memoryBlue and Operatix join forces to create the largest global sales acceleration company.

Curious how your SDR costs stack up? Compare in-house vs. outsourced.

How CISOs Buy Software

5 Insights Every Cybersecurity Vendor Needs to Know

What a candid panel lunch at RSA 2026 revealed about selling to CISOs, straight from the source.

Quick answer: CISOs buy software based on trust, relevance, and peer reputation. They want vendors who understand their team’s specific pain points before asking for time, avoid overpromising, and engage through multiple channels with a personalised, account-based approach. Generic outreach is the fastest way to lose them and their network.

Understanding how CISOs buy software is one of the most valuable and most misunderstood challenges in B2B cybersecurity sales. We hosted a panel lunch at RSA and asked CISOs directly: how do you actually want to be sold to? What builds trust? What kills a deal before it starts?

The conversation was candid, occasionally surprising, and full of insight that challenges conventional sales and marketing wisdom. Our panellists were a mix of CISOs, CROs and CMOs who brought perspectives from both sides of the table. Here is what every sales and marketing leader at a cybersecurity vendor needs to know.

What Do CISOs Look for When Buying Security Software?

CISOs consistently prioritise three things when evaluating vendors: trust, relevance, and fit. They are not looking for the vendor with the boldest claims or the longest feature list. They are looking for partners who understand their specific environment, speak honestly about what they can and cannot solve, and respect their time.

Trust, in particular, came up again and again across the panel as the defining factor in purchase decisions, and it is built or destroyed long before a formal evaluation begins.

5 Insights on How CISOs Buy Software

1. Surround the Castle Before You Knock on the Door

One of the most resonant points came from Nick Mansour, Senior Vice President Sales, Americas @ Saviynt, who made the case for a true Account-Based Marketing (ABM) approach in cybersecurity sales, rather than the surface-level personalisation that most vendors pass off as ABM.

The insight: go wider and deeper into an account before you try to reach the CISO. Engage with the security engineers, architects, and analysts, the people who live inside the pain every day. By the time you get in front of the CISO, you should already have a detailed picture of their team’s needs, frustrations, and priorities.

CISOs do not want to be your discovery call. They want you to arrive already knowing. Vendors who have done the groundwork with the wider security team walk into that conversation with credibility, and credibility is the foundation of trust.

GTM takeaway: Structure your ABM strategy around the security team first. Use those conversations to map use cases and organisational context before you pursue the CISO. Earn your way to the top.

2. Know Your Persona Better Than Your Product

Craig Carney, VP Global Sales @ Mindtickle, made a point that resonated strongly across the table: the best sellers are not product experts; they are people experts.

CISOs are not a monolith. A CISO at a 200-person fintech has entirely different priorities to a CISO at a global enterprise. Regulatory environment, board relationships, team maturity, budget cycles, all of it shapes how they think and what they are willing to buy. Generic outreach that ignores these nuances signals immediately that you have not done your homework.

Craig also noted that AI tools are now making persona and account research significantly more scalable. There is no excuse for showing up unprepared.

Crucially, sellers do not need to be the product experts in the room. Their job is to grab attention, identify the right use cases, and get the right people involved at the right moment. When a CISO wants to go deep on product, bring in your product team. When they want a peer-level conversation, bring in your executives. Knowing which moment you are in, and having the right resource ready, is what separates high-performing cybersecurity sellers from everyone else.

GTM takeaway: Invest in persona-level sales enablement alongside product training. Use AI tools to help reps research and tailor outreach at scale. Build playbooks around CISO segments, not just product categories.

3. Stop Selling Silver Bullets, CISOs Can Spot Them Immediately

Both Mea Clift, CISO & Executive Advisor, Cyber Risk Engineering @ Liberty Mutual Insurance, and Jennifer Raiford, CISO & Chief Digital Trust and Risk Officer @ ENIGMA Protocol, were direct on this point, and it needed to be said.

CISOs know there is no single tool that eliminates a category of risk. They have heard every bold claim, and they are deeply sceptical of vendors who oversell. When your pitch implies your product is a silver bullet, you do not just lose credibility on that point. You lose trust entirely.

What CISOs actually want to hear about is specific use cases and measurable business outcomes. Be honest about what you solve and equally honest about what you do not. Vendors who acknowledge their limitations and focus on genuine fit stand out precisely because so few do it.

Differentiation in a crowded cybersecurity market does not come from the loudest claim. It comes from the most relevant and credible one. You also need to understand your competitive landscape. CISOs know it, and they will test whether you do too.

