VIDEO Sales + Security = Revenue: Leveraging cybersecurity to build trust in the sales cycle Zach Fuller, partner and head of Business Operations & Strategy at Silent Sector, joined Dan DeCloss to talk sales. Wait … what? Although security professionals may prefer to steer clear of the sales team, they can be an important part of the equation in increasing sales and retention and, ultimately, revenue for their organizations. Listen in to hear how communicating your proactive approach to cybersecurity in the sales cycle is critical to building trust. Series: Friends Friday (A PlexTrac Series), On-Demand Webinars & Highlights Category: Thought Leadership BACK TO VIDEOS Transcript Hey, everybody. Happy Friday. Welcome to our latest edition of Friends Friday. Super excited to be with you. Thanks for taking some time out of your day. Hope you’re finishing up your Friday strong and getting ready for a fun weekend. I’m Dan DeCloss, founder CTO of PlexTrac. We’re super excited to be joined by Zach Fuller with Silent Sector. Zach, I’ve known you for many years. It’s been great collaborating with you off and on and excited to have you on the show. So we’re going to be talking about a fun topic around how sales and security actually equal revenue and some of those core concepts around business growth and how security actually helps there. I’m excited to talk about it because we’ve collaborated on this, but for the benefit of our audience, why don’t you just give a brief introduction to yourself and what you’re doing? Yeah. Happy to. Thanks, Dan. It’s great to be here again. My name is Zach Fuller. I’m a founding partner of a company called Silent Sector. We’re a cybersecurity professional services firm and have clients across the country. We do a lot with software companies and then healthcare and financial services, defense contractors — they tend to be heavily compliance-regulated — and B2B organizations. So that’s kind of the lens that I see things through. And we do cyber security program development and pen testing and risk assessments and such. But, yeah, live here in Boise, Idaho, which is absolutely beautiful and I love it. And I’m a Christian, a husband, a father, a wannabe athlete, I guess I would say, in a few disciplines. So, yeah, lots of hobbies and fun stuff, but I love this topic. So looking forward to diving in. Yeah, I know. Thanks a bunch. And, yeah. So, no, and thanks for the background. Thanks for the intro. Super excited to have you on. Yeah, no, as we were collaborating, we were talking about how people that have maybe not necessarily been as exposed to the business side if they’ve been in the security side, you know, may not always get exposed to the business side. And then also people who are building businesses may not realize how much security plays a factor in them winning more business. Right. And so we thought this would be a great topic. And so I’d love to kind of get your perspective on, you know, what are we talking about? What does that mean? Right. You know, kind of give some examples. I obviously got some from building PlexTrac. You’ve got some from building Silent Sector. So what do you mean when we say, hey, how can security actually help sales? Because, like, a lot of times it feels like they’re at odds, right? It does. I feel like since I’ve, since we started Silent Sector back in 2016, I feel like there’s, you always hear about the cybersecurity professionals just don’t like salespeople, and salespeople are always upset at the cybersecurity team for hindering their efforts and bottlenecking the sales process. And yeah, it’s kind of interesting. So when I got into the cybersecurity industry, I thought cybersecurity was about risk management and protecting organizations. And it turns out that’s only partially true. I mean, that’s the fundamental right we have to protect organizations from cyber criminals. And I thought, again, maybe just a misguided mindset, but I thought that, hey, well, everybody knows they need to protect their technologies and their organizations, and so they’re going to be wanting to do cybersecurity in the most effective possible way to protect themselves. Right. Seeing everything that’s going on in the news and whatnot — turns out that’s not the case. It turns out that over the years, what we found is more and more organizations have actually come to us because cybersecurity is actually a business enabler for them. It’s actually a revenue generation tool, is much or more, and I know some people will cringe, but, or more than it is about risk management and protecting the organization. So that’s kind of the, I’ve had this shift in perspective. While, yes, the fundamentals are always about protecting the organization, there’s so much more to it that I think most people miss. And so I’m just seeing companies win millions and millions of dollars in new revenue because they’ve built certain security capabilities and aligned with the requirements of their customers. And it’s just been a really awesome journey to see that. It’s fun for us, too, because in our business and the professional services world, we get to see the growth and success of the organization. So a lot of times in cybersecurity, when nothing happens, that’s good, right? And you don’t hear anything and you just go about your business. That’s good. But it’s also really awesome to be able to see companies grow and succeed and get acquired and, you know, just create abundance for the people working with them. So that’s, that’s been a interesting journey. Well, yeah, you know, and I think, I think what, what we experienced as PlexTrac and also, you know, I think what you’re, what you’re also