Dave Bittner: My guest today is Michael Coates. He's CEO and co-founder at Altitude Networks, and he's also former CISO at Twitter and former head of security at Mozilla. Our conversation focuses on how he, as someone with purchasing authority, prefers to have products pitched by cybersecurity vendors.
Michael Coates: I had some pretty exciting years leading security programs. I was head of security at Mozilla for many years. I was also the CISO at Twitter for a number of years, and what I noticed was that there was clearly a lot of activity in the vendor space for security solutions, which is great. We need innovation. But the way in which they reached out to potential buyers, like myself as a CISO, left me certainly wanting more.
Michael Coates: I would receive, largely, a ton of unsolicited inbound emails with really peculiar message formats. I applaud the efforts to try and catch our eye, but they end up having, you know, an unintended consequence - emails like, do you care about security? Or, did you know you're vulnerable to this? Let's talk more. All things that - I get it. They're trying to be catchy and clever, but it's actually kind of off-putting.
Dave Bittner: Yeah.
Michael Coates: Yeah. The thing that hit me initially was the massive amount of cold-call email that I would get, and that really just didn't work well, as I know we'll dive into here.
Dave Bittner: Well, so let's come at it from the other direction. The folks that were successful, who got your ear - what techniques did they use?
Michael Coates: As a result of the large amount of movement - there's obviously tons of investments in security right now, tons of innovation, lots of new companies. Because of the fact that there's so much noise, many buyers, like myself, would actually rotate hard the other way. Instead, we would rely very heavily on referrals from, you know, our personal networks. And I realize that that is something that would happen in any space. You always want to, you know, think about a referral. But in security in particular, these CISOs form together in these, you know, CISO networks. And we have one in the Bay Area, and I know other industries and other locations have them, too. And in some regards, they're a bit of a support network because let's face it. The security role is hard. It's hard at every level.
Dave Bittner: Sure (laughter).
Michael Coates: But we would definitely use that referral. Like, hey, have you guys heard of this? Or, I'm looking for a solution in this space - and see who would pipe in. And that is great. It's really good to have a referral. But at the same time, that could leave us a little bit blinded to really great new innovation that we should be thinking about.
Dave Bittner: Do you think there's a risk, then, of becoming insular?
Michael Coates: I think we're in a challenging spot because we definitely need to branch out and look at new ideas, look at new solutions. And yes, if we're not careful, we could be a little bit insular right now in terms of the solutions and products we use. But I think the trick we need to do is actually shift the way we look at selling security software, security solutions, and also the method we have for discovery because we've kind of taken two extremes here.
Michael Coates: We're talking about - on one hand, you have cold inbound versus referral. Like, what's that middle ground? Like, where can we have a trusted review of options out there? And in some regard, trusted advocates kind of fill that void. Like, if you have a VC relationship, someone that you trust, they're kind of a vetting mechanism. Like, hey, these solutions look pretty interesting. And sure, they're in their portfolio, but they've done some vetting to get them there. So that's kind of nice. That works really well, of course, in Silicon Valley - but not scalable to the rest of the country or world.
Michael Coates: And so can we have some sort of Consumer Reports-style trusted review or display of vendor information? The thing that's important about that, and where I really key in is, as a security buyer, you want the security information. You want the technical chops of what you're looking at. You really don't want to see a marketing slick sheet that says, machine learning, internet of things. How do you measure success? Which are false positives? How do you look at those types of things that actually matter to us?
Michael Coates: So I think we can find that middle ground if the security vendors realize, hey, stop trying to push buzzwords. Stop, you know, with the cold calls. How do you show your product and what it actually does, hopefully in a neutral space, if we can create such a beast? And if not, how do we lead in more of a demo-first-style sales approach? Like, let your product speak for itself. Let me come to your website and, like, actually see how it works. And for some reason, I think we're really far away from that reality right now.
Dave Bittner: Why do you suppose that is? There's no doubt that there is a lot of noise out there. I mean, you walk around on any of the trade show floors, and it's hard to focus on any one thing. Everybody's fighting for your attention. So I guess on the one hand, I have a certain amount of sympathy for the folks out there who are trying to sell in that environment.
Michael Coates: And I have to eat my own words here because I'm now on the other side of the fence.
Dave Bittner: Yeah, yeah.
