Are you struggling with defining your ideal customer profile (ICP) while ensuring successful pipeline generation? How can you effectively balance investments in brand and pipeline to maximize ROI? Curious about strategies to differentiate your product in a crowded cybersecurity market? Dive into this episode for insights on these common challenges and learn actionable strategies to enhance your sales and marketing efforts.
In this conversation we discuss: 👉 The importance of defining and evolving your ICP for effective pipeline generation. 👉 Strategies for balancing brand and pipeline investments for broader company growth. 👉 Differentiation techniques to stand out in the competitive cybersecurity space.
Join Sri Sundaralingam as he delves deep into effective pipeline generation strategies, the significance of precise ICPs, and investment optimization for cybersecurity companies. Gain actionable insights on how to position your brand distinctly in the market, ensuring sustainable growth. Tune in to this episode and take your cybersecurity sales strategies to the next level!
Connect with Sri Sundaralingam on LinkedIn and visit Xage Security.
[00:00:00] Hey, it's Andrew. And just quickly before we start this episode, I want to tell you about one of my favorite podcasts. It's the Bare Knuckles and Brass Tacks Podcast. Not only does it have a great name, it also has a really good format that's interesting. The two hosts are both named George. That's not what's interesting about it. It's that George K is on the vendor side and George A is a CISO on the customer side.
[00:00:24] And they have real conversations, sometimes with guests, about the world of vendor-customer interactions. They're not afraid to call out bad behavior on both sides and talk about the weird and wonderful nature of this world of ours in cybersecurity. Recent favorites of mine are the one about building trust called Taking a Flamethrower to FUD and Buzzword Mumbo Jumbo.
[00:00:46] And also the one with someone who's a field CISO, an advisor to startups called How Security Buyers Think and Go-To-Market Strategies for Young Companies. I'm not getting paid for this promo. I just really enjoy the show that the two Georges put on. Check it out. It's the Bare Knuckles and Brass Tacks Podcast. Now on with this episode.
[00:01:36] Yeah, let's go for it, Andrew. Sounds really fancy right there. Ah, good one. My first job as a kid was a paperboy in Toronto. I grew up in Toronto, Canada. And man, it was a fun job. I got to meet my neighbors. So some great memories from that.
[00:02:10] Sometimes I had to. If the payments were overdue, that was found on my duties. Most of the time I had to just deliver the papers. Yeah. Yeah. And yeah, and sometimes it may not be, you know, an easy conversation. But, you know, folks are usually polite when they know they're overdue.
[00:02:32] So, but it was a good lesson, you know, in terms of, you know, not just like, you know, how you make some money, but how you deal with different people of different backgrounds and, you know, how to be polite and be firm when you had to go remind folks that they were overdue with their payment. Yeah.
[00:03:09] Yeah. Maybe a memorable moment early on, you know, look, I got into cybersecurity 25 years ago in, you know, early 2000s at Cisco. And one of my memorable moments was I helped one of the sales teams at Cisco crack into Wake Forest University. Cisco was trying to get into that account.
[00:03:30] And I had no idea how important that, you know, customer was, but I was simply helping doing my best from the product side, from the headquarter side, working with the sales team. And when they won the account, they nominated me for a breakfast event with John Chambers. And then I came to find out his daughter actually went to that college and he was tracking that account. So it turned out to be a memorable moment in a positive way.
[00:03:59] The big takeaway. Oh, I mean, man, doesn't matter whether you're running a Fortune 50 company or a small startup, be humble as a leader. John Chambers was one of those folks. It doesn't matter who you were. He ran into you in the elevator or, you know, a customer meeting or whatnot. He was a great individual as a leader.
[00:04:45] Ah, good one. Yeah. So as I mentioned earlier, Andrew, so back in, this was 25 years ago, I was working early 2000 at Cisco for the desktop enterprise networking group, actually. And we had integrated Wi-Fi into the enterprise networking portfolio. And if you remember back then, Wi-Fi security was broken. You know, WEP was a basic security that was broken. A lot of enterprise customers were nervous.
[00:05:14] They needed somebody from the desktop business unit, desktop switching, the Wi-Fi business unit to work with the security team to come up with, you know, good sort of architecture options for the enterprise to adopt. So that's how I got into security. I started working with the security business unit at Cisco. And, yeah, never looked back. That's, you know, getting in from the product side in a more of a technical evangelist type of function.
[00:05:42] And it's been a fun ride. Mm-hmm.
