Are you struggling to scale your cybersecurity sales team effectively while launching a disruptive new product? Wondering how to build a winning go-to-market culture, especially when working channel-first? Trying to figure out how to attract and enable the right channel partners to drive real revenue growth?
This episode dives deep into the practical strategies for sales and marketing leaders navigating these exact questions.
In this conversation we discuss:
👉 Building a collaborative and competitive sales culture for transformative product launches
👉 How to hire and empower the right “archetype” of sellers for complex, multi-stakeholder sales cycles
👉 Channel-first go-to-market strategies—partner enablement, compensation, and driving adoption with the right partners
About our guest:
Scott O'Rourke is the Chief Revenue Officer at Contrast Security, bringing a hands-on approach to building high-performing sales teams from the ground up. With a legacy of success scaling sales organizations at ZeroFox and beyond, Scott is now focused on launching Contrast’s Application Detection and Response (ADR) product to disrupt the application security market.
Summary:
Tune in as Scott shares his experience transforming sales teams, shifting to a channel-first strategy, and offering actionable insights on partner enablement, compensation models, and sales enablement—especially for cybersecurity companies with innovative offerings. If you’re leading sales or marketing in a fast-growing cybersecurity firm, don’t miss these hard-earned lessons and proven playbook. Listen now to unlock growth.
Connect with Scott and Learn More:
Scott O'Rourke on LinkedIn
Visit Contrast Security
[00:00:00] Hey, it's Andrew here. Just quickly before we start the episode, I want to tell you about one of my favorite newsletters. It's called Strategy of Security. If you want to understand the companies, ideas and trends shaping cybersecurity and its submarkets, you should take a look. Cole Grolmus runs the newsletter and he has spent the last 20 years in cybersecurity, including stints at PwC and Momentum Cyber, the investment bank dedicated to cybersecurity.
[00:00:27] Recent articles I like include how could platformization work in cybersecurity, where he talks about there being lots of single vendor platforms, but not a multi-estate platform. And also one called demystifying cybersecurity's public companies, where he explores the pure play ones and also hybrid companies, which are in cyber. He lists all of them and then breaks down the numbers in all sorts of different ways.
[00:00:52] Now, this is not a paid promotion. I just simply enjoy what Cole is publishing. Check it out at strategyofsecurity.com. Now on with this episode.
[00:01:12] Here we are for another special episode of the Cybersecurity Go-To-Market Podcast being recorded at RSA 2025 here in San Francisco. And right now we're talking with Scott O'Rourke, who is the CRO at Contrast Security. Scott, welcome to the podcast. It is great to be here. Thank you. It sounds like you've just been on an epic trip around the world in different places.
[00:01:35] I have. So prior to my week here in San Francisco, I was actually in Tokyo for customer meetings last week. So as we were talking off mic, my body time is a little messed up at this point. But bear with me. So my challenge is to ask you such great questions that you don't just fall asleep on me. I think we'll be fine. Good stuff. So you recently joined Contrast as a CRO.
[00:02:03] Now, Contrast has been running for a little bit, though. So I imagine you're coming in to do something specific with the company. What's the focus? Yeah, great question. So basically, the real mission is we've launched ADR, Application Detection and Response. And because it's a new offering and we believe to be transformative and disruptive potentially to the application security market,
[00:02:31] they were looking for a sales leader to come in and really have sort of a builder mentality. So almost a startup mentality, as it were, for the go to market focus. And so that's essentially why I was brought in. My history in the past has been very much building sales teams from the ground up and starting at, you know, essentially almost pre-revenue numbers and building teams up from there.
[00:02:57] So that's essentially the type of culture they are looking to build at Contrast. And so hence why it was attractive for me and they were attracted to me. And you had a great run at ZeroFox back in the day. You took a company from small to big, dominating a category. I'm wondering what you're taking from that experience specifically that you think can apply for Contrast.
