Dani Woolf, Director of Demand Generation at Cybersixgill and Host of the Audience First podcast, brings her marketing expertise to Hacker Valley to talk about what’s broken in the marketer-buyer relationship. Dani’s tried and true methods of cybersecurity marketing involve clear messaging, authentic communication, and building trust in an industry where not trusting anyone is the norm. How can cyber marketers break through the negative stereotypes and show cybersecurity buyers that they’re authentic?
[00:00] Fixing the broken relationship between cyber marketers, sellers, & buyers
[04:58] Unrealistic marketing goals vs incorrect marketer perspectives
[10:23] Better conversations between marketers & practitioners with Audience First
[15:12] Connecting with curious cyber practitioners instead of dismissing them
[23:37] Advice for cyber marketers looking to start fresh with content
Thank you to our sponsors Axonius and Uptycs for bringing this episode to life!
The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
Uptycs, analytics for the modern attack surface, observability for the modern defender. Check out Uptycs by visiting them at uptycs.com
What messages are practitioners receiving (or not receiving) from cybersecurity marketers?
One of the domains Dani actively uses is hilariously titled, “WTF Did I Just Read?” This project, inspired by the contextless and confusing messaging cyber practitioners receive everyday, aims to show marketers how to adopt better tactics and more authentic communication with potential buyers. Truth be told, Dani has seen the worst of cyber marketing, and she understands why many marketing teams get a bad rap in the industry.
“Frankly, [marketers] are just sending messages that have absolutely no context or need to the buyer, which is just lazy. You have to identify the problem, do a little bit of legwork to see what the buyer is interested in. Who are they really? What are they trying to solve?”
Where do you think we all went wrong, from a cyber marketing perspective?
Two factors have contributed to incorrect and inauthentic marketing tactics in cybersecurity, according to Dani. The first is pressure to achieve stressful goals and unrealistic KPIs on marketing teams that should be focusing on quality of communication over quantity of calls or outreach methods. The second is marketers coming into the cyber industry with the false mindset that cyber marketing is just like any other marketing, when in reality, the methods of communication and the relationship with buyers is completely different.
“A lot of professionals coming into cybersecurity think that what they've done in other verticals works in cybersecurity, when in fact it doesn't. I know for a fact it doesn't, because that's how I made mistakes in the security space and that's how [my podcast] Audience First was born.”
Is there a lot of conversation and communication happening between marketers and cybersecurity practitioners?
Marketers and practitioners are not communicating in a trustworthy and authentic way, in Dani’s opinion. Many marketers fall into the mindset trap of letting the “smart people” in the room talk during meetings and calls, instead of engaging in the conversation. Dani explains that when cyber marketers shut themselves out, they don’t learn anything about cybersecurity or about their clients. Not knowing creates a lack of trust and confidence for both sides.
“If we continue to just click on buttons and look at numbers, we're not going to do our jobs any better. I urge anybody listening to foster that bidirectional relationship, to be open to marketers speaking to you, and to be open to speaking to practitioners and asking for feedback.”
How would you compare the average cybersecurity buyer to, for example, other buyers in the technology space?
Despite the stereotypes of cybersecurity buyers being tough or unapproachable, Dani admits that many of her cybersecurity clients are kinder and more empathetic than in other tech industries. However, this kindness and empathy has to be earned, and security professionals aren’t always the easiest people to gain the trust of. Dani explains that credibility and authenticity reign supreme in messaging to cyber buyers, because that is the only way to break through the caution many practitioners are trained to have.
“Why would I scratch your back? Or, why would you scratch mine if I don't even know who you are? Like, the whole point of security is not to trust everything that you see. So, trust and credibility is a huge part of that, and establishing authentic relationships is a huge part, too.”
Check out the Cybersixgill website
Purchase a HVS t-shirt at our shop
Continue the conversation by joining our Discord
Hacker Valley Studio 00:08
Who says tech can't be human?
