How to Sell Cybersecurity in 2024: The Ultimate Guide

With cybercriminals’ ever-evolving tactics, changing customer preferences and a near-endless array of products and services, selling cybersecurity has never been more challenging.

The global cybersecurity market will grow from $190.4 billion in 2023 to $298.5 billion by 2028, at a compound annual growth rate (CAGR) of 9.4%, according to MarketsandMarkets. Market expansion is primarily driven by the escalating number and sophistication of cyber threats as organizations and individuals increasingly operate in a digitally interconnected world. In addition, the widespread adoption of technologies such as cloud computing, IoT and AI further amplifies the need for strong cybersecurity measures.

Moreover, strict regulatory requirements for data protection across various industries compel businesses to enhance their cybersecurity frameworks.

So amid this positive forecast, how do you unleash your cybersecurity sales potential? We spoke with sales experts at cybersecurity vendors and MSPs/MSSPs, as well as the leader of Omdia’s cybersecurity research group to get the nuts and bolts of selling cybersecurity.

Thapana_Studio/Shutterstock

1. Strategy Comes First for Selling Cybersecurity

When it comes to crafting a cybersecurity sales strategy, the FUD factor (fear, uncertainty and doubt) is not a good approach, according to Maxine Holt, senior director of cybersecurity content for Omdia and Informa Tech.

Related:RSAC 2024: Increasing Cybersecurity Burnout a Prominent Issue

“Today’s organizations want security products and services that provide a good return on security investment and can be linked directly to business outcomes,” she said. “From a sales perspective, this involves appreciating and understanding what these business outcomes are and how security is closely linked to the business.”

Omdia's Maxine Holt

Tim Weber, Cyber74’s vice president of channel growth, said the biggest component of a cybersecurity sales strategy is the education of end customers and prospects.

“The security landscape is confusing, even for those of us that work in it, and for somebody who doesn't work in it, such as a small business owner, I think my favorite word would probably be overwhelming,’” he said. “It's continually changing, continually evolving and it's what makes it interesting for those of us that work in the space. But for everyone else, I think that's probably maddening in a lot of ways.”

The old ways of selling cybersecurity don’t work anymore; there needs to be a move away from a product-based focus, Weber said.

“I think our industry has done a disservice in some ways because everybody gets focused on the coolest, newest software or service or SaaS solution or this, that or the other thing,” he said. “And a lot of what's needed is fundamentals. So, the more that the fundamentals can be covered and can be understood by the client, the security in an overall architecture and framework, that's where the focus needs to be.”

Related:Enterprise Security Considerations When Deploying Microsoft Copilot

Moe Askar, Sophos’ vice president of Americas channel sales, said successful sellers of cybersecurity make it easy for their customers.

“It's who's going to make it easier for me from an operational perspective,” he said. “We hear about vendor consolidation. It's hot in the industry right now; essentially, how am I going to lower my overhead? And then the other aspect coupled with that is, how do I make more money? To me, that is utilizing a vendor relationship that has a portfolio stack that's horizontally wide, where if I can sell one thing, I can then come back at the appropriate time and sell the other thing, and then sell the other thing. From our MSP perspective, that works.”

2. Stay Ahead of the Ever-Evolving Threat Landscape

It’s important to be aware of the challenges your clients and prospects are facing, Holt said.

“If you can empathize, then you can help them with achieving their desired outcomes,” she said. “To do this, of course, be aware of the threat landscape as it pertains to the capabilities that your organization is selling, but also keep abreast of the wider threat landscape through specialized media outlets. Podcasts are also a really useful way of obtaining information and getting a feel for the many things that are going on in cybersecurity.”

Related:Kaseya Connect: How MSPs Can Make Money on Cybersecurity Services

Pamela Diaz, president and CEO of Entara, said it’s important to continually change your cybersecurity sales process because cybersecurity itself is continually changing.

