
CISO says: “Don’t contact me” (or do they?)

“Please don’t contact me,” said the CISO. Or did they? Vendors almost always complain about buyers’ openness to new solutions, something that everyone takes for granted. After all, the CISO’s role is to lower risks, and new tools inherently come with new challenges.

So, we tested this. How many CISOs actually ask not to be contacted by vendors? Spoiler alert: not many.


Research methodology

This research is based on publicly available LinkedIn profile data of CISOs in the Netherlands. The dataset includes organizational information such as company size and industry, all sourced from public profiles. All data was anonymized to protect privacy, with personal identifiers removed during analysis. Important limitation: the analysis is limited to CISOs that have a LinkedIn account.

Beyond the myth

Looking through hundreds of CISO profiles, only four mentioned sales messages. Their comments focused not on rejecting contact but on the quality of engagement: “Note for sales: Provide me your best movie quote […] otherwise, I assume your message was automated and will be ignored. I love seriously interested partners, as we need partnerships, not salespeople who ship the product and forget the customer.”

This sentiment was consistently echoed in our research. None of the CISOs we interviewed for Security Innovation Stories avoided vendor contact entirely. Instead, they emphasized the need for transparency and relevant engagement. The issue isn’t vendor contact itself—it’s the approach many vendors take.

Many CISOs expressed frustration with vendors who clearly hadn’t done their homework. They described receiving pitches for products their companies already use, or solutions completely misaligned with their sector. This isn’t a “don’t contact me” problem; it’s a “contact me intelligently” request.

The value of genuine engagement

CISOs aren’t just open to vendor contact – many actively seek it out. They clearly also have to stay updated on industry trends. Multiple CISOs mentioned that vendor presentations at industry events are among their most valued sources of information about emerging technologies and innovative approaches to security challenges.

These leaders view vendor engagement as crucial to staying current with industry developments. One CISO noted that vendor presentations often provide insights into emerging threats and solutions that haven’t yet made it into analyst reports or academic research. Another mentioned that seeing how different vendors approach similar problems helps inform their own strategic thinking.

This openness to vendor insights extends beyond events. CISOs often appreciate being included in early discussions about new security approaches or emerging technologies. They value the opportunity to influence product development and ensure solutions address real-world challenges.

Consider these two outreach approaches:

Generic AI “personalization”

“Dear [first name],

I’m sure that you have lots of risks at [company name]. With the increasing number of cyber threats, it’s crucial to have robust security measures in place.

Our AI-powered solution has helped companies like yours reduce their risk exposure by 75%…”

Genuine personalization

Dear John,

Your post last week about app security challenges really resonated with me, and led me to check out your profile. We’re in the early stages of building something to help with [specific issue they mentioned], but honestly, we’re still figuring out if we’re on the right track.

I noticed that you’ve been on both sides – first as a dev and now running security at a SaaS company – would you be up for giving us some brutally honest feedback?

No sales pitch because there’s nothing to sell yet – just looking for someone who gets both the dev and security side to tell us if we’re solving the right problem.

All I can offer in return is coffee and eternal gratitude!

The second approach shows an understanding of both the individual CISO’s background and the organization’s specific challenges. While it might not guarantee a response, it shows respect for the CISO’s expertise and offers value beyond just making a sale.

CISOs as business enablers

An interesting fact: many CISOs actively highlight their sales-supporting role in their profiles. This isn’t just about procurement – it’s about being business enablers who can translate security requirements into business value.

This sales-supporting aspect appears in multiple forms. Some CISOs mention their role in supporting their organization’s sales processes, particularly in B2B environments where security capabilities are a key differentiator. Others highlight their ability to communicate security value to business stakeholders.

Perhaps most telling is that 7% of all CISOs work with security providers, serving as both security leaders and proof that their organizations “walk the talk.” 

The CISO-procurement relationship

The CISO’s relationship with vendors often centers around procurement, but this isn’t just about checking boxes. While they might not control the entire budget, CISOs significantly influence technology decisions through security assessments and risk evaluations.

This influence extends beyond simple yes/no decisions. CISOs often guide their organizations’ security technology roadmap, helping to identify gaps and opportunities. They evaluate not just individual solutions but how different tools and approaches fit into their overall security strategy.

Many CISOs see vendor evaluation as a critical part of their role. They’re not just looking at features and prices – they’re assessing vendors as potential long-term partners who can help advance their security objectives.

What to learn from these insights?

The message is clear: CISOs aren’t anti-vendor – they’re anti-irrelevance.

  • They understand that vendors have to sell to keep their companies going and need buyers, but they don’t want to be spammed with automated messages. (Who does?) Or worse: you accept a LinkedIn connection request, and you end up in an automated sequence of messages with generic questions like: “How does your organization incorporate security?” Try to be specific, relevant, and honest.
  • Be transparent and ask questions. If a CISO replies to your messages, don’t overwhelm them with a sales pitch. Ask why they’ve accepted a meeting request, and ensure that whatever you discuss is relevant to them so that you respect their time and expertise.
  • There is a time and a moment for everything. Try to meet CISOs when they are in the consideration mood. They visit events to learn about new products, and that’s a great moment to engage in conversation.

For vendors, this means rethinking the approach to CISO engagement. Generic AI-generated personalization isn’t fooling anyone. Instead, success requires building genuine relationships based on understanding each CISO’s specific context and challenges.

This might mean fewer outreach attempts but more meaningful engagements. It requires research, preparation, and a willingness to invest in relationship-building rather than immediate selling. Some vendors might need to shift their metrics from the quantity of contacts to the quality of engagements.

The next time you hear “CISOs don’t want to be contacted,” remember: they do want to be contacted – just not spammed. The difference between spam and valuable outreach often comes down to one simple factor: did you do your homework? In a world of increasing AI-generated outreach, genuine personal engagement might be the key differentiator.

Michelle Wols

Michelle is an expert in understanding target audiences in security and IT, and transforming the product positioning of complex products into sharp, compelling marketing strategies that hit the mark.