Analysts briefings weren't helping me, reading articles. It wasn't deep enough for me. I wanted to ask very specific questions and to probe. It's just reinvigorated my whole career, re-energized me, and I urge anybody to just be open to that and not be afraid.
Hacker Valley Studio 00:30
Welcome to the Hacker Valley Studio podcast.
Axonius Ad 00:36
When it comes to IT and security, we can all agree on two things: complexity is increasing, and the manual asset inventory approach no longer cuts it. It's time to adapt, and that's where Axonius comes in. Axonius correlates asset data from existing cybersecurity and SAAS solutions provide an always up to date inventory, uncover gaps, and automate actions, giving you the confidence to control complexity. Sign up for a free walkthrough of the platform at Axonius.com/Get-A-Tour.
What's going on, everybody? You are in the Hacker Valley Studio with your hosts, Ron and Chris.
Welcome back to the show.
Glad to be back again. In the studio today, we have with us a guest that is all about fixing a problem that is massively broken, and that is the relationship between marketers, sellers, and the buyers of cybersecurity technology. In the studio today, we have with us Dani Woolf. Dani is the Director of Demand Generation at Cybersixgill, and also host of her own podcast called Audience First. Dani, welcome to the Hacker Valley podcast.
Thank you so much for having me on, guys.
Absolutely. We had to bring you on because you are somebody that really, really puts the customer, the practitioner at the forefront of everything that you do. I would say there's nothing more indicative of that than one of the domains that you own and use is "WTF Did I Just Read" and you use that for folks to bring you the messages, the emails that practitioners receive on a daily basis that aren't the best. Where did that idea come from, from your perspective?
It came from a request from one of my guests on a podcast episode, Joseph Carson. Early on in the season, he told me, "Well, I wish there was a way that I could flag bad messages and email messages." And I just listened and I'm like, "Well, I can't do something very sophisticated, but I could create an email domain for you and you could just forward that to me and I'll see what I could do. Reach out to anybody who's bothering you and tell them, 'Hey, guys, this is not the way you should be doing things. Here's an alternative. Here's a way to do things a little bit better.'" Listen to this episode, first and foremost. If you don't want to listen, here are some steps you can take to improve your outreach and your messaging towards cybersecurity buyers. So, it stemmed from just listening to what the frustrations and the pains of my audience and executing.
Tell us a bit about that frustration. What kind of messages are people receiving, or not receiving? What have you seen so far?
Oh, man, what have I not seen? And by the way, I do urge anyone listening, and this is a shameless plug, to go to Audience First and look at the different methods that are poor methods, if you will, anywhere from bribes for meetings, which is pretty prevalent in the industry, to making the prospect feel bad because, quote, unquote, they don't have time to answer the message, to using prospects as a stepping stone to get to the actual either economic buyer or champion in the industry, or frankly, just sending messages that have absolutely no context or need to the buyer, which is just lazy. You have to identify the problem, do a little bit of legwork to see what the buyer is interested in. Who are they really? What are they trying to solve? Before you even outreach them. So, there are many poor methods out there, unfortunately, poor tactics out there, and some of them, sadly, are funny. I like to have a laugh here and there, but at the end of the day, I'm trying to help people who are trying to do a good job, do things a little bit better, and I know that a lot of security practitioners want to help us marketers and sellers do things better. So, that's the whole point of Audience First and WTF Did I Just Read? I still can't say it really well, WTF. It's hard. A lot of people want to help out and that's the whole point of the content and the resources that we're providing.
When you look at what folks are doing today, from a marketing perspective and outreach perspective, it seems like there seems to be more wrong than good. Why did that become the case? Why does it seem like folks are indexing on messaging that doesn't hit the mark, doesn't really speak to the practitioner, maybe they're using some scare tactics or trick tactics to get meetings? Where do you think we all went wrong, when it came to this place?