[00:06:45] Mm-hmm. Yeah. Yeah. And specific to, I think we're focusing on pipeline generation as a key initiative, let's say, Andrew. So, but let's say even beyond pipeline generation, some other areas that needs to be looked at. But pipeline generation, first and foremost, you know, thinking about it, looking at, you know, your ICP, right?
[00:07:10] Based on what's the technology you're bringing to market, what would be your ICP, what's the current definition of it, what have you learned, how can you evolve it? That would be the first area, right, to look at. The second one is your messaging, positioning, and overall value proposition. I mean, that's important, right, to position the company, you know, to the broader audience, as well as to help drive meaningful pipeline generation.
[00:07:38] So, so I would look at that as a second area. And, you know, third area is what I found through my experiences, you know, when companies are in these stages, you only have limited amount of investments. And it's not, even when you get beyond 10 million in ARR, it's not like you're given unlimited budget on the marketing side, right? So you have to prioritize, scrutinize your investments, right?
[00:08:04] In most of the situations, what I've seen is most of the investment is going to go towards pipeline generation investments. But regardless of, you know, whether how much is going to pipeline generation, how much is going outside of it, you know, look at the overall investments, scrutinize it, you know, make sure you're not peanut, you know, you're peanut buttering your investments, right? And not getting the ROI you need. So those are the sort of three areas I would go through, you know, with the CEO to help them.
[00:08:53] Right. Yeah. I mean, there you go. You nailed it. Like if you go too broad, right? If you, you know, if you sort of move with an assumption, you're going to go broad across, let's say, large enterprise. And you're going to go target every, you know, industry, right?
[00:09:22] And then you're going to be able to get to C level within those industries. It's going to end in tears, right? So one of my learnings is, you know, you have to figure out like for the technology products that you're bringing to market, which specific industries would be of the best target, right? You know, even within a large enterprise. Sorry? Yeah. Yeah.
[00:09:49] And, you know, not, I would say a lot of the times it works in cybersecurity because now it's a very competitive market in cybersecurity. So many vendors, so many different solutions. So I do believe in going verticals, regardless of, right? Whatever you're bringing to market. And, you know, so in addition to the verticals, the industries, you know, it's still important to map out the personas because if you're targeting large enterprise, everybody, to your point, will want to go after the CISOs.
[00:10:17] But the CISO is already super busy, right? Right? Firefighting, helping, you know, as our team scale, run day-to-day business as much as focusing on strategy. So you got to figure out, okay, in the security organization, who else, like who else, you know, who do you need to target? Who are key technology decision makers, who may also have budget authority, right? In addition to kind of, you know, sharing that with the CISO for key purchases.
[00:10:44] So, you know, that ICP definition, don't fool yourself, right? Really scrutinize what are your key strengths of your technology, right? And which industries can you succeed and which personas? And sometimes you may even go beyond the security team if you're able to sell it to the business unit to get the budget allocated for a security initiative. And I can give you an example that I learned at Shape Security.
[00:11:09] Yeah, so at Shape Security early on, we were having a lot of success with e-commerce and financial services organizations. So Shape Security had brought, you know, a very large-scale, advanced, sophisticated bot prevention, bot mitigation capabilities to market, right? And initially, the real traction was in, you know, large e-commerce type of companies.
[00:11:36] You know, Starbucks was one of our clients early on, financial services customers. And, you know, trying to sort of understand what's the value for, right, for them to deploy this technology. Well, fraud prevention was the biggest value prop, right? So like in e-commerce, a company could be, you know, losing, you know, tens of millions of dollars on an annual basis due to, you know, fraud.
[00:12:01] And a lot of that could, you know, originate from account takeover attacks, you know, your threat actors basically targeting consumers, right? Taking over their accounts and cashing out valuable assets in those accounts. Ultimately, the brand that's dealing with it has to pay the price for it because those people are going to complain back to the brand that, hey, you know, my account got stolen. Even though it may have been their fault, you know, they used a weak password or whatnot.
[00:12:29] So one of my early experiences at Shape Security was when I was studying the market, you know, what I realized is, hey, this bot prevention technology can apply outside of e-commerce and financial services, right? So without broadening too much when we started to scale, you know, sales and marketing, you know, really looking at which other verticals would be relevant.
[00:12:52] And what we found out, you know, working with the sales team, you know, with some initial inquiries and conversations, you know, travel and entertainment industries were getting hit with similar problems, right? Where, like if you're an airline company or hotel company, you know, threat actors are targeting their, you know, end users, right? Their customers and cashing out travel points or, right, you know, valuable, you know, points that can be transferred to cash.
[00:13:21] So it was really important to try to understand, okay, what is the technology, what is the key value prop, right? And, you know, how do you justify that purchase? And then try to map that across, you know, to industries where you can succeed early on.
