#29 I Love Your Product, But I Can't Buy It - Ian Poynter, CEO @Kalahari Security Artwork

Cybernomics Radio

Welcome to Cybernomics, the podcast where we break down the latest enterprise innovations and challenges shaping the Information Security industry. Whether it’s AI, cloud computing, or digital transformation, we dive deep into the forces driving businesses forward.

Join host Josh Bruyning as he engages with industry experts and technology leaders to explore how businesses are leveraging technology for growth. From cutting-edge advancements to the economic impact of tech decisions, Cybernomics delivers insights that keep you ahead of the curve.

Tune in for expert analysis, compelling discussions, and a front-row seat to the future of Information Security.

All Episodes

Cybernomics Radio

#29 I Love Your Product, But I Can't Buy It - Ian Poynter, CEO @Kalahari Security

September 27, 2024 • Josh Bruyning • Season 1 • Episode 29

In this episode of Cybernomics (formerly Security Market Watch), host Josh Bruyning engages with Ian Poynter, founder of Kalahari Security, to explore the economics of cybersecurity. They discuss the challenges of selling security solutions, the importance of understanding business needs, and the inadequacy of mere sympathy in the face of security breaches. Ian emphasizes the need for security to be appropriate to the business context and the necessity of building trust and relationships in sales. The conversation also touches on lessons from the insurance industry and the complexities of selling preventative measures in a saturated market.

Takeaways

Security needs to be business appropriate.
Selling security requires understanding the buyer's perspective.
Thoughts and prayers are insufficient responses to security breaches.
Building trust is essential in cybersecurity sales.
Value propositions must be clear and compelling.
Empathy is crucial when selling security solutions.
The insurance industry offers valuable lessons for cybersecurity.
Preventative measures are hard to sell due to their abstract nature.
Market dynamics are complex and require strategic navigation.
Honesty and clarity are vital in cybersecurity communications.

Sound Bites

"Thoughts and prayers are not enough."
"Security needs to be business appropriate."
"Selling a preventative measure is not easy."

Ian's LinkedIn

Josh's LinkedIn

Speaker 1: 0:00

Your product is great and I like you and I like your product, but I can't buy it because you know it's like I don't know. You're trying to sell me a swimming pool and I don't have a backyard.

Speaker 2: 0:17

Ian, you've got 30 years plus in the industry, you've been a CISO, you understand the business of security and today I'm just going to, you know, open up your brain a little bit, do a little bit of surgery. This is very graphic, by the way, I didn't mean for it to go down that dark rabbit hole, but you know what.

Speaker 2: 0:37

I'm going to pick your brain. I want to know how you view the market from several different angles. I know that you've sold services to startups, to various companies of various sizes. You've been on both sides of the market You've been a buyer, you've been a seller, and so you've got this multi-pronged view, this three-dimensional view, of the security market. And I'm so excited that you've agreed to join me on this show today, and I think the people listening are going to get a better understanding of some of the crucial problems in security today, namely the challenge of selling the future, of selling security, of selling preventative measures and, in a way, the security world that, to some measure, I have as well, is being able to sell a preventative measure. That is crucial and making sure that security is top of mind and is important. So that's why we have the title today Thoughts and Prayers Are Not Enough. Right, right and Ian, why are thoughts and prayers not enough and why is that a relevant title for today's show?

Speaker 1: 2:11

I mean I'll take a slight step back from that before I dive into that. Any level of security and any approach to security needs to be appropriate to the business of the company that is buying it. I think there are, there are still this was really true in the early days but I still think there are security vendors who fail to acknowledge enough that security needs to be business appropriate in the industry to certainly to privacy and security breaches, which is our thoughts and prayers are with you. Security matters to us. Here's a you know, here's five dollars worth of identity theft protection and we're just going to go on doing exactly what we did before. So there's a mismatch there and you know I'm kind of tired of getting thoughts and prayers as the response to what it is that the company actually did. So that's where that came from. Is that? I think there are a lot of, there's a lot of inappropriateness of security. I think it gets ignored more than it should be. But I'll temper that with what I said before, which is that security practitioners because security is front and center to them, because it's really on their mind all the time think everybody should think that it's their center of attention and it isn't. If you're a for-profit business, you've got the answer right there. Profit is the center of attention and even if you focus on that, you can go totally red lobster and just things get out of control and they're a mess and it's nothing to do with security. But at the same time, I'm really very tired of the approach not in the security industry as much as across industries in general which is breach after breach, and ransomware has just amplified this, and their response to it is oh, we're so sorry, we're going to do better next time. And then they get breached again. And you know, I will say you know, there's a chance that everybody can get breached and if, for example, a nation state actor with basically unlimited money decides they want into your files, they're going to get in it's, you're not going to be able to stop it. So you know there are levels of this, there are approaches to this, but it's become very tiresome. I think the the sort of broken record of, of, uh, thoughts and prayers is it. You know, we kind of should be done with that now.

