Seven things government security leaders expect vendors to address

Author: Dan Lohrmann, Chief Strategist and Chief Security Officer, Security Mentor

Finally, the meeting has arrived.

After many months of phone calls, e-mails, a WebEx demo and other prep work, you walk in the room and sit down with the government security leader and his or her team. Your hand-picked group of rock stars has been waiting for this moment. They even flew in early to practice the PowerPoint presentation.

Your pitch is flawless. The scheduled one hour provides enough time for the perfect balance of fresh content and an open discussion with next steps.

Everything is ready to go.

But, after starting six minutes late because the conference room was fully booked and the last meeting ran over, you go through the formalities of walking around and shaking hands. Your entire team exchanges business cards with a half-dozen government staff, three of whom you don’t recognise.

Polite introductions take eight minutes, including an explanation that the Security Operations Center (SOC) supervisor and deputy were called away to an emergency, so Sarah the student intern is sitting in for them.

Your mind starts racing. You think to yourself: There goes our closing pitch for the new ‘xyz’ product for the SOC. 

Worst of all, something happens next that really throws you off your ‘A’ game. Just before your team really gets started, the CISO announces that he needs to leave ten or fifteen minutes early to attend to an urgent budget matter.

“Can we get this done in about 30 minutes?”

While your team is mouthing “no,” somehow “sure” comes out of your mouth.

At this point, you decide to ditch the plan and go with your instincts. You turn to the government security leaders in the room and say, “So what’s on your mind?”

The meeting goes downhill from there.

An hour later you’re standing outside with your team, scratching your head and wondering what happened. What seemed like a perfect opportunity now appears to be a misguided adventure. The team looks at you and says, “Where do we go from here?”

Fiction or fact?

The scene depicted above should be historical fiction. Nevertheless, it happens way too often to be a coincidence. I’ve been there in hundreds of meetings with vendors as a Michigan Government CIO, CISO, CTO and CSO, as well as in federal situations as an NSA employee. I’ve also seen similar things from the vendor’s side of things with companies like Security Mentor, ManTech and Lockheed Martin (formerly Loral Aerospace).

My experiences are not unique. Almost every private sector company that sells to or supports government enterprises has experienced frustrations with the way business is conducted in government.

But frustrations abound on the public sector side of the fence as well.  I have heard too many CxOs share stories about vendors who “just don’t seem to get it.”

Occasionally, personal friendships, career experiences or “tell all” books allow us to walk a mile in the shoes of the other side. Nevertheless, easy answers to bridge the vendor—enterprise CxO divide often remain difficult to implement in practice. 

So what are common gotchas that can hinder security and technology vendor professionals when relating to government clients? What is on the minds of government leaders that rarely, if ever, gets discussed with vendors? And, most importantly, what are some potential solutions and back-up plans that can help strengthen relationships and prevent misunderstandings from becoming a major train-wreck?

In a previous post, I described why it is so hard for security startups to get government customers. This time, I would like to offer some thoughts about the things government security pros expect top-notch security vendors to already know—even though these words remain unspoken. I’ll include my advice and suggest some ways to address the issues.

Seven government security leader thoughts – and practical advice to help you read their minds

Government security leader thought #1:  “Do I really know you or your company?”

Most CISOs have a strong network of professionals and companies in the industry that they know and trust. If you are not on that list, or even if your company is on the list but you don’t know the specific person or team, don’t act as if you are life-long pals.    

My advice: As you meet for the first time on the phone, present a WebEx demo or walk in the room for an in-person meeting, be genuine and don’t misrepresent mutual contacts, friends or experiences. Building trust takes time, and you probably won’t do it in the first few meetings.

Government security leader thought #2:  “What are we talking about? Is this a waste of my time?”

I never cease to be amazed at the number of vendors who walk into meetings that took months to arrange and ask, “What are your priorities? What’s on your mind?” Of course, they were trying to be good listeners, but what typically comes next is, “We have a solution for that!”

Usually it is either all listen or all talk – not a balanced approach.  This is usually seen as a waste of time by CxOs and hurts more than it helps.

My advice: Do your homework on the government needs and requirements in advance. Read their strategic plan. Offer a meeting agenda in advance and ask if the agenda is ok before you start. Be clear on the topic and solutions being offered at that specific meeting. Understand and respect the busy schedule of the government teams. 

Government security leader thought #3:  “Will I get to talk and give feedback?”

Of course, there’s the other extreme too: vendors that talk and talk in order to fit in as much as possible. In my experience, the CISO is often worried a discussion will never happen.

My advice: After your presentation, ask for input. “What do you think? Does this meet your identified needs? Where can we improve?”

Government security leader thought #4:  “This is the wrong time, or the wrong price or the wrong product.”

I love my brother Steve’s perspective on technical sales—It’s all about the right product at the right place at the right time at the right price—with the right person delivering the message to the right decision maker.

My advice: Doing your homework up front should enable you to address timing or competing purchases or related items prior to the meeting. Set realistic expectations for the discussion that can be met or exceeded.

Government security leader thought #5:  “You are talking to the wrong person.”

Far too often, meetings in government with vendors occur because someone knew someone else. Often, the vendor is talking to the wrong technology or security leader, but may not know it based on title.

My advice: As with #4, do your homework on why you are talking to this audience. What does this group truly do? Do they know or influence the other decision-maker(s)? Set realistic expectations up front or make sure the right messages are passed along if the government team switches out the attendees.

Government security leader thought #6:  “I don’t have enough time for this. I need to get out of this meeting early.”

My advice: Vendors need to have a plan B (and maybe C). Expect the unexpected for situations like the example at the beginning of this article. Be respectful of time allotted and also watch the government leader closely. Are they not interested (leaving early) or are they legitimately being called into some emergency situation?  Ask for more time later, if it is a serious problem.

Government security leader thought #7:  “Are you in this for the long haul or a quick buck? Can I trust you? Do you have a good reputation? Will you deliver? Will you be around in two years?”

My advice: Ultimately, if the government leader is asking this question, you have probably succeeded in your sales pitch (so far). Strive to build partnerships, trust, a positive reputation and a track record of delivering success. Have case studies ready. Show where your solution has worked before.

Final thought: Is there an elephant in the room that no one is talking about?

Good preparation means practicing what might (and often does) go wrong.

Watch out for an “elephant in the room” situation where no one is addressing a specific question or topic. There may be a simple reason that the government team is being so quiet—such as they just bought your competitor’s product last week. While that is not a happy situation, it is better to find out as soon as possible what the issue is.

Perhaps you can salvage the discussion with a related product or service—or next year’s opportunity. 

If you do your homework and prepare properly you can (sometimes) read the minds of the security executives across the table. 

This article was brought to you by Enex TestLab, content directors for CSO Australia