[00:14:08] Yeah, great question, you know, Andrew. And I think founders should have that strong vision, that broad vision. And what I try to educate is, yes, let's put together the messaging and positioning and the value prop, you know, to that to be more broader. That's fine. I wouldn't, you know, overly kind of fool yourself there either. But, like, be real. If it's a large enterprise focused play, you can put together a messaging positioning to be a little bit more broader.
[00:14:36] But at the same time, you can also invest in, you know, things like content and in your website to target the specific industries, right, where you're going to have traction. And drive your pipeline generation that way and drive your, you know, sales team, you know, in terms of, you know, getting the qualified leads and meetings that can produce, you know, qualified deals and start to succeed early on.
[00:15:02] So there's nothing, you know, to your point, there's nothing wrong about actually being, you know, broad and having, you know, a story that can resonate. But at the end of the day, when the, you know, when the rubber hits the road, be real in terms of, you know, where are you going to win your initial deals and where are you going to invest your dollars, right, for pipeline generation, as an example.
[00:15:35] Yeah, yeah. No, it's a good point. And, you know, at startups, I think there is, it's good to have that, you know, curiosity on the sales team side. Right. So, and what I found is, you know, yes, you need to go do that exploration, but let's do it in an educated way. Right.
[00:16:30] Yeah. So, you know, this is where, like, I think about brand, right. You know, developing a strong brand for the company is important from early on. Now, you're going to continue to evolve in terms of what your, you know, key messaging, your positioning and overall value prop is. And that's okay, as you learn in the market. But I think, you know, having, you know, a more concise story in terms of what your capabilities are, right.
[00:16:58] And being able to talk to your buyers is important. I think if you come across, you know, too broad, too generic, you're going to get lost in the noise. Right. So, you know, again, you know, we're a couple of thousand vendors now in the cybersecurity industry. Everybody, you know, sounds the same, and buyers can't distinguish. Why do I need to, you know, engage with you versus I have, you know, tools, you know, security controls X, Y, and Z already.
[00:17:26] So, you do need to be, you know, more focused in terms of, like, what problems you're solving, right. And, you know, what's the overall value you can bring to your key target buyers in your messaging. A website is one of the important investments that you have to make early on.
[00:17:45] And, you know, really do a good job at that because, you know, as you're starting to do outreach in different channels, you know, your potential interested buyers are going to come to your website to kind of validate because there's not going to be other places they can validate you. So, they will initially come and try to make sense of, okay, you know, what does this company actually do? What capability do they actually, you know, bring to market?
[00:18:10] Yeah, great question.
[00:18:56] Maybe I'll go back to my Shape Security and provide that example. Early on, when, you know, the founders and the team had launched Shape Security, there was great messaging they had used about fighting, you know, AI, the bad AI with good AI. Great messaging from a brand perspective, you know.
[00:19:16] And they were one of the companies who had operationalized, you know, how AI can be used by the good guys, right, to protect against, you know, different type of adversaries, right? The problem with that was it's good from a brand perspective to get media attention and get the market excited. But when you start talking to the buyers, usually the conversations start to kind of derail, what exactly do you do, right, in terms of protecting against bad AI? Like, what are the specific security controls?
[00:19:48] Yeah, exactly. Exactly. So, now what we did there is what we realized the biggest value add we're bringing with, you know, the bot prevention, bot protection technology is, you know, we were really providing advanced. One of the strong use cases initially, we were providing advanced, you know, website security, right? You know, advanced website protection.
[00:20:12] So, when we kind of pivoted to that as a central theme over value proposition and started talking about how we can protect from, you know, account takeover attacks, right? And we can protect from, you know, even like website scraping that could be an issue for certain type of companies in certain verticals.
[00:20:33] So, then it's, you know, there's an example where your value proposition is more focused in terms of how your technology can be applied to solve problems in terms of the target audience you're going after. Then, you know, the education started to become a lot easier, whether it was, you know, educating in a first meeting through a pitch deck or through the website, right? In terms of offering relevant content, right? In terms of use cases, right? In terms of case studies and stuff like that.
[00:21:03] Then, you know, you start to unlock that potential in terms of engaging with more and more interested, you know, buyers.
[00:22:07] Yeah, great question, Andrew. And I think, you know, I think about more like the funnel, right? You know, the early stages of the funnel. I think you're trying to educate the audience, right? Like, you know, in terms of just building awareness, like what problems are you solving, right? And talking about it in terms of the end user's language, right? In terms of specific problems they're dealing with and what are potential solutions.
