Advisor Q&A: Former United States Postal Service (USPS) CISO Talks Marketing

We’re thrilled to announce that Greg Crabb, who served as Chief Information Security Officer (CISO) for the U.S. Postal Service (USPS) from 2015 to 2021, has recently partnered with the W2 Communications team as one of our first CISO advisors. Crabb is the first of many industry veterans of his ilk that we will work with to provide the best guidance for our clients – because there’s no better way to know the mind of the buyer than talking to one.

Crabb also acts as CISO in Residence for Ballistic Ventures, where he advises portfolio companies on their best approach to security, and runs his own consultancy 10-8, where he assists clients with post-incident roadmaps, cybersecurity assessments, threat preparedness and other complex cyber needs.

“I work with clients to reduce organizational stress,” he says. “I help them understand what happened from an incident perspective and how to respond to it, and then how to build a resilient cybersecurity practice moving forward.”

In a recent conversation with W2 Communications Co-Founder Evan Weisel, Crabb elaborated upon the distinct roles of CISOs and how vendors can most effectively reach them to earn credibility, maintain empathy and build long-term business relationships:

Either in your consulting or your CISO in Residence role, how do you advise portfolio companies to invest their marketing dollars? What is most critical?

Crabb: I suggest to my portfolio companies that they invest in content that demonstrates value and builds trust. This includes in-depth case studies, proof points that demonstrate how the solution measurably lowers risk, and thought leadership that positions the brand as an expert in its field – solving the problems that buyers care about. It is useful to connect with the community through webinars, conferences and mutually beneficial relationships. The key is to find a satisfactory balance between demonstrating product capabilities and building the brand.

What do CISOs really need from vendors to make a purchase decision?

Crabb: It’s all about truly knowing the unique business, technology and cybersecurity challenges of customers. CISOs are primarily risk reducers. They must demonstrate tangible value with every product they buy, and that value must positively impact all three of these challenge areas.

What do you think has changed most about the buying journey in the last 3-4 years, either as a CISO or former members of your team who might’ve been on the buying committee?

Crabb: The process of buying has spread across organizational groups. The CISO no longer makes decisions alone; IT operations, compliance, procurement and often top executives participate. With more people working from home, digital outlets like webinars, virtual conferences and online demos have become more important in the buying process. Peer reviews and informal networks are also getting more attention, since buyers depend on recommendations they can trust.

As you alluded to above, peer reviews and informal networks have been critical. We know a lot of buyer discussions happen in private social media now – Slacks or Discords. While marketers often cannot get into those, is there a way to influence the discussions?

Crabb: Although marketers are not able to directly engage in private social channels like Slack or Discord, they can impact those conversations by making content that is useful and shareable. Influencers often share thought leadership pieces, how-to tips and infographics in these spaces. Getting important people in the community involved or giving trusted groups exclusive content can also direct the course of discussions.

What publications, social media and additional resources have you most relied upon as a CISO to make the best purchase decisions? And why is third-party validation so critical in the decision-making process?

Crabb: It’s a multi-layered approach. First, I need to know what the threat actors are doing, so I go to the trade publications which cover that ground.

I also have to stay on top of what’s going on in the technology landscape. So analyst reports and additional resources that Gartner, Forrester and others put out are very helpful there. Including vendors in reputable third-party sources such as Gartner or Forrester is crucial as it enhances their credibility. 

CISOs must exercise caution and avoid taking undue risks, and the inclusion of a product in trusted analyst reviews demonstrates its reliability. It also gives CISOs a structured way to make decisions, which is essential when there are a lot of technology options in the market.

In addition, I believe you have to get out of the office and connect to people. I like to go to forums and events in which peers have discussions about their approaches to their own particular technology infrastructure, architecture and control requirements. I always want to find out what my peers are doing, and how they’re doing it.

How much vetting will you devote to a purchase decision?

Crabb: I always put in plenty. At the USPS, I had a five-person technology evaluation team. They made sure any security solution would align with our required controls and our IT architecture. Then, they vetted the product to verify that it would integrate properly with our other security tools … A purchase decision is much more complicated and involved than simply believing solution providers when they say “Our product is the best.”

What would make you respond to a marketing email or a cold call from sales vs. going hunting for a solution?

Crabb: Many busy professionals don’t read marketing emails, but I’m more likely to engage with a personalized marketing email or cold call that demonstrates your understanding of the issues my organization faces. It’s simple to spot emails that are short, offer a unique answer to my problems, and make a direct value proposition. Busy professionals don’t respond to generic, long-winded content that isn’t relevant to them.

How critical of an influence is brand recognition?

Crabb: It can make a big difference. Trust is a cornerstone, and a well-recognized brand will go a long way by conveying proven success, expertise and reliability. To me, a strong brand is backed with quality content, thought leadership and visible engagement in the community.

One common mistake in branding is making too many promises and not keeping them. When vendors force cyber solutions through business packages, like when they bundle weak security options with broad IT suites, this can make people not trust them.

On the other hand, brands that are transparent with their capabilities, share valuable content, and engage deeply with the cybersecurity community tend to be more appealing. Strong thought leadership, showcased at industry events, and real case studies are all beneficial things for your brand.

What do marketers get wrong when they approach CISOs?

Crabb: They use too much jargon. Just be transparent – tell me in plain language what you’re going to do, and how it’s going to solve my problems. Your white papers and product information should explain these things to me, without a bunch of jargon and acronyms to wade through.

What whets a CISO’s appetite for trying new technologies on the market versus waiting for them to get adoption? Is it a risk appetite?

Crabb: A CISO’s appetite for new technologies depends largely on risk tolerance and the unique value the technology offers. I’ll be one of the first people to use a solution if it solves a major problem that current tools are unable to solve. We are more likely to adopt technologies that offer significant improvements in cost reduction, efficiency and security, or that measurably reduce risks – especially ones that have worked well in proof-of-concept tests.