Speaker 1: 5:38

Um, when we were chatting uh, chatting before, I mentioned the Coconut Grove disaster, which is one of my favorite stories around. This. Is that you know, does somebody have to die before a problem is addressed? And with Coconut Grove that was definitely true. Long story short, I've written blog posts about it. You can Google it. Coconut Grove was a huge nightclub in Boston, very fashionable and long story short. They had a huge fire and a lot of people died because they couldn't get out because some of the fire exits were blocked and also the revolving doors. People squiffed up against them and now if you squish up against revolving doors, they collapse open, they fail open, and back then they didn't, and they were very fashionable, so they were on nightclubs. I'll leave the rest to everyone's imagination, since it's not very cheery. But you know I'm wondering who has to die before certain aspects of security get taken seriously, and you know that's come from a long time of hearing these stories over and over again.

Speaker 2: 6:51

So the short answer is both sides are culpable. I'm glad that you tempered everything, this whole discussion, with that message it's. I know that from experience Security folks like to approach with security first, and you're absolutely correct. The business has it. They don't. They don't view it as a necessity in a lot of ways, and so it is up to the practitioner and in many times, in many cases, up to the vendor to demonstrate the business value of security, to demonstrate the business value of security. So first you need to sell the, uh, the, the idea that security is needed, before you even sell the product, before you even get to the product right.

Speaker 1: 7:33

So a lot of people. I've been on dozens of calls, literally dozens of calls, with reps, vendors, people such as yourself, very nice people talking about their products on behalf. Like, I'll go on and talk to them, either because I'm trying to help them improve the presentation, which is something I've done before, or I've got a couple of clients that need a particular kind of product. So I find a few of them and I get sales presentations. And you know, there are two questions I always ask and they're questions that, surprisingly, certain people can't answer. The first one is always what's the value prop? What's the value proposition? What are you bringing to the table that is going to make me want to buy your product, possibly at the expense of someone else, someone else's product? Or, you know, I have to go ask for new budget for this because I have to have it. What's the value prop? And the second one is often a question that stumps salespeople. I'm like what's the rack rate? Like a hotel? It's like what's the most I'm going to pay, say, per user per month? Because if you're dealing with startups, like I often do, $5 per user per month might be a very good amount for, say, a word processor, but it's not for an EDR product, for example, because we've only got 50 people and we have to watch our money. So I always want to know, well, what's your pricing structure? I'm pleased to see some companies put some of that stuff up on their websites now, but I'm not asking because I'm trying to be nasty or because I'm trying to be awkward. I'm asking because I'm not going to introduce your product to someone who is never going to buy it. It's pointless for everybody, and I think that goes over people's heads as well. I mean, I do that when it's not security products. I'm like what's the cost? Because it does matter. You can have all the best features in the world, you can have a really fancy. You know you've got that Veyron, that beautiful car, but I can't afford a million dollars for a car. So and I don't think most of us can and so you pitching me on that million dollar car is like, well, that's lovely, it's beautiful. You know I need a sugar daddy or something because I can't afford it. So you know, but I think you're right. I can't afford it, so you know, but I think you're right. I mean, I think vendors need to. In my opinion, any vendor needs to approach this from a business point of view and front and center for your salespeople and their training, needs to be this is the value that we add. This is how we're going to make a difference. It isn't necessarily this is how we're going to save you money, because you know security products and insurance don't save you money, but they help you in other ways and it's a balance.