[00:22:36] Differentiation is important there, but not as much in terms of trying to get them to, you know, trying to get them to kind of, you know, engage with you, right? In terms of, okay, where can I engage this company in terms of what problems can they help me solve? When you start to move down the funnel a little bit, like middle part of the funnel, right? As you engage more and more potential interested buyers, what you're saying totally makes sense.
[00:23:02] The differentiation is key because, you know, when buyers, you know, move into consideration phase, there's a lot of ways to solve specific problems, right? But that's where you have to make the case in terms of, you know, what are the differentiated capabilities that you're bringing to market that's going to be, you know, really materialistic to them, right? Whether it's, you know, more capabilities or you're solving the problem in a different way, right?
[00:23:26] That can accelerate time to value, you know, for the end users or whether you're saving money, right? Whatever those differentiators are, I think that's when you start to talk to your interested buyers to kind of solidify their interests so that you could kind of further move that conversation.
[00:24:33] Yeah, so I think, first of all, pipeline generation without investing in brand won't succeed, you know. While the stage, you know, that you're in, you know, leading to 10 million in ARR, pipeline generation does matter a lot. So majority of your investment is going to go towards that. But if you completely, you know, starve your quote-unquote brand investments, then you're not going to succeed.
[00:25:02] So we talked about the website, right? So, you know, the brand investment doesn't have to be as, you know, highly, you know, expensive. But, you know, making sure, again, your website is properly invested in with good content, right? You know, that's for the different sort of phases, right? As I mentioned earlier, that's key. And then, you know, there may be some other brand investments you may want to do, but don't totally starve it.
[00:25:29] And then just put everything into your pipeline generation because you're not going to help yourself. So specific to pipeline generation investments, don't peanut butter either, right? Because I think in the security industry, there is a temptation to, you know, go after some large conferences, you know. And you may want to spend a lot of money in these large conferences, but what is the ROI going to do, right?
[00:25:54] So you really need to think through for pipeline generation investment, you know, back to mapping back to your ICP. How can you get to your, you know, key buyers, right? In those key industries. And how can you produce, you know, meaningful, you know, qualified leads for your sellers that can convert to pipeline?
[00:27:05] Because, you know, purchasing, if you think about it, as much as there is a lot of logic is involved, a lot of, you know, structured way to decide who you're going to, you know, buy. There's emotions that are involved as well. Like cybersecurity is a business where, you know, buying cybersecurity, you know, security controls, it's kind of like you're buying insurance policies, you know. So who are you going to trust? So emotions are involved. And I couldn't agree more.
[00:27:31] So I think being able to make sure the buyers, you know, can, you know, sort of relate to you and they can, you know, giving that, you know, impression or, you know, enabling them to be able to trust you is really key. And you can't do that without thinking through what, you know, some, you know, important investments you got to do on the brand side. Right.
[00:28:02] Absolutely.
[00:28:43] Yeah. And I think, you know, it's not just RSA, there's Black Hat, there's other conferences, right? So those are tough decisions, I think, you know, in this particular scenario, the cyber donut scenario, the march up to 10 million ARR, like if you got limited overall funding, then, you know, investing in a large conference, you know, could cost you an arm and a leg. And, you know, we're competing for attention with hundreds of other vendors.
[00:29:11] And, you know, it may be good for your brand in some way to be there, but will it really result in not a qualified pipeline? Right. So that is a type of tough decision you need to wrestle with. What I can tell you, you know, I've done, you can participate in these large conferences because, you know, you can submit for papers, right? That's free of charge. Right. And, you know, they have other, you know, sort of programs.
[00:29:39] They highlight, like, RSA has their sandbox, right? Innovation sandbox and other programs. They highlight upcoming, you know, technologies and innovation. So I think you engage in that. And you can also be creative in terms of some events you can do outside of the conference, some auxiliary event. You know, when I was at Shape Security, my team had proposed a bunch of options for RSA. This was seven, nine years, eight or nine years back, sorry.
[00:30:08] And, you know, one of the auxiliary events they had proposed was to work with, you know, this company that ran an experience, you know, sailing experience on a yacht. And this yacht is actually a retired yacht from, you know, Larry Ellison's Oracle Team USA, one of the cup winning yachts. And you get to have the guy who was the manager for Larry Ellison as a skipper for the yacht.
[00:30:36] And, you know, I was like, I'm like, why not? Let's give it a try. I mean, whether the weather is going to be predictable or not. And I mean, who knows how many CISOs would be interested in. And I swear to God, Andrew, we packed up a yacht with, you know, I don't know, close to 20 CISOs, having a great experience learning from the former manager of Larry Ellison's Team USA. And so those are the things that you got to challenge yourself.