[00:03:18] Sure. I think one of the main lessons that I'm taking and bringing with me to Contrast is essentially building that collaborative and competitive culture within the organization on the sales team side. And what that really means is in order to build the right winning culture, especially as it relates to that building phase and really figuring out the product market fit
[00:03:43] and a lot of the experimentation that's required for a new product launch, you have to be collaborative as a team. And so that those lessons learned between the sellers back to product from sales engineering, you know, back to product and within the sales team of what's working, what's not working, how do we need to tweak?
[00:04:04] Those that culture is required in order to essentially get through the challenges that that that really present themselves when you're trying to do this. And you've been at Contrast for four months now, is there something specific you can point to the way you're trying to get that collaboration that wasn't perhaps there before? It's it's it's actually from the from the from the type of archetype that we're looking for from a seller.
[00:04:27] You need to you need to essentially hire the right people and hiring the right team to come in and have that same type of mentality. Additionally, in order to be able to sort of have those experimentations, you have to have sort of constant variables. Right. And so building a framework and sort of that playbook mentality of here's the way we're going to go to market that allows us to then iterate off of that.
[00:04:51] If everybody's doing essentially their own thing, it makes it very difficult in order to then experiment because the variables are too great. So trying to reduce the number of variables. And so, again, it's it's bringing in the right type of archetype from a personnel standpoint and and then also building the framework in which to operate from. So that's essentially what I focused on in the in the first four months. And for a selling team, as you're trying to launch a new area, ADR.
[00:05:19] Right. It's not just the same as ESPM or whatever before. Right. Right. That puts a lot of stress on the sales team to try and figure out the new message as well. I'm wondering what what they're going through as they're trying to really figure out that marketplace because they're going to hit numbers as well. It can't just all be experimentations. Right. That's right. Yeah. For them, I think it's a it's an exciting time.
[00:05:39] Because we do have a great core offering that we've had for, you know, that differentiated Contrast 10 years ago, essentially in the market. And so we still have our core offering. And then this gives them yet another avenue in which to actually sell and try to solve the application security challenges that organizations have.
[00:06:00] So I think the way that that I would frame it is this gives them yet another sort of arrow or arrows in the quiver, so to speak, to have conversations with organizations. So instead of now, instead of before, just having conversations with DevOps, AppSec teams, we can now have conversations with the security operations teams. So, again, we can kind of solve this problem in two different ways. Essentially, you say that.
[00:06:26] So what I've experienced is that it's hard for sellers to work across effectively across two or three different teams. Right. Mentioned three different groups right there, each with the competing, perhaps. Sure. Yeah. Things are trying to do. Is there one area where the team seems to kind of gravitate towards and do very well as a starting point? Or is it really truly they could start anywhere? So historically, we started on the sort of the pre-production side, right?
[00:06:54] So with DevOps, AppSec, depends on how organizations are actually built and constructed. Some of those teams are very collaborative. Some are separated. So it really depends on the organization. Where we are really shifting our focus is more to the security operations team. And we believe our new messaging really resonates with those teams.
[00:07:17] And so that's essentially the focus, because if we have that conversation with those teams, that also then transcends into the AppSec and in some cases, the DevOps teams. And again, it's very specific to the organization.
[00:07:33] But then I go back to that's essentially why we're looking for a certain archetype from a sales perspective that really can navigate those various conversations and understand how to construct their conversation, depending on the audience that they have. Because in some cases, they might have all three of those audiences in one single meeting, and they need to be able to speak to all of those folks and understand their priorities and how we match up.
[00:07:59] So in some of the archetype that I've heard, collaborative, competitive, complex sale, right? Three different groups. What else are you looking for as you expand a team this year? That's a great question. Those three adjectives typically cover most of what we're looking for. One of the big changes that we've made from a company standpoint is we're now channel first. Okay.
[00:08:23] And so operating within that framework and, again, making sure that we're getting people to join the team that understand that's a priority for us, have worked successfully in the channel before. I would say that's essentially the fourth foundational piece that we're looking for. Yeah, when I think about channel, traditional security channel is very much the post-production side, let's say, right? That's right. Perhaps not the console on the pre-production side. Is that something you're trying to navigate with who are the right partners to work with?