This is my own theory. There may be other assumptions or opinions, but I think largely that it stems from the stress, the fear, and the anxiety that sellers and marketers feel in these cybersecurity startups and companies that are largely fueled by investor profits. When you have investor money in there, you have to produce and you have to produce quick and you have to produce a lot. And so, you have the boots on the ground, sellers and marketers who are trying to double revenue, triple revenue, 5x revenue, running around like chickens with their head cut off trying to fuel pipeline. Lots of them aren't educated, or don't know how to approach cybersecurity buyers because they haven't taken the time to understand the buyer in the first place, which stems from doing initial audience and buyer and customer research. That's one.
Two is a lot of professionals coming into cybersecurity think that what they've done in other verticals works in cybersecurity, when in fact it doesn't. I know for a fact it doesn't, because that's how I made mistakes in the security space and that's how Audience First was born. It was from a realization that the way you do things in cybersecurity is completely different than in other verticals. The buyers are dealing with some very stressful, serious, threatening challenges, more so than the average B2B or even B2C buyer, right? Depending on what kind of cybersecurity product you are. I deal with high consideration B2B buyers, so again, it stems from that realization and understanding that identifying what the pain is of the buyer, and then realizing that you cannot approach things the way you've done in other verticals with security buyers, it just doesn't work. So, if you're not identifying that in the first place, which a lot don't, how do you know if your strategies and tactics are going to work? You're just going based on
assumptions and guessing.
It seems like we went somewhere really, really wrong along the way, because I remember being a kid, and every now and again, we would get a random call and it would be of a telemarketer. I remember my parents going nuts, they would get so upset about someone invading almost our space, our home, to sell a product on the inside. Typically, you had to do it from the outside, way back in the day, knocking on doors, but when telemarketers got the strategy to reach people at their homes, it gave them a new level of access. I think it's the same thing in LinkedIn and social media, even our phones and emails, that we're giving people a level of access to reach us that is a little bit more personal than being outside of our house, but salespeople, marketers are still taking advantage of not being authentic, not really doing their research of the person to begin with. How did we ever think that was going to work? I'm sure you've worked on so many teams, seen a lot. Has someone just thought like, "I'm gonna
random dial 100 people, 1 will pick up and I'll have this amazing sell?" Does that happen on teams?
It does. It happens because the managers who are defining the strategy and the KPIs are setting the wrong KPIs.
How many calls are you going to get today? You got to send 100 calls in order to hit your quota. No. Okay, let's take a look at the actual results. How many calls did I make? I made 100. How many actually picked up the phone call? 3. How many turned into a meeting? 0. That's not even qualified meeting, that's just meeting to understand if there's need and fit. So, companies and teams are measuring the wrong things. It's not about quantity, it's about quality. As a demand marketer, I much prefer to bring in less demo requests and less meetings, but that are going to close at a higher rate and at a higher average sales price. Obviously, I'd like to see that incrementally grow, quarter over quarter, year over year, which it should, given you're putting in more money, you're figuring out what's working, you're dialing down and up specific things. But I don't expect to bring in 150 opportunities in one month.
That's crazy, especially for a series B company. It stems from: What are the right things that we should measure? And then, looking back and actually seeing: Do we actually have the analytics in place to measure the right things as well to understand if we're spending money and time in the right places?
You just brought up a lot of really good points that I think we need to double click on. For the folks that are listening to this right now, a lot of these people are cybersecurity practitioners, not a ton of markers, I'm sure, but there are some that listen to our show. But when we look at something like say, brand and brand awareness-type marketing, versus demand gen, how do you differentiate between the two?
Brand awareness brings demand. You're not going to capture demand or create new demand, if people don't know who you are and what you do and what value you're going to bring to them.
Very, very simple. It makes 100% sense. When we look at marketing, I feel like for cybersecurity practitioners, it is somewhat of a black box. With sales, the practitioner, they're working with the salesperson pretty regularly, they're giving them feedback, telling them what works about the relationship between them and he salesperson, and what also works between the relationship between them and the product, or them in the service. But for marketing, it almost seems like there's not that two-way street. I wanted to get your perspective on it. Is there a lot of conversation and communication between marketers and cybersecurity practitioners? Or, is it more marketing out, cybersecurity practitioner in, where we're looking at the news or the blogs that the marketing team is driving out?