Michael Coates: I think, one, we have a macro challenge in security, which is there's far too much headline-chasing, you know, Hollywood-style products that are solving things that don't matter. And because there's so much investment money out there right now, the bar to get funded, the bar to start a new idea is lower, perhaps, than it should be. And as a result, you see just crazy, off-the-wall ideas that may catch fire because of their buzzwordiness (ph). It may get a set of buyers that aren't as technically adept that, you know, need it. Like, what is your solution right now to quantum encryption? And things like that - like, well, it's a cool buzzword, but is it really the most important thing to solve in your program?
Michael Coates: So we have that big mismatch between flashy, headline-grabbing things, people trying to solve APT. Really, they don't even have good inventory management. Or how do you even think about automation and real-time alerting? You look up something like the Target breach. And so I think that's one problem. There's just so much stuff out there. And then the second part really is we don't have a channel that can give people that neutral way of learning about companies, so it really is the biggest shouting match. How can I shout more over email? How can I shout with catchy phrases at an expo floor? And that's an unfortunate reality of where we are right now. I think as we mature, as buyers become more sophisticated, more aware of what they need to focus on, it will get better.
Michael Coates: And yeah, going back to that point, again, like, I would really love for that neutral evaluation - like, give me the - maybe not a hard copy - but that magazine of - what are the different security products and different spaces, and how do we have a neutral body to give us some information about them?
Dave Bittner: Now, if someone's reaching out to you - you get that email in your inbox - what would the ideal approach be? How could someone get your attention and get you to spend a little more time with their product?
Michael Coates: Yeah, I think that actually is a really good question because sure, I'm harping on email as really hard, and it is because there's so many inbounds. But there's a lot we can do in the messaging itself because there is some amount of hit rate. There's some opportunities where people do sit down and say, all right. Let me see what's going on, what kind of inbounds I have.
Michael Coates: The thing that can help a lot for a vendor selling to a CISO is to basically do the three-second test. Let's assume you're going to get three seconds as they scroll through - if they open it, so make your subject line helpful. But if they scroll through that email, you're going to get three seconds. Don't have a long narrative. Don't have tons of words. Do not ask me things that make me kind of recoil in a bit of frustration. Like, yes, I do care about security.
Dave Bittner: Right, yeah. I love cute puppies (laughter).
Michael Coates: Yes, yes. I know you don't have a silver bullet and all of these things. Like, let's just cut through all that. Just tell me, one, what do you do? Like, we solve this problem. Don't tell me about flashy features because we don't need to sell on features. We need to sell on what problem gets solved. If you tell me, number one, what problem you solve, I will then self-select and say, I have that problem or I don't. And either answer is good for you because we don't need to talk if I don't have that problem. But if I do, I'll read the next line. Like, tell me how you solve that problem. Do it - maybe this is my Twitter days coming back. Do it in, like, one sentence or two, because...
Dave Bittner: That's right.
Michael Coates: ...You should be able to. It should be compelling in two sentences. And three, tell me how you integrate because that's actually really important for a security person to wrap their head around. Like, am I looking at a network device? Am I looking at an agent on my workstations? Help me wrap my head around it real quick.
Michael Coates: And then after those three things, what I would ideally like as a buyer - let me go view your product without talking to sales. I know it's horrible. I know you want me to talk to sales, but let me just see it because if I can do those things, there's a better chance I will learn about your product. And when it's - the time is right, I will engage. But if you don't do those things because you really want me to engage with sales first, you really want me to read this long narrative, what will happen is I will do none of those, and you will have no reaction from me. And I think that's a worse outcome because when you look at security and, you know, why particular things happen - like, if you think about phishing attacks, we're always like, how does anyone fall for those? And most - almost no one does, but if 0.1% do, you just send more emails.
Dave Bittner: Right.
Michael Coates: So maybe we're at a spot where the smarter companies are figuring it out and they're being more successful, or maybe we're all incredibly biased and we're in this small segment of the market. But I don't think that's the case because as much as we say there's, you know, more technical or less technical CISOs, or the West Coast, the East Coast - how they're different from each other or even the Middle America, I think, really, people want that core info. I don't think there's anybody out there saying, yeah, I really want to read through this long narrative to decide if I care about security. Thank you for asking. So I don't know. I don't know what we're missing. I think we have a fair point, as the buyers, to say, please just give it to me this way. That's what I want.
Dave Bittner: That's Michael Coates from Altitude Networks.