saying is like, and you’ve got a background in private equity too. You know, we’re venture-backed. But like, companies want to do business with companies that if you’re going to be managing any kind of data or sensitive information, companies want to be doing business and be able to trust that those third parties are managing that data correctly and operating in a secure fashion. They’ve put out either, hey, you either have to be soc two compliant or you have to be compliant with the government. We’ve got CMMc now or what used to be, what, NIst 181 or something like that. There’s always some requirements around third parties having security, you know, requirements, you know, tied to them. And so, so, I mean, I think that’s, that’s what we noticed is like, hey, by becoming more compliant and becoming more secure, it actually helped us win deals. Right. And I’m sure, I mean, I’m sure you’ve experienced the same, right? Yeah, absolutely. So there’s, there the, the reality of the situation is that large enterprises have had to become more and more diligent about the vendors that they bring on board. We’ve seen countless numbers of breaches that resulted in a vendor getting breached, pivoting into a large enterprise and compromising that enterprise in a big way. And of course, the cyber criminals go after whoever can write the biggest checks in, well, in cryptocurrency terms. Right. So, so they’re going to, they’re going to go after larger organizations and, well, and small ones for that matter. But whenever they can pivot to that target, they’ll, they’ll do that. So that, that comes through vendors a lot of times. So they’re requiring these things. SoC two audits become very much a standard to do business with large enterprise if you are some sort of a technology solution, a platform or software. So those organizations, it’s basically become standard that, hey, we’re going to get a soc two audited. In that realm, the one that really holds weight is the SoC two, type two. Over a twelve month audit period, some people will start with a shorter audit or a type one, which is a point in time audit versus auditing on ongoing basis. So that’s the type that SoC two. Type two is, has become the standard. When you get into it, though, it’s really nothing. It’s still a requirement, but it doesn’t tell you all that much about the actual security level of an organization. It’s really auditing. Are you doing what you said you would do and what you believe is acceptable to the organization? So there’s that, there’s ISO 27,001. Another good stamp of approval, especially for organizations doing business worldwide. It’s very, very accepted outside the US where SoC two is more us focused. And then you have some of the standards you mentioned CMMC, Fedramp is kind of the gold standard. That’s, if you have Fedramp, you are on the ball. If you are, again, a software technology provider, then you can play in the federal marketplace and get those government contracts. So, yeah, those are all definitely good things to have. Yeah. Well, I think it begs the question that, like, not only should security teams be aware of the notion that, hey, this, you know, by doing our diligence and becoming compliant, you know, it helps us win more deals. Right. And continues. I mean, aside from like, you know, being safer as an organization, it helps us win more deals, helps us grow our business. I think sales teams and like an executive boards, you know, need to recognize that as well. Like you, all too often you’re either in the midst of getting a deal done in terms of like, hey, you know, we’re winning new business, and then all of a sudden you get that dreaded security questionnaire or the, you know, the, hey, just show us your sock to paperwork. Or, you know, you know, and then all of a sudden, you know, if you don’t have it, you’re like, uh oh, right. It opens up a whole nother can of worms. Right. But then also if you are, and I think you and I both have seen this or heard, you know, heard stories wherever in the middle of like M and a activities, right, where a company may be acquiring someone and because there’s been so much scrutiny over acquisitions, because that’s how some of the more large breaches have occurred, you could actually get the denied to be acquired or significantly decreased the valuation of the company simply based on the security posture. Oh, absolutely. Because the acquiring organization, if they, if they’re smart about it and they come in and they do a risk assessment and they see, wow, it’s going to cost us x number a million. Or if you’re smaller organization, maybe it’s half a million or something like that, to get compliant with these standards, that’s a bargaining chip for them. And that if you’re, if your leadership within that company that’s being acquired, you don’t, you don’t want to give them that. You want to, you want to maximize, you know, what you can get out of all your hard work. And so, so that’s, that’s a big, a big piece to have. In fact, a quick story. And one of the things that opened my eyes to this world was we had a client come to us that was a growing technology implementer. They implemented a big name enterprise grade platform for a whole variety of companies, had a lot of mid market organizations, and they were working to get into the large enterprise. And they had a Fortune 500 company, if I remember right. It might have been, I think it might have been General Motors or somebody. They were looking to do big, big organization they were looking to do business with, and they had this million dollar per year revenue contract on the line, and they had to have certain security requirements