I think the latter. The whole point of Audience First is because not enough marketers are talking to cybersecurity buyers. And this is my opinion, right? So, others may think otherwise. I frequently see other colleagues of mine, not specifically within Cybersixgill, but within the industry, right? All cybersecurity marketers are colleagues of mine, saying, "Oh, you know, I'll just mute my mic in the meantime, and the salespeople can talk or the sales engineer can talk." But no, why? Why are you muting your mic? Talk. Speak up. And I think that there's the stigma. "I'm not smart enough to talk." Well, hell yeah, you are. I mean, why should you sit down because, quote, unquote, the smart people are talking? That's ridiculous. And if we remain in the marketing cave, and continue to click on buttons and look at numbers, we're not going to do our jobs any better. So, I urge anybody listening who's a marketer on this call, and I urge anybody listening who's a practitioner on this call to foster that bidirectional relationship, to be open to marketers speaking to you, and to be open to speaking to practitioners and asking for feedback. Again, shameless plug, there has been great success with Audience First. In four months, I cannot believe how much the message and the mission has resonated and it stemmed from me just kind of like sucking it up and literally unmuting my mic and asking for feedback. That's how the whole podcast happened, and I wanted to know how to do my job better, because analysts’ briefings weren't helping me, reading articles wasn't deep enough for me, I wanted to ask very specific questions and to probe, and it's just reinvigorated my whole career, re-energized me, and I urge anybody to just be open to that and not be afraid. Take the plunge.
How did it really reinvigorate you?
I'm much more creative these days, than I was before. I'm thinking about how to do marketing
differently. There's validation, because the buyer is telling me what doesn't work for them and what does. I just posted about this, about what we're going to be doing at Black Hat, and I know that it's going to work, and we're already seeing the results, right? We're already seeing the right people coming to us and saying, "Hey, I want to learn more and I want to see how this works." And we're coming from an authentic place, where we want to help the industry do things better and we want to teach the industry something that they haven't learned before. And so, it's really powerful, and I'm an athlete, so being able to see numbers go up kind of innately drives me, and I see those revenue numbers go up. I see those opportunity numbers go up, the demo numbers go up, the meeting requests for Black Hat go up, right? I mean, who doesn't want to feel that kind of sense of accomplishment when you see what you're doing is impacting a whole organization? And this is just from four months, collaborating with my team and sharing with my team what to do. I won't say that all of the Black Hat strategy is on me, but a lot of the message that I externally present to my audience on LinkedIn, and rarely on Twitter, but mostly on LinkedIn, it's just overwhelmingly satisfying to see that, and not only that, your ability to get a seat at the table increases exponentially once you have those insights in your hand. I mean, I can't believe I didn't do this earlier, to be honest, and I don't know why I was hesitant to do it.
Uptycs Ad 14:33
The complexity of cloud infrastructure means every organization's security challenges are unique. Whether your challenge is threat hunting, policy management, cloud workload protection, or all of the above, Uptycs helps you quickly identify and eliminate observability gaps in your security program. That's Uptycs, analytics for the modern attack surface, observability for the modern defender. Check out Uptycs by visiting Uptycs.com Thank you, Uptycs, for sponsoring this episode.
I feel the same way, and that's exactly why we wanted to have you on the podcast. That's part of the reason why we do it in the first place is we have these realizations after speaking to amazing practitioners in all walks of life and realize, "Oh my God, there's so much that we can take and use in our current day to day." Working with marketers, they can give you so many ideas for amplifying your own message. If you have a great technology, or a great open source project, really working with a marketer and understanding their world is going to help you with your messaging, and vice versa. Marketers are doing such an amazing job at pushing things out, but what about understanding the cybersecurity practitioner, building those relationships is so important, and I see that you're doing that constantly through your podcast, through your LinkedIn. Since building relationships with cybersecurity practitioners, what have been some the things you've learned and are taking into your own day-to-day?