Speaker 1: 10:39

And it's tricky for very early stage startups who are really pricing is I mean, the word I always use is one I shouldn't use on a podcast. Pricing is troublesome, let's say, but let's say it begins with B and it's a really difficult thing and I think a lot of early stage startups and startups and companies in general constantly wrestle with pricing. You know you price it too low and you're going to go out of business, price it too high and no one's going to buy it. Sometimes you have to price it higher than you want because otherwise people don't think it's worth anything. But you know all of that kind of mess is extremely tricky and extremely difficult to get right and I think you know, in a market awash with security products, especially in certain areas like GRC, there's so many products you know are you going to compete on price or quality or a combination of both, and how are you going to do? It is uh interesting, shall we say yeah, market perceptions.

Speaker 2: 11:50

That's, uh, an art in itself and it's something that we don't put a lot of emphasis on as vendors and as sales folks, and you really have to approach this market with empathy. I think that that is the key. There is that you have to put yourself in the shoe of someone who has to. Like you said, they have to budget, they're sacrificing something in order to spend time with you and in order to use your service or your product. Therefore, you need to approach with an abundance of empathy. Where do you think the buying, the buy-in needs to occur? What? What do businesses, what? What is the idea that they need to buy into? You know, ie, what is the first thing? That you need to sell the concept in order to be successful in cyber security?

Speaker 1: 12:47

you know that's a very tricky question. I mean, it really does depend on where your product sits in the market. So you know, your GRC product is very different from your EDR product, is very different from whatever. Also, we haven't even touched on how now everything suddenly has ai bolted onto it, because that's what apparently everyone needs. Now there's an ai enabled toothbrush and I still can't work out what it actually brings to the table. Um, I'm like, yeah, is, is your, is your product an ai enabled toothbrush?

Speaker 2: 13:32

but it's you slap AI on anything you want to sell.

Speaker 1: 13:36

Right, I mean, you know there was a period of at least slapping AI on everything so you could get more venture money, because all the VC companies wanted to have some investment in AI, but I, you know, that's sort of shaking itself out a little bit now. Um, what do you really need to do? I mean, I think, I think, especially in larger companies, you really need to focus on relationship selling in the sense that you you need to build. If you've got a product that's got to be deployed as you know, products I've worked with before across a whole organization and you're talking to a company with 100,000 employees you've got to build a relationship because they've got to trust you to be reliable enough to not break all of their desktops and it can happen. And it can happen for all kinds of reasons.

Speaker 1: 14:36

I've witnessed recent unpleasantness for a company that shall remain nameless, but I always read the post-mortems of those things when they're available, because, you know, I worked on a product that could blue screen your computer for a number of years and it was one of our sort of horrors was that we were going to deploy everywhere. People loved the product, they wanted the product. We had one large company. We told them. This is a trial for 100 desktops and by the following Monday they deployed it on 1500. And we told them not to, but fortunately it didn't go badly.

Speaker 1: 15:20

But it's you know you. I think there needs to be a trust there and it's difficult, especially for very early stage startups, to build that. I think friends and family matter and I don't mean like you're selling this to your mother, well, if your mother will buy it, sure. But what I mean is you need people that you've worked with or built trust with in the past to not and I'm coming from a startup mindset to to engage them in getting your product you know out there and engage them in getting your product out there and engage them in showing them that your product can actually add the value you say. It can not crash their entire network and then you'll get the testimonials that you need for other people that you don't know to buy it.

Speaker 1: 16:10

I think startups leverage their contacts and their venture capital companies and so on, I think larger companies. It's really just a lot of pavement pounding. The cone-shaped diagrams of this is what we're putting in, and I guess they're that way Cone-shaped diagrams with the big top. You put a thousand leads in and eventually you get three sales out. Those are for real and I think to be a frontline salesperson in any market, but especially cybersecurity market, requires a lot of ability to smile and nod and move on when you've been rejected.

Speaker 2: 16:49

Rejection is abundant in the security market and you know what.

Speaker 2: 16:54

I. What I find is like insurance companies and maybe we, if we had more time and I had more brain cells. I can come up with a few more examples, but selling a preventative measure is not easy, so insurance is probably the other industry where you have to sell a problem that hasn't existed or doesn't hasn't happened yet. But we know, when you're selling life insurance, we do have past data that is a hundred percent reliable, that the probability of someone passing away is a hundred percent, unless you're like you know Elijah, or from the, from one of the prophets from the Bible who walked with God and was no more.

