Enough with the Noise – An Open Letter to Security Vendors

It starts the same way every time. Another vendor email lands in my inbox, promising to “revolutionize my security posture” with a “next-gen, AI-powered, zero-trust solution.” If I had a dollar for every time I heard that pitch, I could fund half of my security program.
As someone responsible for defending an organization against a never-ending stream of threats, these emails are not just a nuisance – they’re a missed opportunity. A better approach is possible, but many vendors refuse to see it.
Years ago, John Masserini penned his three-part Open Letter to Cybersecurity Vendors, and it felt like a rallying cry for security professionals everywhere. It was brutally honest, refreshingly direct, and packed with insights vendors still haven’t absorbed. I remember reading those posts and thinking, “Finally – someone said it.”
Now, nearly a decade later, I’m saying it again, in the form of an open letter to cybersecurity vendors. Because the same missteps keep happening, and it’s time for vendors to hear it straight from the people they’re trying to sell to.
So here it is – from the trenches of the enterprise, from someone making the buying decisions and living with the consequences: if you want to earn our attention, our time, or our business, you need to do better. Here’s how.
Cut the Fearmongering – We Already Live in It
Let’s get one thing straight: we don’t need a primer on how bad the threat landscape is. We see it every day. Ransomware, insider threats, credential abuse, supply chain risk – you name it, it’s on our radar. What we don’t need is a sales pitch built on fear, uncertainty, and dramatic “what-if” scenarios.
Fear-based marketing assumes we don’t know the stakes. That’s insulting.
If you want to make an impact, start by acknowledging reality. Then get specific. Show us how your product helps us detect faster, respond smarter, or reduce risk in a tangible, measurable way. Don’t tell us the sky is falling. Help us build a stronger roof.
Do the Homework Before You Hit Send
Every time I get a cold email that refers to my company as if it were in the wrong industry – or pitches a solution that’s clearly not aligned with our stack – I know one thing: the person reaching out didn’t do even the most basic research.
And that tells me everything I need to know.
Security leaders are time-strapped and pressure-loaded. If you can’t spend five minutes understanding who we are and what we do, why would I give you thirty?
You don’t need to write a thesis. But know what we’re up against. Read our press releases. Scan our job postings. Check the regulatory landscape we operate in. Come in informed, or don’t come in at all.
Kill the Buzzwords, Keep the Substance
We’ve reached a saturation point with security marketing language. “Next-gen.” “Military-grade.” “Zero trust fabric.” “Unified intelligence.” It’s all white noise now.
And here’s the reality: if you can’t explain your product in plain language, I don’t trust you understand it well enough to support it.
Cut through the fluff. Tell me what your product actually does. Not what your marketing team dreams it might do someday. If it automates alert triage, great. If it reduces false positives by 40%, I’m listening. If you’ve deployed at scale in an environment like mine and cut MTTR by half – show me how.
Speak plainly. Be specific. Credibility starts there.
If It Doesn’t Fit the Stack, It’s Already Out
Integration is everything. We’re not starting from scratch. We’ve already got a SIEM, an EDR, a ticketing system, and dozens of other pieces that form our security ecosystem. If your product creates a new silo – or worse, breaks the flow – we can’t afford to bring it in.
Before you pitch, ask yourself: where does this fit? What does it replace? What does it improve? Can it ingest and export data cleanly? Is it API-friendly, or is it a black box?
If your product can’t integrate, you’re not helping. You’re creating more work for an overworked team. That’s a fast no.
Don’t Disappear After the Sale
Let’s assume you’ve gotten past the pitch, the demo, the POC, and the procurement process. Congratulations – you made the sale.
But now the real work begins. Because nothing tests a vendor’s value more than what happens after the contract is signed.
Too often, vendors go radio silent post-sale. We’re left to fend for ourselves with vague documentation, canned support replies, and account managers we only hear from at renewal time.
That’s not partnership. That’s abandonment.
We want to work with vendors who stay involved. Who help us tune policies, fix bugs, and adapt as our needs evolve. Who show up when there’s a problem – not just when the quarter ends. Support is a competitive differentiator. Treat it like one.
Respect the One Thing We Don’t Have: Time
There is one resource more limited than budget in security teams, and that’s time. We’re juggling constant fire drills. We’re coordinating across silos. We’re reporting up, down, and sideways.
When you ask for our time, make it worth it.
Don’t request a 90-minute discovery call unless there’s real depth to explore. Don’t follow up three times in a week asking if I’ve “had a chance to review the deck.” And for the love of all that’s secure, don’t send a calendar invite without context.
Want to stand out? Lead with value. Send me a threat brief tailored to my industry. Share a case study with operational results. Give me something I can use – even if we never talk again.
Earn my time. Don’t assume it.
We Don’t Want Vendors. We Want Partners.
At the end of the day, we’re not just looking to buy tools. We’re looking to build relationships with people who can help us defend our organizations. That means transparency, honesty, technical depth, and a commitment to our success beyond the sale.
We remember the vendors who stuck by us during tough audits, critical incidents, or overnight upgrades. We remember the ones who picked up the phone at 2 a.m. and the ones who fixed bugs before we had to ask. And we reward those vendors with renewals, referrals, and trust.
That’s the long game. And it’s the only one worth playing.
Final Word
John Masserini said it best in 2015: vendors can be part of the problem, or they can be part of the solution. Unfortunately, too many are still stuck in the same old habits – leading with fear, drowning us in jargon, and failing to show up when it matters.
If you’re in the business of selling to security leaders, here’s the playbook:
- Respect our intelligence
- Understand our environment
- Speak clearly
- Prove your value
- Stick around when it counts
That’s how you get in the door. That’s how you stay in the stack. And that’s how you become more than a vendor – you become a trusted partner.
Because in this field, trust isn’t just a buzzword. It’s the whole deal.