[00:08:53] That's exactly right. And in fact, it sort of mirrors what our journey is on around this ADR new journey that we're on. And most, if not all, of the security partners that we're working with in the channel have been selling to security operations. So we believe it's a great fit for us to not just announce that we're channel first, but then really lean into the channel as an organization because they're already having conversations with our targeted buyer for this new offering.
[00:09:23] And so as they're going to market with, you know, the EDRs and NDRs, CDRs, et cetera, we believe that ADR is a natural sort of add-on and fit. And is it the big players that your channels that you work with? Is it boutiques? What's the ideal partner for you? It's, as you know, the channel is relationship-based. So at this point, we're really focused on what I would say would be the regional channel players.
[00:09:51] And again, it really does depend on those relationships. So we have great relationships with certain partners in certain regions and other partners in other regions. And so it's a balancing act of, you know, how we are focused on those individual regions and leveraging relationships that our sellers have with their counterparts at those specific partners. But, you know, it's not the large, the super large players at this point, simply because they're not going to pay attention to us at this point.
[00:10:21] So we need to gain traction and really perfect our sales motion around this as we take it to the channel. So then we can essentially hand them the playbook and do less co-selling because that's what we're doing right now is a lot of co-selling with our channel partners. Well, let's get specific. So Justin White is the main longtime salesperson at a regional VAR called Derserk out of Denver. He's been in that territory for Derserk for 25 plus years. He knows a lot of people there.
[00:10:52] Why would someone like Justin want to get involved with the Contrast Security Program and how is he going to make money with you? Sure. Great question. I would say, first and foremost, that's actually the exact reason why we're investing in our Channel First program is because the channel, I would say, Justin, that's an incredible tenure. Right. And the relationships that he and others like him have in the market with organizations carry such weight. Right.
[00:11:21] So in order for us to get our product offering in front of customers, they're going to the customers are going to lean on the relationships and the trust that they have with these channel partners. For Justin and others like him, I think the real benefit of working with Contrast is this is a new way to solve application security. There is in the operations side of businesses, they don't have visibility into the application layer.
[00:11:48] So they are trying to essentially solve that problem with different solutions and essentially trying to get telemetry around the application. However, they just don't have that application layer visibility that ADR provides them.
[00:12:02] And it's very similar to what EDR and some of the other DR solutions provided over the years, which is not just visibility into that layer, but then actually response and really solving that issue of, OK, if something happens, how do we respond to it quickly? And make sure that at the end of the day, the folks in the SOC and the CISO aren't spending an entire weekend responding to something because it wasn't protecting.
[00:12:29] So Justin could help his existing clients with some of the challenges that I have, maybe get into a slightly different area on the pre-production site as well. What about brass tacks like deal regs, margins? Oh, sure. What do you got for him? That's going to say, oh, that's worth my time. We're edging. We're offering 20 percent if you're if we're and I'm actually compensating my team to take deals through the channel.
[00:12:56] So, you know, we have at this point, we've made it comp neutral for the team to take deals through the channel. So when we're saying we're channel first, we're we've removed the barriers for why certain things won't happen. And we have commitment again from from the very top. Right. So my CEO, CFO, the entire executive team is committed to the strategy. And but yeah, for Justin, it's it's your typical thing. It's, you know, deal reg 20 percent.
[00:13:22] And and then the other piece is we believe that there is real opportunity for real sized solutions as it relates from an ASP perspective to drive real revenue. And again, that deal reg continues on through the renewal process as well. So you're looking at the additional 20 percent for the following years on the renewal. So brought up something there, getting the buy in from the exec team on they might view it as double comping on a deal. Right. We're paying the channel partner and we're paying our reps. Right.