in place, otherwise they would lose the deal. And they only had a few weeks to get there, at least cover the fundamentals. And so what ended up happening is we’re able to get that organization and get some foundational components in place or hard set requirements of the large enterprise and give them a good, very well articulated plan of action and milestones to cover down on the rest of the requirements and such over time. But that was enough for them to win that deal. So rather than, rather than losing it, we’re able to negotiate. And so that the listeners out there, if you don’t have all these things in place, you’re not aligned to NIST or Cis or ISO, or you don’t have a Soc, two, that’s okay, still go after the enterprise business. Don’t let that stop you. But just know that once you’re talking to them, these things are negotiable. Right. The cybersecurity team, and there is large enterprise, is tasked with the decision making process around, well, can we use this organization to accomplish whatever task or solve whatever problem? And you can talk with them and explain the scenario, explain what’s being handled, and kind of negotiate your way through. And as long as you have a very good plan in place, we’ve seen that be enough to get those deals across the finish line. And usually, hopefully, those organizations are proactive enough. They follow up with you and make sure that you’re following that. Some will, some won’t, but that’s one of those things where for this particular organization, they won that contract and there’s a game changer for them, because once they winden one large enterprise like that, then they start winning others, and it’s easier to do business with more and more Fortune 500s or even Fortune 50 companies. And it was great to see. It was kind of bittersweet because eventually they got a lot of notoriety in their industry. They became one of the top in what they did and got acquired by a big multinational tech conglomerate sold out and it was a big success story for them. And in fact, the CEO of and founder of that company is going and doing it again in a slightly different space, similar business model, but non competitive, but really cool. So they’re going to go through all that again. And now they know, hey, if we have our ducks in a row, we’re going to be able to win those large contracts rather than having that sales process bottlenecked. Yeah. It might help avoid some of the stress that might have been happening in the midst of that deal, I’m sure. So, yeah. And, you know, I mean, you know, speaking from personal experience, you know, when we, when we went through, you know, we’re a series b funded company going through each round of funding, you know, we had to, you know, we had to answer and fill out security questionnaires just like any other, like, vendor. Right. You know, so, so, you know, our VC firms were focused on, you know, hey, you know, we’re not getting into something where it’s, it’s adding risk to the portfolio, you know, and it’s already risky enough, you know, investing into early stage companies. You don’t want to be invest, you know, adding to that risk with, you know, cyber elements. Right. So. Oh, definitely. And, yeah, and you had, you had a leg up being that your, you know, your, your background is in cyber and you’re much of your team as well, probably the majority of your team, whereas a lot of these organizations that are more, they’re, they’re outside of the cybersecurity realm that’s out of their wheelhouse, that sort of thing. A lot of times they get caught off guard, kind of blindsided by this. But it’s a really interesting dynamic. In fact, to illustrate this, I have a couple slides. If we want to pull these up. What I’ll do is explain the sales process a little bit. And this is something for those of you watching. I would encourage you to capture this and explain this to your organizational leadership. Get the sales team involved, because this is, conversation has helped a lot of companies bridge that gap and tighten that bond between the sales teams and business development, for that, for that matter, marketing as well, but, and then the cybersecurity department or, you know, their third party cybersecurity efforts, whatever they have. So I’ll just take, I’ll take a moment to share a little bit about that. So when we think about the sales cycle, the number one thing that we are working on doing is building trust with our prospect. Right? So the first thing an organization is going to come and look at, when they’re looking at your, let’s just, let’s use this in the example of a B, two B SaaS company, right? So we’re a software company. We’re selling to businesses, other companies, and chances are those are, they’re much larger organizations than we are. And so here’s what happens. First of all, we’re working on building trust. So we’re in that familiarity stage, right? They’re saying, does this product or tool accomplish a need for us? Does it? Does it? Which primarily those needs are increase revenue, decrease costs, or decrease risk. Right. So does this product or tool do something that ultimately results in those, one of those three things for us? And they’re looking at the product and all the hard work that you put into building it. Beautiful user interface, beautiful marketing materials, all this stuff, they’re saying, okay, great, this looks really good. It solves our problem. It’s going to help us as an organization. Outstanding. So you get through that familiarity phase and the very next thing they’re going to hit you with is the vendor vetting process, their due diligence process, and that’s where they send you that questionnaire, that