Speaker 1: 17:37

But yeah, and even then, when does your life insurance end? I would say that at that point you would have classed as dead and his spouse could have cashed in on his insurance. You know right, we're all going to die. You know, when you sell insurance to an 85-year-old it's different from selling it to a 25-year-old. But you're right, there are actuarial tables and one of the reasons for that and this actually jives in with the Coconut Grove example in certain fields like actuarial tables or architecture or engineering, we've had a long period of experience. You know, I found out that the basic programming language, which was the first one I ever played with as a kid, is literally only 60 years old, whereas, like we've been building you, building arches on buildings and things that require a lot of engineering for thousands of years. So you also have to acknowledge that the whole technology field is very, very young and we don't really know what we're doing in a lot of ways.

Speaker 1: 18:48

Coming back to insurance, I think insurance a lot of people wouldn't buy home insurance unless the bank made them buy it. People buy it because they have mortgages, some, you know, cars. People buy insurance so they can get the plates. I know in Massachusetts, if you don't have insurance, you can't get plates, and if your insurance is canceled, they will put your plates on the these are no longer valid list and you'll get pulled over at some point. In other states that's not true and in other countries that is or isn't true. But you know there's a balance between regulation and sense. Shall we say sense? Shall we say it's like?

Speaker 1: 19:37

At some point people might say, yeah, you know, maybe I should get life insurance for X, y, z, like if I am saving for my kid to go to college and I want them to go to college whatever happens, maybe I need life insurance on myself so that if I unexpectedly die, the shortfall in their college fund will get made up by life insurance. So I might actually buy life insurance that pays to the college fund and not to the kid. But would I buy life insurance on a kid? Probably not, because no offense to people whose children die, but if a kid dies they don't owe anyone anything, whereas if I do, I probably owe people, and so there's balances to be struck in insurance and then take that and pick it up into cybersecurity.

Speaker 1: 20:28

If everything your company does is inherently public, let's say, you know your business is. You make a public website that anyone can use. You know your Wikipedia, you want people to be on your website, you want people to modify it and you provide them with a way to modify it. It yes, they need cyber security because we don't want people going in and taking, you know, the, the ian pointer page or the or the josh burning page and and and changing it to say things that aren't true, but actually it's crowdsourced anyway. So sometimes you do find things that aren't entirely quite right on wikipedia, but it's balanced. But if you're dealing with, you know, national security, it's a whole different ballgame.

Speaker 2: 21:18

Much higher risk and you know what you just did there, Ian. That, I think, is I don't even think that we planned that, but I don't think that you even realized that you just solutioned insurance that was a solution. That was a solution based approach to insurance and that's the kind of lesson that I'm talking about, that we can learn probably from other industries.

Speaker 2: 21:42

In that, yeah, yes, insurance, even if it's something that is common, everybody knows it, everybody wants it, there are tricky niches within secure, within insurance such as being able to sell insurance to someone who has a very low probability of dying anytime soon but, there's a way to do it in in such a way that the policyholder hairs. There are stakeholders, there are people who are emotionally vested in this and that's the approach we should take.

Speaker 1: 22:12

You know, there are companies that you know find people who've had children and then sell them insurance on the children and I'm like, why would you want that Other than, oh, my kids are dead and now I've got $10,000 to buy myself a commiseration present. It's ridiculous. It's a stupid way of looking at it, in my opinion. But the other way around, it's like if you've got kids and you want them to have a certain set of opportunities that you're saving for like you want to pay for college, or you want them to have enough money to take a year off and go travel the world when they're 18 or whatever it is then if you're saving money for your kids, insurance is a way of hedging against something horrible and you can get people to think about it in a different way by framing it that way. So it's like you know, if you own a house and you don't care if it burns down, why did you buy insurance? You know you own a house that's I don't know in the country that you're never going to live in, you're not sure what you're going to do with it and it's kind of falling down. Would you care if it burned down? And if you wouldn't, then would you buy insurance on it, maybe the land is what's worth the money. And so I think, teasing those things apart again, we're back to technology in general and cybersecurity in particular extremely young industries and so, consequently, we're still learning. You know, we're still building the plane while we're flying it, and we're especially doing that with AI, which is a whole topic for another day. But you know're we're learning how to do this thing, and I think you know cyber security insurance is actually a good cross section to look at, because it's become increasingly difficult to buy insurance for cyber without um, without having some kind of something, some kind of, even if it's a self-assessment. Some insurance companies are asking for things like SOC 2 and ISO 27K, and that's going to continue because they've got to have some way of compensating for the fact that we don't have cybersecurity actuarial tables that are published.

