Over the past 12 months, since joining the organization I currently work for, I've heard complaint after complaint about sales people. I know, I sympathize, I've typically trusted them half as far as I could throw them - and still do - so I wanted to write up a quick(er) version of why I think sales people, particularly in the security field, really need to check their ethics.
A few years ago when I was working for GE Power Systems, I had the misfortune of sitting through a meeting with a particularly bad sales guy. He had managed to convince our CISO that his company could really solve some of our problems so it was up to my two colleagues and I to listen to his presentation and decide. From the start, things just didn't get off right.
When the guy walked into the conference room he informed us that he had the answer to everything that ailed us in security. I figured this was rather ambitious since he had no idea what our problems were but her persisted. He asked us to give him our top-3 security challenges, which we did, then he proceeded to "solve" them for us using his product(s). Now, everyone's heard the phrase "When all you have is a hammer, everything looks like a nail" but this was taking it to a new extreme.
His in-line network appliance-based approach, together with a multi-server infrastructure and a client installed on every workstation and server would solve all our problems. Let's assume for a moment that this proposal was even remotely feasible on a network as large as we were trying to secure - the costs would be outrageous, and given the complexity (and lack of hard-line management) this network suffered from it was physically impossible to implement that solution. These blunt facts, of course, didn't really stop this guy. The fact is, he kept talking until we finally had to explain to him, in detail, why his product made zero sense in our environment.
Presentation and comprehension fail.
Here's my point... there are several tactics which sales folks often use that do a dis-service to the products or solutions themselves... and clearly seek to "accidentally" ruin our credibility in a fragile market - but rather than call those out (as was pointed out to me earlier) perhaps it would be more constructive to throw out some pointers to any sales folks who read this blog...
- Research the prospec - get to understand as much as you can about their situation, challenges, and current situation
- Sell reality - Don't over-inflate, stretch, or bend the truth about the capabilities of what-ever you're talking about
- Your product is not the silver bullet - it doesn't matter what you're selling, it won't make your customer magically secure - learn it, accept it
- There is no state of security - only states of higher-order risk mitigation
- All the above applies even more when you're selling directly to a C-level
- Products are useless without process - from firewalls, to antivirus, to scanner software... none of it is worth crap if there isn't a process around using it
- People and tools are not mutually exclusive - you're going to need both to succeed, until tools learn to think
- Product | Services aren't mutually exclusive either - see above