bwtech Blog

Written by: Nicholas Zajciw

CISO Do’s and Don’ts

The majority of startups in the Cyber Incubator aspire to get facetime with CISOs. To make that time most effective, it’s important to understand the role of a CISO. They are tasked with defending corporate networks and reporting to the boards or CIOs of the organizations they serve. They enter the role with dozens of security tools in use across the network, a backlog of patches to manage, and a need for more staff to assist them. In the ever-crowded security marketplace, it becomes imperative to understand the Do’s and Don’ts of CISO outreach.

The Cyber Incubator at bwtech recently held a day of activities focused on gaining a foothold in the security market. CEOs of Cyber Incubator companies spent the time asking questions across three panels and presentations to glean insight into how they can position their product and effectively entice CISOs to purchase it. We’ve compiled a list of the Do’s and Don’ts for CISO outreach below.

Do’s
  • Be direct and brief in your messaging, using as few words as possible.
    • Avoid broad descriptions built on buzzwords. Your description should not be one that a competitor could use to the same effect. Explain what differentiates your product.
  • Replace existing tools with your product (saving time and money).
    • Almost all CISOs have more tools than they can possibly use. Another way to view this: don’t be an additive solution.
  • Be a force multiplier; automate.
    • If you can assist one of a CISO’s few analysts and automate some of their work, that’s very compelling. A good example of this is the rise of Security Orchestration, Automation and Response (SOAR) technology.
  • When pitching, founders should be telling CISOs a story.
    • Building a narrative helps them remember your product and gives founders a chance to establish credibility.

Don’ts
  • The quickest way to lose a CISO is to say, “We’re the next best thing since sliced bread”.
    • Avoid absolutes, and be able to back up claims with data.
  • When pitching CISOs, avoid knee-jerk reactions when discussing competitors.
    • Avoid the urge to say, “No, no, no, we are not like X company, we’re better.” Instead, when asked whether you are like a competitor, take time to reframe the question by saying, “Sort of, but here’s where we are significantly better and why that’s relevant to your organization.” It becomes an opportunity to add context.
  • Don’t expect the CISO to make the case for your product’s purchase.
    • Your startup should be providing the details and case for a CISO to justify the purchase.
  • Don’t try to have your product purchased through another unit. CISOs are not fond of those who bypass them and try to get in through other business units.
    • That being said, when working with the security team, there is no harm in bringing up the benefits across additional business units.


Below are some parting words from Bill Sieglein, Founder of CISO Executive Network, whose experience and discussion informed many of these recommendations.


“A mistake many new cybersecurity technology firms make is assuming the problem their technology solves is actually a problem CISOs are ready to solve. In a lot of cases, CISOs are still doing basic blocking and tackling and aren’t prepared to implement solutions that are more sophisticated.” – Bill Sieglein