Speaker 1: 24:35

You know, with life expectancy, you can look up what your life expectancy is as a you know 29-year-old man or a 47-year-old woman, and you can get a bell curve of. You know, you might be that woman that lives to 110, but you're going to be way up the end there. When you look at it on a bell curve, it's pretty obvious to anyone with a little bit of mathematical background that you're probably not going to be that person, but you're also probably not going to be the one you know. You're already not, when you were 27, the one that died in childbirth or was infant mortality Worldwide. Most kids you know. Life expectancies are much lower worldwide because a lot more people die before their fifth birthday.

Speaker 2: 25:28

So you can't take a world average. It's a whole different ballgame, you know. Yeah, so you can't. On a positive note, before I get to that positive note, one more dismal thing, yes, okay. Or maybe just an objective, neutral observation. Insurance companies are, before they even insure companies these days. They to your point. They're making them take these assessments, they're making them have certain cyber security measures before they even issue a policy. They will not issue a policy to a company who does not have prudent practices, and so there is somebody putting their money where their mouth is. And so it's true or not, there are lots of lessons that we can learn from the insurance industry.

Speaker 1: 26:35

Just do care being one Right. Well, they learned that lesson by getting seriously burned, and ransomware has upped the ante on that. Because it used to be, people would get broken into, but there weren't that many consequences other than thoughts and prayers. Now your whole network can potentially be completely shredded, and insurance companies have had to pay out for that, especially in the early days of ransomware. So now they have tightened their standards to make sure that they're not giving insurance to people that aren't at least doing the barest minimum. I mean, self-assessments are kind of interesting. An insurance company gives you a self-assessment. People use, shall we say, creative answering techniques.

Speaker 2: 27:22

Right. You're the monkey holding the bananas.

Speaker 1: 27:26

Well, and then what they don't realize is that their creative answering techniques will be used against them if it ends up in court. Then they make a claim against their insurance. It gets denied. They go to the insurance commissioner in their state or possibly to a court and the insurance companies say well, they said on their form and here it is, that they do this and this that they had 24 7 monitoring of their network and we don't see any employees there in the middle of the night and they don't have enough people to run a 24-hour sock and they haven't outsourced it. So, consequently, they violated their contract by lying on the form and we're not going to pay them. And the courts will say, yeah, you don't have to, because they said they were doing X, y, z. They said they put a fence around the swimming pool, but they didn't, and then it kept drowned. It's like, okay, fair enough. So they've learned the hard way.

Speaker 1: 28:28

Insurance companies Some of them were seriously toasted by ransomware and if it weren't for the reinsurance market, which is a another can of worms to delve into, they probably wouldn't have continued in business. But insurance companies insure themselves against insurance problems in the reinsurance market, which is even more fun. It's interesting how these things play out, but you can't necessarily think of all of that when you're a vendor. When you're Josh, and you're going to someone and saying I've got a great solution for you to your problem in this area of cybersecurity, you can have thought about all these things, but you're not going to sell it by approaching it that way.

Speaker 1: 29:17

As a consultant, sometimes I've told people don't lie on this questionnaire and I won't lie on it for you, so don't ask me to fill it out, unless you want me to tell the truth, because I don't think it's good to lie on questionnaires that might later come and haunt you. It's much better to say well, we don't have this now, but we will have it. Here's our security timeline that we put together, and we don't have XYZ right now, but we will have it in six months or we will have it in three months. Tell us if you want us to change the priority of our security timeline.

Speaker 2: 29:54

Yeah, now that we've bludgeoned the security folks. You know we've been very hard on the vendors because we started with. Thoughts and prayers are not enough, but we are culpable and we're to blame in the way that we approach and we need to be more empathetic. No-transcript. And that's the only way that both sides of this equation will balance.

Speaker 1: 30:53

Well, and I think you know the ideal, the ideal customer for someone trying to sell a security solution. The ideal vendor is one who actually adds value and can speak clearly about that value. And the ideal customer is someone who understands the their security timeline and their needs vis-a-vis the risk level and risk profile of their business. And you know, basically, they're coming to you, to your company, and calling up and saying you know, I really need a solution in this space. I'm looking at three of them have a salesperson talk to me and you're coming to talk to someone who's completely ready to listen. But I think the reality is that, because of that cone we were talking about before, of the thousand people that go in the top of the cone, not many of them are coming. From that point of view, Right.