Entara's Pamela Diaz

“So, for us, I think where we're trying to focus on is the educational aspect of sales,” she said. “I think people are very concerned about security, but they don't understand security well enough to make informed decisions without having a more consultative approach for sales. What we also try to focus on is meeting the client where they are. And at Entara, we're an extended service provider, so everything that we do is with that security-first lens. We know you have to have a solid foundation of security before you start adding a lot of different layers to it. So we try to meet our prospects where they are and help them understand if their foundation is solid or if they need to do a lot of very basic work before they start going up into some of these new, sexy type things they see on display."

Staying ahead of the threat landscape is the biggest challenge, Cyber74’s Weber said.

“You have pressures coming from so many different angles,” he said. “You have the threat actors themselves and you have regulations, whether that be state, local or federal, and then industry regulations and obviously cyber insurance requirements, which actually have driven a lot of change. You have to be focused on it. You have to be dedicated. To be successful in this space, you have to put resources into it. You can't do security part-time.”

John Shier, Sophos’ field CTO, said staying ahead of the threat landscape means doing research.

“It's having visibility into all aspects of the threats, whether that's network threats, email threats or identity threats,” he said. “Having that visibility across the board is important.”

Gustavo Frazao/Shutterstock

3. Know Your Cybersecurity Customers

Deniz Sagnaklar, Entara’s chief growth officer, said there are also more educated buyers. In the past, primary contacts or executives in companies would say, “I don’t understand; you go take care of it.”

“Now you have a buyer that is probably in a CISO, CIO or CTO seat in an organization, and they're asking a lot more educated questions, but they also have a lot of opinions about what tools they want,” she said. “You used to have to explain, ‘Hey, you should have this solution or you should have multifactor authentication (MFA) in place,’ fundamental things. Now you're having to have a conversation about why you don't think a certain tool is nuanced enough, why putting all your eggs in the same basket is maybe not the best strategy. ‘We've got this, we know what we're doing’ doesn't cut it anymore. You have to explain a lot more of the decisions and services that you're having to put forward.”

Ken McCray, Fortinet’s vice president of channel sales, said listening to customers is most important.

Fortinet's Ken McCray

“Listening to your customer means understanding their environment, understanding their pain points and then talking to them,” he said. “I don't even think the first encounter or first couple of meetings should even be about product. They should just be about the customer and the things that they're facing, not just today, but some of the things that they're thinking about in the future. So I think it comes back to understanding the customer's life cycle. What have they done in the past? Where are they trying to go? And then how you fit into that equation. And then I always tell the teams you have to be authentic about your approach. You have to have the ability to relate to the customer. I think those are the keys. Customers really buy into that.”

4. Carve a Niche in the Competitive Cyber Market

A smart way to carve a niche in the cybersecurity market is through taking a consultative approach with customers, Sophos’ Shier said.

“Security can be difficult, so it's great that you have great products, you have great services, you've got the backing of a great vendor and you've got good relationships,” he said. “But at the front end, building that security foundation and that first layer of prevention is really important as well. And that goes beyond products. I think where MSPs can have a big impact is understanding the threat landscape. And then out of that understanding, [say], ‘All right, these are the things that I see you have in your business today and here are the things that are missing. Let's work together to bring those up to a higher bar so the attackers have to build a taller ladder, if you will.’ Being consultative is saying, 'We understand where the threats are coming from and how they're doing it, so let's look at your environment and let's then apply the things we need to apply in the right degrees and amounts to make you a more resilient target.'"

Entara’s Sagnaklar said trying new things can lead to a niche in the market.

“Someone might come to you and say, ‘I have a requirement to do this,’ but you're looking at the security stack thinking you don't have steps one through seven, let alone talking about step eight, and you have to understand how to be the best kind of technology partner for them,” she said. “I think one of the things that we have found success with and joy in over the last few years in our sales strategy is trying different things out, trying to have different approaches with different clients, different packages, trying to have bundles of different kinds of things that maybe target different gaps in their environments. But when it's such a competitive cyber market, it's also hard to understand when you've come across a niche. So, try things out, see what your consumers like.”

