanding ROI proof, and verifying how vendors will protect their data throughout the engagement. Michael Rack of TryHackMe pointed to the root of the problem in hiring practices, noting that “job adverts for cyber sales roles typically prioritize SaaS experience over cybersecurity expertise.” That, he said, “should tell you everything about how ‘disruptive’ vendors are disrupting.”

Delivering ROI

Our industry is starting to shift away from a fixation on new products toward making existing tools work better. “We see an emphasis on customers getting what they already have aligned and working properly,” said Murray Pearce of Bright Cyber. He noted that mature vendors are adapting, even walking away from deals that don’t align with a client’s best interest, recognizing that trust and integrity are what sustain long-term relationships, echoing Jessica Weiland's sentiment above. Cultural gaps still persist, especially in how companies approach engagement. Dean Fuller of Obtain IT observed that many organizations hesitate to invest in sending staff to conferences, viewing them as high-cost, low-ROI activities. That mindset often extends to vendors too, who send SDRs to staff booths while reserving executive presence for schmoozing, rather than genuine community building.

Holistic cybersecurity

Not every cybersecurity issue is what it seems on the surface. Eliza-May Austin of th4ts3cur1ty.company likens her team’s approach to that of a doctor looking for comorbidities—treating symptoms within the broader context of organizational health. While some firms might offer quick-fix solutions to obvious pain points, she emphasized the value of taking a more thoughtful and holistic view. “Many times people come to us with a cybersecurity headache,” she explained, “But what they actually have is a culture problem that can’t be solved with just another report—they need execution support and deeper change.”

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Listen to the full episode here.

Thanks to our sponsor, Backslash

Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

Super Cyber Fridays!
Join us NEXT Friday, May 9, 2025, for “Hacking the Validity of GenAI”

Joining David Spark, producer of CISO Series for this discussion will be:

  • Chris Strand, global security and compliance officer, Thoropass

  • Rob Gormisky, former InfoSec lead and founding engineer, Forage

Join us NEXT Friday, May 9, 2025, for “Hacking the Validity of GenAI: An hour of critical thinking about embracing these new tools while still meeting your compliance requirements”

It all begins at 1 PM ET/10 AM PT on Friday, May 9, 2025. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Thoropass

Security You Should Know
Containing Elevated Privileges with ThreatLocker

Managing privileged access across a sprawling IT environment remains one of cybersecurity’s toughest balancing acts. Admin privileges are often granted too broadly and retained for too long, opening dangerous pathways for lateral movement and ransomware.

In this episode, Rob Allen, chief product officer at ThreatLocker, introduces their Elevation Control tool — a solution designed to help security teams remove unnecessary privileges, apply just-in-time elevation for specific apps, and restrict lateral movement, even within elevated sessions. Joining him are Mike Woods, vp of cybersecurity at GE Vernova, and Steve Zalewski, co-host of Defense in Depth.

Listen to the full episode here.

Thanks to our sponsor, ThreatLocker

Subscribe to Security You Should Know Podcast

Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.

CISO Series Podcast LIVE in Boston, MA (05-15-25)

There’s nothing like New England in the spring. The CISO Series Podcast is heading to Beantown for another live recording!

Joining me on stage for the recording will be my co-host, Andy Ellis, partner, YL Ventures. Joining us is Sam Curry, Global VP, CISO at Zscaler. Here’s everything you need to know:

WHERE: Battery Wharf Hotel – Boston Waterfront (Harbourview Ballroom) – 3 Battery Wharf, Boston, MA 02109

WHEN: May 15, 2025. Doors open at 5:00 pm and we’ll be recording at 5:45 pm. Stick around after the recording for food, drink, and networking. Admission is free with the password “Wicked Smart.”

Huge thanks to our sponsor, Zscaler

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be DJ Schleen, Head of Security, Boats Group.

Thanks to our Cyber Security Headlines sponsor, ThreatLocker

Cyber chatter from around the web...
Jump in on these conversations

“I'm the journalist behind the recent story on SentinelOne getting cold shouldered by the industry and I'd like your help” (More here)

“Which industry is or has been your favorite to work in?” (More here)

“What is the least valuable thing that you've learned in your career?” (More here)

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • May 9, 2025: Hacking the Validity of GenAI

 Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.