Speaker 2: 31:51

I mean, what can we do to make that better? It is better if someone approaches you because but I think that buyers, or you know organizations at large, they don't know what they don't know and they're not invested in knowing more about something that they don't know, that they need to know.

Speaker 1: 32:07

This is where good marketing comes in, because you really do have to have good marketing Right, because you have to be communicating to the market the things that you do and that you do well and what your value prop is in an overall sense, so that they know to even talk to you or listen to you in the first place. Because if you're a CISO and I know a lot of CISOs basically any email that's coming into you or phone call that's coming into you that's not from someone you know. Hence the building relationships with people. Once you do connect with them, you're just going to ignore it because it's just too much. So you know that you're against as well.

Speaker 1: 32:47

Actually, getting your name out there is very hard because it's a very saturated market now, but it hasn't really had I don't think it's really had a complete house cleaning yet, but it's consolidating and I don't know if that's necessarily good. So there are a lot of very big companies who want to have one of everything and so if your startup is lucky, you get bought by one of the big companies that wants to have one of everything because you're one of something, to have one of everything because you're one of something. But do I want to buy absolutely everything from one company or do I want the best solutions available. That's a trade-off, because there is no one big company that has the best of everything.

Speaker 2: 33:32

And we all know that big kahuna who thinks that they do? And I've got a lot of friends who work over at that big kahuna, so no offense do. And I've got a lot of friends who work over at that big kahuna, so no offense to them. But yes, there are plenty.

Speaker 1: 33:43

You know there are. There are still two or three or four kahunas, and they've changed over time. I mean, it's the 1950s slash, 60s adage of no one ever got fired for buying from ibm, and so people would just buy everything from ibm when it came to technology, because you didn't get fired for that and you could always blame ibm for not having a good enough solution. And I thought, well, that's nice, but is that really the right way to run technology or run security on behalf of your business? Oh, we're just going to buy whatever prevents me from getting fired and then we're going to put the rest of the stuff in the you know, in the ignore folder or the don't show to IRS folder or whatever it is. And you know it's.

Speaker 1: 34:32

Yeah, I mean, it's tough being on either side of the equation and it's um, it's tough making a name for yourself as a company, even if you have an excellent solution, especially if you have something that is a revolutionary, not evolutionary. So occasionally you come across a startup that's doing something that's truly different and you're like, wow, doing something that's truly different. And you're like, wow, you know, because, because you're a technical person or because you're immersed in a certain part of the industry. You see something you're like, wow, this is just different and imaginative and amazing, and they're just as likely to go out of business in two years as they are not to go out of business in two years because people don't pick up on. There's the, the whole, you know, crossing the chasm, the, the, the book, that that, uh, still is relevant, even though you know the writing style isn't quite what it was. But you know, there's, there are, there are, I'm sure, a lot of amazing security solutions or technology solutions in general that have just gone down the toilet because nobody realized that they were revolutionary or that they could really change things and nobody bought and so the company shut down and everybody went somewhere else.

Speaker 1: 36:03

And you know I mean I worked in what became application whitelisting in the days before it was called that, and it was, you know very much it was like, oh well, you're just another antivirus, but it's a different approach. And now it's like, oh well, you're just another antivirus, but it's a different approach. And now it's like the core of everything. And you know, knowing what should be on your network and fingerprinting things and all the other stuff is like a no brainer. But go back some number of years and it was revolutionary. It was not something that most people thought about, so it's kind of. It's interesting. And that's true in all markets and technology. The best products are not always the ones that survive, right? Um, just ask xerox park, or you know. I mean the apple lisa kind of came around again as the mac, but Xerox, xerox PARC had their computer with a mouse and Windows and everything else before anyone else did, and Xerox made basically nothing out of it.

Speaker 2: 37:09

It is a very complicated issue, and we've demonstrated that here before we could even get to the buyer side. You have problems that you need to address, just namely understanding your solution but, more importantly, understanding the problem that you need to solve, and understanding that businesses have to make sacrifices, they have to give up something in order to get something, and so you're not just approaching a blank slate. You're approaching something that has a history and has needs.