Recently, I learned that cybersecurity practitioners are equally curious to understand how to
communicate internally to their audience, which is huge. So, if I'm interested in probing, asking the right questions, learning how to build authentic relationships with my audience, I actively have a framework for that. How can I help my audience, the cybersecurity practitioner, do that within— Not just, how can I not just help them the marketers and the sellers, but how can I help the practitioner, who's innately kind of in a technical spot, develop those soft skills and communicate in terms that resonate with their audience? They're equally curious to learn how to do that. Many, not all, but many, because you either have to communicate to your CFO, or you have to communicate to the Board, or you have to communicate to sales or to the CMO, right? When you're in the organization as a security practitioner, you have to be able to support the business. It's not just about the technical side of things. So, I talk to a lot of people who are not used to translating numbers to speak that resonates to their audience. They're not used to translating tech to business speak. So, it's interesting, and it's really also very rewarding to be able to say, "Hey, here, this is how you could do it." It stems from understanding: What is their challenge? And it stems from understanding how to ask the right questions, so that you can essentially sell your story to them. In words that mean something to them.
I couldn't agree any more with what you just said. One thing that I have to be a little self-reflective when we're talking about cybersecurity practitioners as buyers is, honestly, I think we're a tough bunch. We are a tough bunch to get through to. We're tough bunch to have conversations with at times. How would you compare the average cybersecurity buyer to say, other buyers in the technology space? Is it harder? Is it easier? Are there quirks that you tend to see more often than not?
Interestingly enough, the buyers that I speak with in security, versus other industries, you know, I worked in the pharma industry, the big pharma industry— Don't even get me started with that industry. I worked in IT industry, selling cloud tech. Security buyers actually are much nicer, to be honest. I mean, again, I have my opinions and maybe it's because a lot of the security practitioners that I speak to have this mission to really help people at the end of the day, because their job is to protect. And so, I'd say that there's a heightened sense of sensitivity to these people that they have, or empathy, if you will. In some, not all, there are some sharks out there. But yes, they are a tough bunch to crack in terms of going in for the ask. And there's a process to going in for the ask, and I have that process. I'm developing that process. It's pretty universal, to be honest, it's not social engineering, but it stems from being innately curious, genuinely curious to developing a relationship to then being able to ask for
something in return. It doesn't happen on the fly. That's why cold outreach doesn't work, because how can I trust you if we haven't established a relationship? I have no idea who the hell you are. Why would I scratch your back? Or, why would you scratch mine if I don't even know who you are? Like, the whole point of security is not to trust everything that you see. So, trust and credibility is huge, ahuge part of that, and establishing authentic relationships is a huge part of that. And then, again, why it doesn't work all the time, because it stems from that initial problem that we talked about in the beginning of the
I want to go back to demand and brand for a second, because what you said was very interesting just now. I think it kind of goes to the marketing challenge, you're describing almost building a relationship with the problem space of an industry, but also with the people working in that industry. But what about when you're on the marketing, whether it's the brand or demand side, and you're trying to get people to do something, but you actually don't have access to them? You're not speaking to them in their inbox or on the phone, you're doing it through another means. How do you build that level of trust in relationships that way? If you look at marketing, and maybe compared to sales, sales people, they have access to the buyer. They're supposed to reach out to them, whether it's through the form of a call or an email, LinkedIn even, and build a relationship, hopefully, like you're describing, or sell the product or sell the idea. But what about, for marketers, that don't have access to the buyers typically? How do they build that level of trust that you were just describing? Like, that people typically do through building a relationship one-on-one.
I will counter and ask: Why should marketers build relationships with buyers? Why should it be siloed between marketing and sales? Because it's essentially one function, you're trying to make money.