security questionnaire. It could be 50 questions. I just saw one a couple days ago. That was 800 questions. Yeah. So it, with, you know, big name company that we all buy stuff from time to time from. So with that we, we have that, the outcome there for a lot of organizations that aren’t ready to receive that and aren’t ready to answer these things, all that trust that they’ve built, all the hard work on all their sales efforts and marketing materials just goes right out the window and they crash and burn. They lose that engagement. Because if the large enterprise that’s looking to use your product sees that, hey, there’s too much risk here, they’re immediately going to move on to something else, some other solution. It might even be building their own solution in some cases, but oftentimes a competitor and so on. And so that’s what we don’t want to have happen. Right? So if we go to the next slide here, this is what we want to have happen and this is what it should look like in an ideal situation. Right. We go through, we’re building that trust, the product, the tool accomplishes all these things that this company needs and they say, okay, great. Well, now we need to put you through our vetting process and make sure that this is viable and that’s what they do. And then you have the ability to put your best foot forward and really drive the process even further, growing trust even more. And then you get through that. You do the security questionnaires. You show them your different things. A lot of times they’re, we talked about some of the certifications. A lot of times they’re asking for things like penetration tests and whatnot as well. But you’re them what they need, just what they need. Not giving them everything about your organization, because if you’re doing that, you should be vetting them. You should be sending them a security questionnaire. Right. If you’re just going to give them all your sensitive data. So you show them what they need, letters of attestation, maybe it’s audit reports, maybe their security questionnaire, continuing to grow trust. Then you get into the contract details, all the legalese, finalizing the deal and all that, and you win that engagement. So that’s, that’s where we want organizations to be when, especially when they’re selling to the upper mid market or even, you know, into the Fortune 50 realm, large enterprise companies. Yeah. Yeah. Well, and I think. I think that it also just hammers home the point of being in a, you know, in a proactive mindset around your security program and your posture. Right. You know, whatever stage you’re. Yeah, like you said, like, hey, maybe you’re not there yet, but, like, you know, now is the time to start, you know, hey, be proactive. What should we be focusing on? Focused on what should we be testing for? What, what are our vendors going to, you know, be asking of us and how do we kind of get ahead of that so that you’re, you know, you’re, you’re prepared, you know, the old scout model. Right. Be prepared. Right. And so, like, I think that, you know, coming into, coming into, you know, a sales cycle saying, hey, like, we feel like we’ve got everything we need, you know, from the security side, and that’s going to help us win rather than, you know, slow down a deal. Right? Absolutely. One of the things that kills deals in their tracks is that bottleneck. So even if you have everything together, things are really looking good from a security posture. You need to be able to articulate that and kind of package that up. So when you, when you’re able to do that and turn around security questionnaires in a couple days rather than weeks, the sales team loves that because all of a sudden now you’re enabling them to get the deal done, and that really helps bring things. Bring things together. So it’s a lot of fun to see when that happens. And then the two are working together. It’s also important to train the sales team and give them some background on certain initiatives that you’re doing. Like if you get a soc two audit, why is that important to their customers? A lot of times they don’t need that or don’t know that rather. So if you can educate them and work collaboratively, it goes a long way. Yeah, I mean, you can throw that in there even in the first interaction with a prospect of like, hey, by the way, you know, we, we take it seriously. We’re soc two certified. You know, it can be used as, you know, as additional, you know, benefits to why they should start building that trust with you in that, in those early stages. I think one other thing that’s also important that I was just thinking about is not only is it important that, hey, you’re staying proactive on, at the forefront of building that relationship, but then, you know, maintaining it throughout the life cycle of the contract itself. Right. And hopefully, you know, you’ve built a built trust and then you, you need to maintain your security posture and keep improving it so that you can maintain that relationship with your business and your customers, you know, for the long term. Right. It’s not a, it’s not a one and done kind of a, kind of a mentality. Yeah. You never know when, when they’re going to come up with a new risk management requirement and you want to do your best to, you won’t be able to answer everything all the time, but you want to do your best to be in a position to do so. We’ve seen companies that say they come out of the blue and they might be doing business with their vendors for a long time, but all of a sudden they say, hey, we need this subset of vendors to have SoC, two audits. All of a sudden we see that stuff happen. And the good part of that