Fortinet’s McCray said it’s helpful to look into startups and understand the niche markets where they play and being open to those.

“I think when you do things like that, you put yourself in a position where you're open to innovation, you're open to learning; then, you can incorporate that into your solutions,” he said.

patpitchaya/Shutterstock

5. Establish Trust and Credibility

Mature cybersecurity vendors and service providers have thought leadership within their overall capability, which sales teams can leverage, Holt said.

“Furthermore, working with independent analyst firms for validation of what is being offered can help cultivate trust,” she said.

One of the best ways to cultivate trust is by being authentic, Cyber74’s Weber said.

“Share the information you know, and if somebody asks you a question and you don't know the answer, say, ‘That's a great question. I don't know the answer to that, but let me let me look into it and get back to you,’” he said. “In my tenure of doing this, one thing that I've learned is the more I learn, the more I realize I don't know. I've made it a point not only to continue my own education, but make sure that if I don't know the answer to a question, I know how to find it. I know how to find the right person or organization or resource to connect somebody with. This space just continues to grow and expand at such a rapid pace, there's nobody out there who knows everything. Anybody that claims that is a fraud.”

One way to build credibility and trust is through being a voice of reason, Sophos’ Shier said.

Sophos' John Shier

“There’s a lot of security news out there on a daily basis and a lot of it is ... hair-on-fire distracting,” he said. “And that comes from all corners of the spectrum. It comes from vendors, it comes from partners and it comes from end users. I think as an MSP, you want to build credibility and trust through being a voice of reason. As we all get older, we learn a couple of things. We learn how to ask for help more often, and we learn how to say, ‘I don't know.’ And if you're an MSP that has certain competencies where you're an expert, use that to your best advantage. But then if there are areas where you're weaker, say, ‘I don't know, but I've got somebody over here that can help you with that.’ Lean on partners and lean on your friends out there to really help you get that holistic view of the security market and what it means.”

“If they're just joining a new organization, what that looks like and helping them to navigate their new strategic roadmap," she said. "Think about what they can do in the next six to 12 months to really shore up what they need, or to start making advances that may have been stalled for a while. It's really understanding how we can help them, but recognizing that we can't help everybody. We have to be thoughtful about that, too. We may say these three things we can help with, but with the other 10, you're going to have to find another partner to work with you.

Cybersecurity Sales: MSP Success Stories

Sophos’ Askar said conducting cyber health checks with partners has led to sales opportunities.

“In these health checks, there are multiple instances of success, where maybe something wasn't configured properly or maybe something was alerted that nobody noticed or they weren't fully deployed in certain areas or things like that,” he said. “And being able to do that hand in hand with our partner to protect the end user, I think that’s success in itself because it shows that this is a true partnership. It's not like, ’Here are the widgets, go sell them.’”

Diaz said Entara’s most impactful success has resulted from working with newly appointed CIOs or

CISOs and helping them understand “what technical debt they may have walked into.”

"I think it's also knowing that there is enough work to go around for everyone," she continued. "There is no need to be a backstabber. There's no need to have cutthroat sales. I think that the opportunity is there to create relationships and partnerships with other vendors, other MSPs or MSSPs. We may not be the perfect fit for everybody, and we know that, but I would love to be able to introduce them to somebody that would be a good fit for them.”

Robert Kneschke/Shutterstock

The Dos and Don'ts of Selling Cybersecurity

We asked the experts what they would include on the list of dos and don’ts of selling cybersecurity.

Also, don’t be one-dimensional in your security strategy, Sophos’ Askar said.

“Understand the whole security stack, what you're offering and where your vendors specifically play so you can educate your end customers appropriately,” he said. “Lean in on your vendor capabilities and prioritize the ones that really empower a proactive security strategy.”

In addition, overselling leads to rejection, Fortinet’s McCray said.

“Where a lot of salespeople get in trouble is by promising features and technology that don't exist,” he said. “At the beginning of cybersecurity, everybody would tell a customer their product could do everything, or their product was integrated across the board and they really weren't. They didn't work together.”