[00:13:53] The cost of sale kind of goes up a little bit of that. Sure. If we got some listeners who are founders or really early stage and they're looking cross-eyed a little bit of that going, is that how it works? What would you say about the idea behind doing that so it actually is good for the company? I would say the one lesson that is across the board is everything takes more time than you want it to take. And so if the channel allows you to scale your organization, however, it does take time.
[00:14:22] It's not a light switch. And so the channel, because the channel has seen so many fits and starts with organizations, they are going to be naturally hesitant and careful. Because, again, to the Justin example earlier, over 25 years, Justin has curated relationships and he's going to be very careful about who he brings in front of his customers.
[00:14:46] And if he doesn't feel like he's got the full weight and support of the organization that he's working with, he's probably not going to bring that organization in front of his customers. And so I think that respecting and understanding that is really important because when organizations want to lean into the channel and they want to do this, they have to understand that it's not just a two-quarter process, three-quarter, or even a four-quarter process. You have to look at it in two to three years.
[00:15:12] And so that reciprocity that you expect from the channel is going to take 18 to 24 months. You know, get it. It's all dependent on the type of transactions, the size of deals, things of that nature. But it's going to take some time. And I think that's where organizations, especially early on, get challenged because they don't realize the level of investment they need to make and they can't expect instant reciprocity to take place again. Yeah. I love that perspective, though.
[00:15:42] I mean, as a founder, as an earlier stage company, you do have to think about why on earth would a partner want to work with us? Because you're one of 3,800 vendors. You know, they're not short of vendors to work with, right? That's right. So you've got to figure out, well, how can I make this advantageous for them? And you talked about taking some friction out of the model maybe before where it wasn't comp neutral. What else have you done in terms of enablement for partners that is trying to reduce some of the friction involved? Sure.
[00:16:11] So we also focus on the enablement aspect. And in some cases, you know, we're gamifying some of that as well to make it interesting and rewarding for partners to engage with us to actually learn our products and services.
[00:16:25] The other piece to it is we also focus on being an easy company to work with, which means our reps, our RSMs, not only are incented to work with the channel, but we are very much focused on training them to be great partners to our partners, which means understanding when we should be bringing channel partners into sales early in the sales cycle.
[00:16:50] So they can learn along with the team and understanding the sales process and the sales playbook from our sellers themselves. So then they get more comfortable naturally. They learn a lot during that process, understand what customers want and need to see from the solution. So then it makes them way more comfortable to talk about us, even if we're not in the room. One of the hot topics, RSA this year, as everyone knows, is AI. I want to talk about AI, though, in terms of a sales team.
[00:17:19] So I'm wondering what Contrast, if I'm a rep at Contrast, what's the company doing to help take out a lot of the friction or a lot of the admin work, let's say, in selling by using the AI tools right there right now?
[00:17:31] Sure. I think one of the most powerful things from a salesperson's perspective now that everyone, I think almost everyone is leveraging at this point, is really sort of the conversation intelligence platforms that's either native to Salesforce or a Gong or a Clari, etc.
[00:17:54] And essentially making sure that those recordings of the interactions that you're having with customers then turn into action items and transcripts. And there's a lot of information and helpful material that comes from those interactions and from those platforms. And then leveraging that to properly support the customer journey and follow-up activities, sharing the calls with products.
[00:18:22] So some of the stuff that we talked about before, which is how do we share actually the real feedback from customers when we're talking about our solutions? Before, it was very much a telephone game of this is what the customer said. Now you can actually just email the call over to product or over to other members of the team that need to react to something that a customer said.
[00:18:46] And so that piece of it is really important, I think, transformational for the sales team. Because before, it was really the requirements of or up to the responsibility of the seller to take copious notes to ensure that they recorded everything that they did during a call, which can be distracting as well. So then, you know, that takes it out of. Yeah, it seems, I don't know if a golden age is the right word, but the support we have to sell now compared to 10, 50 years ago is completely night and day.