Right, you typically hear the terms marketing and sales. I don't think there should be any silos. That's really what I'm getting at. Is there a way to break down that perceived silo? How do we do that? Because if a marketer reached out to me, I will say it would be less surprising now, because I have a podcast was a lot of collaboration. Years ago, it might have been very out of the ordinary. I might have not known how to approach that conversation as someone that was so technical and in the weeds.
Yeah, it comes from approach within organizations. There's a problem when you look at it as a
conveyor belt. Marketing, then you have the SDR function, and let's pass it on to sales to handle the actual relationship. When it should be all across the board and deep, because who says that if you're let's just say, I'm a marketer, and I'm posting something technical on LinkedIn, and the Head of Threat Intelligence reaches out to me and asks me a question. Why should I pass it on to sales? Why shouldn't I understand their pain first, right? And then, provide them an answer myself, because who says they're going to have time to actually reach my sales guy or talk to my sales guy next week? It'll probably take X amount of time. I could shorten that time and give them the value they need right away, if I, initially before even that conversation, identified the pain, established the relationship, had a conversation with people, and would understand what is the need of a head of threat intelligence, and to be able to probe for questions and give them the answer they need right away in that LinkedIn post.
It made me think back for a second. If that were to happen, with any of the salespeople I worked at, if I was working as a marketer and reaching out directly to the buyer, the sales rep might actually be upset. They have their own agenda, they're trying to do things their own specific way, and reaching out to them might cause friction, but what you're describing is like, hey, there should be that relationship. We're all working together, even with the buyer to make things just right and as they wish.
100%. And to be frank, I don't get commission. I get a yearly bonus, it is in my best interest to help accelerate that deal, right? So, I'm just trying to help out. Hey, guys, here's some foundation work, did a little bit of legwork, explored this, added it into your Salesforce notes. Here's some context that you should understand. Please take it forward, and you better bet that I'm going to follow up on that because I'm invested now.
Love it. Committed to doing the right thing. It sounds like the bonus is a nice to have, but your
commitment to do the right thing, to learn, and to also educate others is so evident from all the work that you're doing on the podcast and Cybersixgill. But I gotta ask, there's someone that may be down on their luck, where they feel like they're not establishing those meaningful relationships. Maybe it's due to their communication, but they want to reset and start over and try something new. What would you recommend for someone to start fresh when building their network and building these relationships?
Identify your bleeding neck challenge. What are you trying to improve right away? Write it down on paper. Identify who you're trying to reach at the end of the day. Who is your ideal customer profile, as they say? Or, who is your target audience? Look in your network, see if you have anybody in your network, or even look, by the way, look at a prospect who might have converted recently within your CRM, take a look to see if they're active on social media. Reach out to them on LinkedIn and say, "Hey, I'm not trying to pitch you. I just want some feedback on some messaging," or, "I just want some feedback on [insert your problem here]. Would you be open for a 7 to 13-minute conversation on how I could do better? Because I feel like I'm not hitting the mark here." And try it out, see if that person answers you and see if they become a trusted adviser to you, or vice versa become a trusted adviser to them. That's how it started for me, to be honest, I just frankly asked. "I made you mad. Okay, well, what did I do? Can you tell me? Because I don't want to do that again, it's not a nice feeling." And this person
was, frankly very, very generous in giving me his time, 60 minutes, to be exact, on the list of 99 problems that I have caused, and that I should not do again, and the alternative. It's not about identifying only the problem. It's identifying the alternative, and that's the point here, is for you to reach out to these people, these buyers for feedback on what to do differently.
Outstanding. It's those incremental improvements that really makes anyone great at what they do. Dani, just wanted to say thank you so much from the bottom of our hearts for taking time out of your busy schedule to hop on the mics with us. We are going to drop all of your links to your podcast, and even if folks want to submit a message or two to WTF Did I Just Read? Again, thank you so much for hopping on the mics with us, and we will see everyone in the next episode. Thank you.
Hacker Valley Studio 26:19
If you found value in this content, it would mean the world to us if you shared it on social media, sent it to a friend, or talked about it over coffee.