Hello, I'm Kerry Guard and welcome to Tea Time with Tech Marketing Leaders.
Today I'm joined by Matt Hathaway. You may remember Matt as he joined our live roundtable, where we discussed what it means to put your audience first. Matt and I discussed how to communicate, what problems you solve, and why you're the best at doing it. He makes it sound so easy. But we all know that while beauty and simplicity exist, it's a lot of work to get there. And that breaks it down for us.
Matt Hathaway is obsessed with establishing trust between security professionals and their potential vendors. He would never join a software company that didn't understand and address real security problems. His mission is to help the technically innovative find the security professionals who are sick of false promises. He joined TrueFort because the founders identified the gaps in their own data center environment and built a platform that analyzes all activity, an easily automated response in any application runtime environment.
Grab a pencil, folks, grab a notebook, or maybe take notes on the computer wherever you need to jot things down, so you don't forget. Make sure you have that on hand.
Here's my conversation with Matt.
Kerry Guard: Hi, Matt. Thanks for joining me on Tea Time with Tech Marketing Leaders.
Matt Hathaway: Thanks for having me. I'm excited to have you and for our conversation.
Kerry Guard: Before we get there, share your story with us, Matt. What do you do? How did you get there?
Matt Hathaway: I'm the Chief Marketing Officer at a company called TrueFort; we're in cybersecurity with a focus on protecting data centers in the cloud. I came across a very unusual path to marketing. I was a computer engineer for about five years after college. I then got into product management by way of essentially an invention that we later patented for a company called RSA. I've been in security ever since. About fifteen years, which is a lot of time in product management, have been primarily focused on spending time directly with customers and users and getting to understand what their challenges were, how they tried to manage an overall security program, and continuing to move more and more toward the buying path and working with sales from there. And eventually, here I am, leading a marketing team and taking advantage of what I learned from spending so much time on the phone and in the office with those security professionals.
Kerry Guard: Fifteen years, the industry is just sort of really taking off. So you've seen some things. How has the security industry evolved since you began?
Matt Hathaway: It's funny to think back to the RSA conference and Blackhat, two big annual events. And I remember, it feels like there were like 50, or maybe 100 vendors, and now it's 678. One hundred vendors yearly. It hasn't just exploded, and everybody's doing the same thing. A couple of key areas, like endpoint protection and SIM, have been there the whole way. They've had second and third iterations of the same technology of adapting it to new kinds of attacks, new infrastructure securing, and new types of attacks. But in the middle, there are all these different kinds of areas, sub-markets, new problems to address, and new types of solutions, especially as so many companies have started migrating to the cloud. It's a whole new type of attack surface to protect a new type of technology to adopt. Is it just continuing to get very confusing for many people? They have to say, “Why does all the software I already have isn't protecting? What does my team need day to day? How do we manage all of it?” This becomes the bigger and bigger managed services approach because this is just overwhelming. The number of tools to implement and the number of people to hire is a big change because it was originally thought of as you need security. It's not something that people generally want. It's very much moving into sometimes a company can differentiate because they have the best security and their end customers can feel safer.
Kerry Guard: So you're saying that companies need to build full teams dedicated to just security that's been the shift last?
Matt Hathaway: I mean, to manage all the tools they need. Some organizations, enterprises, and the world's largest banks, have hundreds of people just in security and all day, every day, trying to continue to take the tools to build what they need. On top of it, there's a lot of software developers in security organizations that are that size so that they can make sure it fits their organization because every company has slightly different networks and slightly different technology that they've given to their end users, and that makes them differentiate the customer experience. There's that, and then there are the companies that simply can't afford it. They have no one person trying to do security and finding a way to augment with managed services externally and finding other experts elsewhere to do it for them because they can't hire because it's such a competitive market. It's been talked about a lot about the security skills shortage, but the reality is that there are a net negative unemployment and security professionals. There are more openings, and our people are there to fill them.