[00:31:04] Like, what can you do, you know, outside of the kind of the normal boundaries where you can be creative and, you know, get the excitement and help generate qualified pipelines. Okay.
[00:31:34] Yeah. There you go.
[00:32:12] Yeah. Yeah. True experience. I'll give you one more example on the events. You know, Andrew, this is a tough thing to wrestle with for a lot of early to mid-stage startups. And, you know, one of the things you can do is you can, you know, back to the ICP, right? Figuring out which industries you're going to go target. Like, at Xage Security, early on when I came in, we were targeting oil and gas industry, right? So it was one of our key industries.
[00:32:40] So as I did more research on that with my team and talking to my sales team at Xage, what I found out is there's an institution called American Petroleum Institute. I don't know if you heard of them, API. They were founded more than 100 years ago to define spec for oil and gas pipelines, how to transfer oil and gas. And along the way.
[00:33:18] Exactly. So, well, credit to this organization, American Petroleum Institute. They've established many working groups, right? So it's a nonprofit organization. They've established many working groups. And one of them is cybersecurity. It became more and more important to them, you know, a couple of decades ago as oil and gas pipelines. And, you know, whether it's even drilling sites, right? Everything is interconnected now, right?
[00:33:47] We call it upstream, midstream, downstream. When you look at oil and gas, everything is, you know, interconnected. So they started the cybersecurity practice a couple of decades ago. And it's grown and grown. And they do an annual event in Houston, API Oil and Gas Cybersecurity Summit. It's attended by security architects to managers, directors to CISOs who are in the oil and gas industry. So that's the type of research you got to do and challenge yourself and figure out, okay, you have limited amount of dollars.
[00:34:17] How are you going to invest, right, in pipeline generation that can be, you know, really materialist, you know, to help grow the business?
[00:34:52] Exactly. And one last thing I would add is, and I've learned this the hard way in pipeline generation, you know, having a business development, a BDR function is key, right? And I think early on, you know, you may not be able to fund the heads, right, if the company is small enough. You're at the stage where, you know, you need to hire key salespeople, right? You need to fund pipeline generation activities.
[00:35:18] You may not be able to hire, you know, a BDR inside a business development team. You could work with an outsourced one. And this could be a separate topic itself, you know, but I think, you know, it's okay to do that early on. You know, you allocate part of your pipeline generation dollars towards an outsourced BDR firm.
[00:35:40] And, you know, I think there is a point in that journey as you approach 10 million ARR, you will want to switch to an inside team. It becomes, you know, I think it's a transition you can work through. But, you know, having a BDR team, right, a business development team is key because it can be just about, you know, from a marketing perspective, generating, you know, qualified leads. And then as your salespeople get busy, as you know, not every lead is going to get followed up.
[00:36:10] So having that BDR function becomes also critical in your journey. Well, yeah, absolutely. You could staff, you know, BDRs at your events. They do a really good job. Why not? Yeah, yeah. I mean, they're essentially, you know, a typical profile of a BDR is you're early on in your career as an account executive, right?
[00:36:39] Now, you may be, you know, doing it for a while as well. There are a lot of, you know, BDRs who have kind of stayed the course and they just like doing that. But regardless, you know, I think they're very capable, you know, to go to an event, help your, you know, team engage with prospects.
[00:37:18] Yeah. I don't know if there is like one particular spend, you know, Andrew. There's like there's no silver bullet, unfortunately, because cybersecurity, as we talked about, has become a highly contested market, you know.
[00:37:31] But I think the one thing, again, I'll go back to hammer on is it's really being, you know, honest with yourself and really, you know, sort of having those tough conversations to figure out, you know, what is the right ICP, you know, and mapping that to your key investments. If you're not honest to yourself, what is your right ICP, where are you going to be able to win? It's not going to progress the company.
[00:38:29] Exactly. Yeah. Couldn't agree with you more, Andrew. Yeah.
[00:39:17] Absolutely. Thank you, Andrew. It's been my pleasure. It would mean a lot to me and to the continued growth of the show if you'd help get the word out. So how do you do that easily? There are two ways. Firstly, just simply send a link to a friend, send a link to the show, to this episode. You can email it, text it, Slack it, whatever works for you and is easy for you. The second way is to leave a super quick rating. And sometimes that can seem complicated.
[00:39:45] So I've made it as easy for you as I can. You simply have to go to ratethispodcast.com slash cyber. That's ratethispodcast.com slash cyber and explains exactly how to do it. Either of these ways will take you less than 30 seconds to do and it will mean the world to me. So thank you.