Speaker 1: 37:43

I've been in situations where somebody has pitched a product, either for a client of mine or you know, and occasionally for someone I was working with, and I'm like this is a great product and I really love what you're doing and I'm not going to buy it. And I really love what you're doing and I'm not going to buy it because we're not ready for it or it's not appropriate, fit for where we are and what we need right now. Or, you know, the price point is wrong for now. And it's like I'll tell people you've got an amazing product but I can't buy it. And you know, here's why. And it might not be anything to do with your product being bad. Or you know it's probably your product is great and I like you and I like your product, but I can't buy it because you know it's like I don't know you're trying to sell me a swimming pool and I don't have a backyard, you know, and it's like I love your swimming pool and it's really nicely put together and it's stylish and I like the, the, you know the solar heating and everything else, but I don't have a backyard. So where am I going to put it?

Speaker 1: 38:48

And and that sometimes, you know, I think that can be. I think as a salesperson, you have to learn to take that thing as positive. It's like well, like well, okay, that's actually good, even though I didn't sell anything. You know they're not saying I'm not going to buy this because it's total crap, which you know most people wouldn't say out loud. I might, but you know it's it's.

Speaker 1: 39:14

It's getting getting the balance right and understanding that business comes first, profit comes first. I mean, in a nonprofit it's not profit coming first, but it's mission comes first, organization comes first. And it's like oh well, we were going to spend that $100,000 on daycare for everybody at work and so we're not spending it on this security solution Isn't how it usually works, but ultimately decisions like that get made. So you know you have to bear in mind that businesses work like businesses and they have decision-making processes and take off the blinders that make you think that security is front and center for everyone, even though it is for you. You know you may love security passionately, you may not, but you know you probably if you're selling security, you love it passionately, but not everyone else even thinks about it. You know, just because you love your favorite baseball team to death doesn't mean that other people even think about baseball. Not only do they not think about your team, they don't think about baseball at all. I rarely think about baseball. I did more when I lived in Boston.

Speaker 2: 40:39

That's so true. That's such a great analogy. You know what, ian? I've got to get you back on this podcast for another show. I think there's so much that we could still talk about and discuss in this space. I'm sure we can find something controversial.

Speaker 2: 40:53

Oh my gosh. And for a show on cybersecurity economics. This is just. I've learned so much in the past hour. I really appreciate your time and you being here. It's been a pleasure. Let's leave it with that. If people want to get a hold of you and they want to get a hold of Kalahari Security for particular services, how do they reach you?

Speaker 1: 41:21

I mean, I'm easy to find on LinkedIn so you can hit me up there. From there you can find Kalahari's page. We have a webpage. That's very minimal. You can contact me via the webpage. You can also read the things I rant about on Substack, including Coconut Grove. So yeah, if you want to find me, I'm pretty easy to find. From a professional point of view, I'd say either LinkedIn or KalahariSecuritycom. And then there's you know, message me, contact me, whatever works for you.

Speaker 2: 42:00

All right, and Ian told me off camera and when the mics weren't on, that he loves to get calls at 4 am, and so I will give you his phone number 555-555-5555. He loves it.

Speaker 1: 42:17

What you'll be pleased to know is my ringer is always off when I'm asleep. This is part of the I don't want to do. You know, don't want to do things where I need to be on call anymore. So yeah you can ring all you want. But I'm not going to answer it until the next day at the earliest.

Speaker 2: 42:39

Yeah, you know who else said that. When I made that quip, dov Yorin also said that and he was like yeah, you can call all you want, but I'm going to be asleep at 4 am, so I sense a theme here.

Speaker 1: 42:51

Well, you have to know which time zone I'm in, to know when. 4 am is as well, so you know that could be a challenge. Right, right, 4 am is as well, so you know that could be a challenge.

Speaker 2: 43:05

Right right, All right. So for everyone who has listened to this episode or watching this episode, thank you so much. It means a lot to me and a lot to the Security Market Watch Network that you listen and that you watch. You can follow me on LinkedIn. It's linkedincom slash Josh Bruning. Watch, you can follow me on LinkedIn. It's linkedincom slash joshbruning. If you have any inquiries, you can shoot it to info at smwpodcastcom and I'm looking in the camera here as I say this to all of the sales folks who suffer from rejection it's me, not you. Sometimes it's you, but sometimes it's me on behalf of you. Know all the companies who have said no, Ian. Once again, thank you so much for your time. Oh, you're welcome. Thanks for having me. All right, Bye.