Field CISO work is closer to courtship than sales. And what I mean by that is, by the time a CISO has an urgent project, the field of trusted vendors has already been chosen, which means the year before the buying moment is the entire game.

The most underused word in cybersecurity is courtship. We have a thousand words for the same idea: pipeline, motion, sequence, ABM, demand gen, nurture. Every one of them assumes the relationship has not started yet. They describe the chase, but courtship describes what the chase is supposed to look like.

I have spent most of my career on both sides of this. I have been the CISO ignoring fifty vendor emails a week, and now I am the field CISO writing some of them. The view from both seats has convinced me of one thing: the people who win the long game in cybersecurity are not running sales cycles. They are running courtships, and I haven’t seen this talked about much yet, so let’s talk.

The Night a CISO and a Founder Customized a Sneaker Together

I host an event called Cyberkicks. Security leaders and founders come together to customize sneakers, with paint, markers, whatever they want. We have done it in Boston and London and are expanding to more cities. I assumed at first it would be a gimmick or not received well, but hey, at least I come home with new shoes. But I quickly realized that the reason I want to keep doing these is that something happens at these events that almost never happens on a Zoom demo.

Two people who are theoretically on opposite sides of a transaction sit down across a table and try to figure out the right shade of red for a swoosh. They argue about it. They laugh about how bad they are at it. They talk about their kids. By the time the shoe is dry, both parties have stopped pitching and let down their guard to open up to a real relationship. The sneakers are cool, but they’re not the point. The sneaker is the artifact of a relationship that did not need to be sold.

A month later, when one of them sends the other a note, it’s not a cold message. It’s a continuation of the courtship that has already started.

What the CISO Community Already Knows (and Almost Says Out Loud)

The cybersecurity industry has flirted with the relationship frame before. David Spark has been calling his podcast “couples therapy for security practitioners” for years, and the frame is sharp enough that it stuck. Phil Venables, in a piece he co-authored this past September, put the same instinct in plainer language: “Good CISOs play long-term games with long-term people. They understand the power of their peer network, contributing as much as they take.” The bad ones, he wrote, “are transactional. They tap their network only when they need a quick answer or their next job. They are takers, not builders.”

Both framings are pointing at the same thing from different angles. But “couples therapy” is a frame for a relationship that already exists and is potentially struggling. It at least assumes a marriage. And Phil’s framing, which I think is right, still describes the long game without quite naming what the long game is.

The long game is courtship.

Most of what breaks between vendors and CISOs is not a marriage problem. It is a pre-marriage problem. It is the courtship, the part before either side has agreed to anything, when the only thing on the table is whether two people want to keep talking. The entire vendor-CISO trust problem in our industry sits in this pre-relationship window. Once a real relationship exists, both sides usually figure out how to talk to each other. Reaching that point requires real, intentional work, because the damage is done before anyone has agreed to talk.

Four Behaviors That Build CISO Trust Before the Sale

When I think about the founders and field CISOs who have built real relationships with me, the ones I would take a meeting with at 8 a.m. on a Monday, they all do four things, and almost none of them appear in a sales playbook.

They show up before they have anything to sell me. The first time I hear from them, there is no ask. They are at conferences, they’re in Slack, they’re commenting on my LinkedIn posts with genuine interest and without following up with a pitch in my DMs. The relationship begins before the relationship is convenient.

They remember things. Not in the CRM-prompted way (“How was your daughter’s recital?”) but in the real way. They remember the side project, the half-formed strategic idea, the thing I was annoyed about last quarter. People know the difference between a note that came from a CRM field and a note that came from a person who was paying attention. 

They make introductions that do not benefit them. This is the rarest one I see in the field. A founder I would trust tomorrow is one who introduced me to a peer at another company because she thought we would get along, with no expectation of anything in return.

They are willing to disagree with me. This sounds backward, but the people I trust most are the ones who push back when I am wrong, gently and specifically. The ones who never disagree are also the ones I would never call for real advice. Their job description is to nod. A vendor who tells me my priorities are off is doing more work for the relationship than one who tells me my strategy is brilliant.

None of these behaviors scale. You can’t automate them or template them. They have to be done by an actual person paying actual attention.

Why Over-Personalized Cybersecurity Outreach Fails

The Oxford trust researcher Rachel Botsman has a definition I keep coming back to: trust is “a confident relationship with the unknown.” Put simply, that means not knowing what to expect, or the willingness to engage with someone whose response you cannot predict in advance.

Most cybersecurity outreach is trying to do the opposite. The instinct, when you want someone to like you, is to mirror them. To agree with everything. To become whatever they seem to want. It’s the cybersecurity equivalent of a bad first date. One person nods through the whole evening and afterward can’t be remembered.

The vendors I trust have a point of view and I respect them for that. They argue with me, they tell me when they think I am prioritizing the wrong thing and they have their own gravity. That gravity, the unknown of what they actually think, is the thing I want to connect to. If you sell to me by pretending to be me, you have eliminated the very thing trust is supposed to navigate.

This is, I think, the single biggest failure mode of cybersecurity outreach. Vendors over-personalize to the point of disappearing. But don’t twist that: the personalization isn’t the problem, the disappearance is.

How Field CISOs Scale Relationships Without Faking Them

Here is the part of the job that surprised me when I stepped into it: the math of field CISO work is much closer to a social network problem than a sales problem.