GTM takeaway: Audit your positioning and sales messaging. If it relies on superlatives or category-killing language, pull it back. Train reps to lead with specific use cases and to have honest conversations about fit, even when that means saying “we may not be the right solution for you right now.”

4. Multi-Channel, Multi-Touch, and Do Not Abandon the Phone

Here is where the lunch table got interesting.

The CISOs on the panel said they prefer LinkedIn over phone calls. The sales and marketing leaders at the table disagreed, and the debate that followed actually proved the point better than any single answer could.

The real insight is not which channel wins. It is that no single channel wins consistently. Different CISOs engage differently. The same CISO will respond to different channels at different moments. LinkedIn might be where you get noticed. Email might be where you get a reply. A well-timed, well-prepared phone call from the right person might be what actually gets the meeting.

The critical variable across all channels is relevance. Every touchpoint needs to be tailored, prepared, and grounded in genuine understanding of the person you are reaching. Generic sequencing is noise. Personalised, multi-touch outreach is signal.

GTM takeaway: Do not let “CISOs prefer LinkedIn” become a justification for pulling back on other channels. Build coordinated, multi-touch sequences tailored to the individual. Relevance and preparation matter far more than channel choice.

5. CISOs Are a Tight-Knit Community and Your Reputation Travels Fast

This was perhaps the most underappreciated insight from the entire lunch, and both Mea Clift and Jennifer Raiford were emphatic about it: CISOs talk to each other, constantly and candidly.

They have Slack channels. They have peer groups, industry forums, and executive networks. When they have a genuinely good experience with a vendor, they share it. When they have a bad one, they really share it, and their peers listen.

This means your market reputation is not built through your marketing alone. It is built through every single interaction your team has with every CISO, including the ones who are not a fit right now. A CISO who does not need your product today might refer you to three peers who do, but only if you respected their time, were honest about fit, and treated the relationship as worth nurturing regardless of immediate commercial outcome.

GTM takeaway: Treat every CISO interaction as a long-term reputation investment, not a short-term pipeline activity. The cybersecurity CISO community is smaller and more interconnected than most vendors realise. One bad experience does not stay contained.

Frequently Asked Questions: How CISOs Buy Software

How do CISOs prefer to be contacted by vendors?

CISOs are split on channel preference. Many cite LinkedIn, but peer conversations, referrals, and well-prepared outreach across multiple channels are all effective. What matters most is relevance and preparation, not the channel itself.

What do CISOs value most in a vendor relationship?

Trust is consistently the top factor. CISOs value vendors who are honest about capabilities and limitations, understand their specific environment, and do not waste their time with generic or overhyped pitches.

How should cybersecurity vendors approach CISO sales?

Use an ABM approach to engage the broader security team before reaching the CISO. Understand the organisation’s specific use cases and pain points. Bring in executives and product experts at the right moments. Avoid silver-bullet messaging and focus on specific, relevant outcomes.

Do CISOs respond to cold outreach?

Rarely to generic cold outreach. Personalised, well-researched outreach that references their specific organisation, team, or challenges performs significantly better. Referrals and warm introductions through peer networks are the highest-converting entry points.

How important is peer reputation in CISO buying decisions?

Extremely important. CISOs actively share vendor experiences within their networks. A strong reputation, built through honest and respectful interactions, can drive significant referral pipeline even from non-customers.

The Bottom Line

The vendors who win with CISOs are not the loudest or the most feature-rich. They are the most prepared, the most trustworthy, and the most relevant to the specific context of each account they pursue.

Selling to CISOs requires doing the work before you ask for the meeting: understanding the person, the team, the organisation, and the competitive landscape. It requires honesty when others oversell, specificity when others are vague, and patience when others push too hard.

That is what CISOs told us at lunch at RSA. And from the conversation around the table, the best sales and marketing leaders in cybersecurity already know it. Now it is time to build it into every motion.

Insights gathered from a CISO panel lunch hosted at RSA 2026. Panellists included Mea Clift – CISO & Executive Advisor, Cyber Risk Engineering @ Liberty Mutual Insurance, Jennifer Raiford – CISO & Chief Digital Trust and Risk Officer @ ENIGMA Protocol, Nick Mansour – Senior Vice President Sales, Americas @ Saviynt, Craig Carney – VP Global Sales @ Mindtickle, Mary Yang – Fractional Cyber CMO, and Glenn Haertel – CRO @ memoryBlue.

 