[00:19:16] It's incredible. Yeah, what a lot of time to be in sales. Well, Scott, it was good to meet you. A great week ahead for you here at RSA. I'm sure you've got a bunch of prospect meetings, customer meetings lined up as well. All the above. That's awesome. Well, thanks for joining us. Yeah, my pleasure. Thanks for having me. All right, we have our next person for visionary or smoking crack. Who are you and what do you do? I'm Mike Ferrari. I'm the Senior Vice President of Worldwide Sales at Doppel.
[00:19:42] All right, Mike, I am going to throw out some bold predictions about the future of sales and cybersecurity sales at you. You tell me, am I a deep thinking, insightful visionary? Or did I inhale just a little too deeply on the walk through the Tenderloin this morning on the way to the conference? Are you ready for your question? I am ready. All right, first one.
[00:20:03] By 2030, so just in five years' time, 80% of cybersecurity purchases under 100K will happen without a human seller or a human buyer. Just AI agents buying and selling. Is that visionary or smoking crack? Or smoking crack. Tell me why. People buy from people. That'll never change. Relationships matter. They do. All right, next one.
[00:20:26] In five years' time, more CISOs will report to the CFO than report to the CIO or CEO. And sales will shift to being a finance-first discussion. Visionary or smoking crack? Smoking crack. Tell me more. Listen, cybersecurity is going to be a board-level problem for years and years to come. There is no end in sight as it relates to the challenge.
[00:20:53] And in particular with AI and large language models and the threat actors having easy access to these things. There is cybersecurity. Cyber defense will not be about pennies and dimes and nickels. It'll be about strategy. And I believe that that will continue to be led by the board and C-level executives. All right. Next one. The biggest threat to a cybersecurity seller's success right now isn't the competition.
[00:21:23] It's a seller's own ability to inspire prospects to want to make a change. Visionary or smoking crack? Visionary. That is so true. That is so true. That is really, you know, I think cybersecurity sellers' biggest weakness is selling features and functions. And, you know, a lot of the companies, cybersecurity companies are engineering-founded companies. And engineers like to talk about the features and functions of their product.
[00:21:52] And far too often they enable their sellers to do a really good job of that as well. And so it is 100% spot on to say that, you know, if a seller can't do, it can't impart that kind of message on their buyers, they are not going to be successful. All right. Next one. By 2030, Shedeur Sanders will have won a Super Bowl. Visionary or smoking crack? Smoking crack. Why is that? I really, because of Deion.
[00:22:23] You'll have to move teams first of all. Yeah, he will have to move teams. And then again, likely. And somehow become the second quarterback, not the third or fourth. He's a talented guy. I just hope that for his sake that he's able to focus on the game and commit himself to it and avoid the distractions associated with not only his brand, but his dad's brand as well. All right. Last one. Recently, Google acquired Wiz.
[00:22:50] And we have some coming friends over at Wiz that have done nicely out of that. Yes. And some hacks in the industry called it gee whiz. So, question for you. Within 12 months, Island, the enterprise browser company, will acquire the Cyber Heart platform from Dow's Technologies and rename the company Love Island. Am I a visionary or am I smoking crack? Smoking crack. But why? That's a good one, though. It's so obvious. It's very obvious. Very obvious.
[00:23:19] I hope that they do do that, actually. In a world when cyber needs to transcend into other spaces, people will remember Love Island, the cybersecurity company. That's so good. I love it. All right, Michael. Thanks for playing along. You betcha.
[00:23:45] It would mean a lot to me and to the continued growth of the show if you'd help get the word out. So, how do you do that easily? There are two ways. Firstly, just simply send a link to a friend. Send a link to the show, to this episode. You can email it, text it, Slack it, whatever works for you and is easy for you. The second way is to leave a super quick rating. And sometimes that can seem complicated, so I've made it as easy for you as I can.
[00:24:12] You simply have to go to ratethispodcast.com slash cyber. That's ratethispodcast.com slash cyber. And it explains exactly how to do it. Either of these ways will take you less than 30 seconds to do, and it will mean the world to me. So, thank you.