is that usually they’re understanding enough for those vendors that don’t have that at the moment, as long as they have that plan in place and say, hey, over the next twelve or 18 months is our plan. Here’s where we’re going, and we’re going to satisfy that need and that, more often than not, is what keeps the deal going. Yeah. Yeah. Well, hey, this, I mean, this was fantastic. You know, I think, I think, you know, it’s a fun topic to talk about and like, it may not be something that people have been exposed to before, which is why we wanted to chat about it, because like, yeah, this is actually, this is actually a real thing, you know, security has actually won and lost deals for people in big ways. Right. You know, mergers and acquisitions, you know, just, you know, straight up, you know, business development and then, and then just helping grow your business as a whole. I mean, I think it’s, it plays an important factor. So I think, you know, the key takeaways for me are like, hey, make sure your sales team is aware of what security requirements that your customers are going to be asking of you. Develop a good relationship with your security team, vice versa. Security team, you know, be on top of how you can help. You know, it’s one more, it’s one more way to justify the investment in security. You know, like, we’re still in that mode sometimes. You know? You know, like you said, like, you kind of assume being in this space, you hear everything, all the bad stuff, you kind of assume that people just, you know, naturally will understand the need for investing in security and cyber, but it’s not always the case. And so, like, you know, being conscientious of all the areas of how security impacts the business and your, you know, your function, you know, I think are super important in building those relationships and I, and staying proactive, you know, I think that’s, it’s all valuable. Absolutely. I know a lot of security, and it professionals have trouble getting the support they need and getting the budget they need, and they’re, but they’re talking about techie stuff and risk, whereas if they start talking about revenue generation, leadership kind of perks up and says, well, okay, tell me more about that, and then it becomes a different conversation. So it can be tremendously helpful for those listening to take these principles. And we could go on and on, but we’ve talked about the fundamentals, and if we take that message to leadership and to sales and say, hey, here’s why this is important to our customers and here’s how we can use it to get more. Yeah. Yeah. One last thought that just came to me because I was, I was chatting with this about some, chatting about similar topic with somebody else where it was kind of that notion of, like, for the security team to actually kind of put dollar amounts on the, on some of the risks and issues that exist in the organization, and their approach was actually to tie some of these risks back to compliance. Right. So back to their SoC, two, back to the certain controls and PCI, and basically would use that as a mechanism for communicating the risk in that. Like, hey, if we don’t fix this, you know, this represents a risk to, you know, lack of compliance with this control, which then breaks our attestation, which then is contingent. You know, then it hinges on millions, billions of dollars of revenue. Right. You know, we have this much revenue coming into our business every year under contract that we will maintain PCI compliance, or SoC two compliance. And so if we don’t fix this risk now, it affects our compliance, which affects that type of revenue. And that was a whole new way to perceive risk at the business level that actually communicated well for them. So I thought that was fascinating. I just wanted to throw that tidbit out there. Yeah, that’s tremendously helpful. We do some of those financial analysis assessments where we can mirror the. We work with a vendor on this who basically has an insurance grade platform that shows by control, by framework, what each risk costs the organization if it’s allowed to persist to include. And then it all rolls up to show what’s self insured versus what the insurance will cover based on all the history of breaches and all of that. So I think that’s another excellent way to when you could turn things into dollars and cents. It makes a lot of difference for those people that don’t have the backgrounds of probably most of the listeners of this show that they don’t have that technical lens that they’re seeing things through. It’s really just the financial lens, right? Yeah. Yeah, exactly. Well, hey, thanks for coming on, Zach. Super appreciate all your time and just the fun topic and your expertise. Before we take off, like, can you promote what you’re working on and how can people find more about some of the stuff that you’re working on? Yeah, absolutely. So silent sector is just silentsector.com, and there, there’s a link to our podcast. You can also find the Cyber Rants podcast on all your major podcast platforms. So check that out. We’ll, you know, talk about all kinds of different topics. I mean, we. So if you want to take a deep dive into soc two or something like that, we, you know, you can find that on there. So hopefully the information is helpful for you. And hopefully this helped everybody listening today and looking forward to connecting with you shortly on the Cyber Rants podcast, too. Yeah. Yeah. Super looking forward to it. Well, thanks again, Zach, and thanks, everybody, for joining us. Hope you have a great Friday and a great weekend, and we’ll see you next time. Thanks, everyone. SHOW FULL TRANSCRIPT