This article is written as advice for aspiring Virtual CISOs (vCISO).
This is the third part in a series. If you haven’t read the 18-month and 25-month ones, you should. They’re here:
Know, like, trust, buy
These magic words:
“know, like, trust, buy” are the key to success in the Virtual CISO business. (Probably any consulting business but I will write about what I know.)
People buy from people that they know, like and trust. It is so obvious. When I started Fractional CISO, why did my plan involve a lot of Internet stuff? I should have just had coffee and lunch with everyone I knew. I should have done speaking engagements. While I did do some of those things, I did a lot of marketing lead gen work which was mostly a waste.
I hear from others that this is true of all consulting. While I agree to a degree, what is your need to trust your SAP consultant versus your Virtual CISO? I will argue that the Virtual CISO requires a higher degree of trust to be effective. Especially when something goes wrong.
How do you get clients? Likely, you already know many of your initial clients. Let your network know what you are up to.
Have coffee with different people every day. Act as a resource to help others. Stay in front of your network, smartly. Don’t spam them. Form your message based on what you are good at and what you think potential clients would buy from you. Don’t worry about making a lot of money on the first two clients. Worry about that afterward!
Should I quit my good job to become a vCISO?
Maybe! I did. Some thought I was crazy to quit. Some literally couldn’t believe what I was doing.
My belief is that every medium-sized company will have a full or part-time CISO within the next ten years. That means that we will need a lot of virtual CISOs!
Assuming that you are passionate about cybersecurity and being a virtual CISO, here are the questions that you should be asking:
1) Can I be good at business development?
2) What is my risk tolerance if I don’t line up clients in three months?
3) What is my spouse’s risk tolerance for question 2 above?
Regarding 3, I know that I am really lucky because Mrs. Black believed in me more than I did!
Regarding 1, you should be engaging with your network before your departure from your full-time job. Tell them what you are thinking of doing. Ask them if there is anyone they think you should talk to. Having a network of go-to people helps on many fronts: they give you great ideas, they provide great resources, and maybe they connect you to the right person who will become a client.
From what you are saying about business development, it doesn’t sound like marketing is important, right?
WRONG! Marketing is very important. It is important to distinguish the lead gen aspect of marketing from two key things for consultants:
1) Staying in front of your network.
2) Having the right kind of collateral to enable business development.
Staying in front of your network
Will your best friend forget what you do? No. Will the guy that you worked with a few years ago on that project but now runs IT at a target client forget about you? Yes, he will have no idea what you do even after you tell him. You need to remind him when he is considering services like yours.
You need to stay in front of that guy. The trick is to figure out how. Now that we’ve scaled up, I send out a monthly newsletter. (Semi-commercial plug: Sign up here.) But we only started the newsletter a couple of months ago. What did I do before then?
I was very active on LinkedIn. It is important to smartly remind people that you exist. You will want to think of your target market and not other security people. The same message will not resonate with both populations.
LinkedIn is kind of like eating hot dogs.
One hot dog is good. Two hot dogs are very good. Three hot dogs are okay. Four or more hot dogs are terrible. It is the same thing for LinkedIn. You have to smartly get your message out there without terrorizing your network so they block you. Unfortunately, unlike with hot dogs, there is no exact formula. So be careful but remember that only a fraction of your audience is looking at LinkedIn at any moment in time.
What about other social media? Other social media is useless for virtual CISOs. I could be wrong, but focus your efforts on LinkedIn and non-social media marketing.
I went to industry conferences and meetups. The goal is not to meet a lot of new people. It should be to rekindle past relationships and to get to know a small number of new people. Do not sell to them when you meet them. Just be a friendly resource of valuable information. Make sure to follow up appropriately with a call, email, coffee or whatever seems natural from a relationship perspective.
You are not engaging in a transaction. You are building relationships. People hire their Virtual CISO because they know, like and trust them. You cannot artificially accelerate this process.
Remember the six-week rule
Well, don’t Google it. There are a lot of six-week rules. Here’s Rob’s six-week rule: You will forget any and everything about an acquaintance you met six weeks ago. That means that you need to follow up within six weeks. It can’t be a “hey, I’m checking in” either. You need to find some way to create value within that six-week period. It has to be something like, “I just found this article and thought of you” or “I read the book that you suggested and you were spot on about x.”
Collateral for business development enablement
Remember 500 words ago when I said that there were TWO things that you needed to do for marketing? The other is having the right kind of collateral to enable business development.
You need the collateral when you are in discussions with prospects.
Here are the things you need for collateral (with roughly how often each one comes into play):
1) A website with the right content. (95% of the time)
2) A good LinkedIn profile. (50% of the time)
3) A work sample. (10% of the time)
4) A brochure. (5% of the time)
For your website, you need to write the messaging that resonates with your target audience. Using inside cyber speak will not help your credibility with this market. You need a picture of you. Clients are buying YOU. Having something about how you are different and can help your clients is important too.
Your LinkedIn profile should have a professional photo. It should explain what you do, what types of problems you solve and who is your ideal customer.
Create a work sample. We created a risk assessment for a fictitious target customer. We followed the same process as we do for real clients. It has a few ellipses (…) in places where people probably didn’t care about the exact details. We wanted to give prospects an idea of the work output that they could expect.
Brochures for professional services are stupid, but we created one anyway. We got a number of requests for our brochure. “Um, that’s why we have a website.” Sometimes, though, it is helpful to email or hand a document to others, especially if you are trying to build consensus within an organization or work with someone in your network. Also, a brochure helps to tightly focus your message: where a website can talk about a lot of things, the brochure only talks about the most important items.
Why do I need to specialize? I can do all sorts of security stuff. I can be a security architect. I can serve any market. I can run vulnerability scans. I can do strategic planning with senior leadership. I know every technology stack.
Do you see any problem with the above? If you are the Swiss Army knife of security then sure, you may get some clients. But clients are looking for solutions to a specific problem. The more you specialize, the better you are at attracting ideal clients.
While we might be able to specialize tighter, we have a lot of clients in the cloud services space. Of course, now many traditional companies have a cloud service, so it is pretty broad – we have clients in software, life sciences, financial services, and manufacturing. We help a lot of clients with SOC 2 and ISO 27001. Government agencies are the one area that we don’t work with; we have referred those leads from prospects and clients to other firms. We also focus on the mid-market, so we have sent small companies to other firms as well.
Team Fractional CISO
Why have I written this? 1) To help aspiring vCISOs but also 2) to find the perfect candidate to help our team.
The Fractional CISO team has been growing and is now looking for a vCISO Principal to join the team. We have a number of great clients and need help to best support them.
We need a client-focused security expert who is passionate about working with a select number of terrific clients to improve their cybersecurity and manage their security program. This person would be focused exclusively on client work and leave the business development part to me.
The ideal candidate will have worked for a company running a cybersecurity program with dreams of being a vCISO. The candidate would prefer to spend his/her time working with clients as opposed to bringing in new clients.
If you know someone like that then please send them our way!
For more great Fractional CISO content, subscribe to our newsletter.