The sociologist Mark Granovetter, in 1973, defined the strength of a tie as a function of “the amount of time, the emotional intensity, the intimacy (mutual confiding), and the reciprocal services which characterize the tie.” His famous finding was that weak ties carry more new information through a network than strong ties. Acquaintances, friends-of-friends, people you know but don’t see often. Strong ties are great, but they’re dense. The people you talk to every day already know what you know — the same news, the same vendors, the same opinions. Weak ties are the ones that bring something into your world that was not there before. They are how the world gets bigger.

Field CISO work, done well, is the practice of cultivating a large number of weak ties and being patient about which ones to invest more deeply in. You can’t have a strong tie with every CISO in the Global 2000, but you can have a real weak tie with a lot of them. The courtship is the discipline of knowing which weak ties to nurture into something stronger, and when. The when is usually unannounced: a new role, a new problem, a vague memory of someone thoughtful at a conference a year ago. If you have been showing up steadily, you are the person they call.

Strategic Generosity: How Field CISOs Scale Without Burning Out

Adam Grant’s book Give and Take sorts people into three groups: givers, takers, and matchers. Givers contribute to others without expecting anything in return. Takers try to get more than they give. Matchers keep the score even.

The headline of the book is that givers cluster at both extremes, the top and the bottom, of professional success. Generous people either win bigger than anyone else, or they burn out. The difference between the two outcomes is strategy. Successful givers are not generous to everyone. They are generous in ways that compound, with people who don’t take advantage of it, in moments when their attention can actually help.

This is the missing nuance in most “be more human in your outreach” advice. The advice isn’t wrong; it’s incomplete. Generosity without strategy is exhaustion. But generosity with strategy is how courtship works at scale. The field CISOs and founders I respect most are not infinitely available. They’re specifically available, to the right people, at the right moments, in the right ways.

The math of it is slow and quiet. A thoughtful introduction here. A piece of research shared before it was asked for. A reference call taken on a Saturday for someone you respect. None of it adds up to anything visible in a quarter, but over years, it adds up to the rarest thing in cybersecurity: a small group of CISOs who will return your calls, take your introductions, and back you in conversations you are not part of. That’s the asset every vendor wants, but almost no vendor knows how to ask for it. It’s built one specific moment at a time, by people who never made it the goal.

Why the Buying Moment Is the End of Courtship, Not the Start

Here’s the math that, once you see it, you can’t unsee. By the time a CISO has an urgent project, they have three to six weeks to make a decision. They will not, in that window, evaluate a stranger. Instead, they’ll evaluate the small handful of people they already know, trust, or have heard of from someone they trust.

Which means the buying moment is not when the courtship starts. It’s when the courtship ends.

A vendor’s entire strategy can be optimized for the buying moment: send the email at the right time, catch the right intent signal, land on the comparison shortlist. They can hire the best AEs, run the best ABM plays, and build the best demo in the category. They will still have shown up at the end of the story. Courtship was the story, but they missed it. 

The vendors I’m most likely to buy from next year are the ones I’m building a relationship with today, when I have no project, no budget, and no urgency. They’re investing in a relationship that has no immediate ROI. That investment is exactly what makes it credible.

What’s Actually Broken

We’ve built a cybersecurity sales motion that is optimized for the buying moment and starved of everything that comes before. Put another way, we’re using transactional tools to solve a relational problem. And then we’re surprised when CISOs stop responding, when reply rates collapse, or when the pipeline number goes up and the conversion rate goes down.

The people sending the cold emails are not the problem, the system around them is. The fix isn’t to send better cold emails. The fix is to stop treating the year before the buying moment as a waste. The year before the buying moment is the entire game.

What This Looks Like, Day to Day

When I describe my field CISO work, I struggle to make it sound like work. Most of it doesn’t sound like work at all to most people. Most of it is showing up: at the dinner, at the conference floor, in the small Slack thread where five CISOs are arguing at 11 p.m. on a Tuesday. Most of it is reading more than writing, and asking questions whose answers I don’t actually know.

When it does look like work, it looks like making sure the founders I introduce CISOs to are worth their time. That the events we host don’t waste the room. That the follow-up note I send the next day references something we actually talked about, not something a CRM logged.

You can’t fake any of this past a thoughtful CISO. They have seen every play in the playbook. What they actually respond to is sincerity, patience, and the willingness to be useful before being useful is convenient.

The Real-Time Relationship

The world we sell into has changed. Buying committees are bigger, project windows are shorter, the information available is overwhelming, and the trust required to close anything is higher than it has ever been.

In a world like that, real-time security demands real-time relationships. You can’t build them on the timeline of a sales cycle. You build them on the timeline of a friendship: over months and years, before there is anything to sell, with people you would still want to talk to if no one ever bought anything.

The next decade of cybersecurity will reward the companies that figure this out, and the ones that don’t will quietly sink to the bottom. Not because they’ll be doing something wrong. They’ll do exactly what they have always done: they’ll run a transaction in an industry that has turned into a relationship business.


Jake Martens is the Field CISO at Upwind. He hosts Cyberkicks events for security leaders and founders in cities around the world. Follow him on LinkedIn for the next one. More of his writing on cloud security, runtime intelligence, and the field CISO role lives at upwind.io/blog.

Key Takeaways

  • The buying moment is the end of courtship, not the start. By the time a CISO has an urgent project, the field of trusted vendors has already been chosen.
  • Four behaviors build trust before there is anything to sell: showing up without an ask, remembering specifics, making introductions that do not benefit you, and being willing to disagree.
  • The cybersecurity sales motion is optimized for the buying moment and starved of everything that comes before. The fix is not better cold emails. The fix is treating the year before the buying moment as the entire game.