Kerry Guard: Is that because there's a basic skills gap, or hasn't been spent training people? Or is it because technology is changing so rapidly that new skills always come into play where there's an opportunity, but not necessarily the people yet?
Matt Hathaway: It's definitely a combination of both. My father became a programmer in the 1970s when nobody went to school to be a programmer. He was a part of that 10-20 year gap where software programmers were just picked out of the factory or elsewhere in the company, and that's kind of where security has been for a while. And I think it's only in the last five years that there have started to be master's programs and other educational programs to become a security professional. But before that, somebody in it was curious and interested enough and make that transition. We'll see that for a while, and there are new skills all the time. Ten or fifteen years ago, when I got into it, you would never hear somebody talk about writing scripts. In a security job, they primarily manage tools and work with the rest of the organization. And now, almost every security professional I know has a basic skill set in Python and other scripting languages. It's often in a job description to say, "Do you know which languages you know?" It's difficult to find that diversity of candidates and enough of them.
Kerry Guard: It's interesting that you talk about your father and engineering because I've been learning that they teach languages in schools now. They have mandatory computer programming classes, where you learn how to write code, which is so cool, and I wish I was going to school now. And then that was offered to me. So I imagine it'll make its way into universities next. As they decide to be engineers, they'll have some diversity in terms of what kind of engineer they want to be in cybersecurity. I'm sure there will be something they can study. They'll have to because it's huge and complex. Would you say that's the current challenge you're facing, specifically for you? Matt, I know you talk a lot about your buyers' problems, but for you specifically, is this the challenge you're also facing? Or is there something else that's keeping you up at night?
Matt Hathaway: On the vendor side, our challenges are very different. It's a lot more about helping those security professionals that are employed and are in these roles and are trying to protect their organization, helping them understand what they need. There's a lot of over-promising in the security industry, and they've heard for a long time that if you just bought this, it's the only thing you need. And we're kind of competing with that and just trying to communicate, “You have 75 things you need; here's the one we solve for you, or here are the five, or whatever it is.” And to be concise with it and to be trusted, first of all, trustworthy to say, “These are things we can solve. We don't do those others; here are the partners we have that do that. Here are technologies we integrate with to help you because there's no silver bullet, no matter what some companies tend to promise. And there are so many startups that some of them,” And that's the way that they try and get in, telling you this is all you need. A few companies fall for it and then get burned. They don't have the money to buy what they truly need. There's that foundational, and then the security program matures. They need more and more as they change what they're doing as a company and grow and shift to the cloud. They continue to have to figure all these acronyms out there, which ones are the ones I need now, which ones are for later, and which are nice. And that's the real challenge we face on the vendor side.
Our job as cybersecurity marketers is to communicate the words buyers use every day, what they are planning for and budgeting for, and what they promised leadership and the board. Because it's become a board conversation security, what have they promised them? This is what we need this year, and it's our number one priority. And how do we identify and tell them? Your priority is something we do and not get into that kind of noisy confusion of only you can buy anything, this is the only thing you should buy. It doesn't help anybody, but companies still continue to do it.
Kerry Guard: I imagine as that company coming in, who wants to be trustworthy and who doesn't want to promise the world like yourself. You're talking about this audience now being skeptical, given the snake oil they've essentially been sold. How do you break those barriers down? How do you get to that conversation and say, “We want to help you get what you need. Let's figure that out together.” But you got it. You can't just open up with that one-liner and have a great conversation.
Matt Hathaway: Thankfully, the process of search engine optimization and top-of-funnel questions that people have naturally gone toward building trust. There was a time where if you bought the most Google ads, you moved up on results for when somebody searched organically, but they stopped that. It's good because a lot of building that trust is where they go for what some people call a learning center. Everybody has a different name for it on the website, but cloud workload protection would be relevant for us. And that's somebody a year and a half or two years from buying something. But if they find your website, it helps them understand and identify that this is the thing we need, and we got to put it in planning, and next year, we'll make a purchase. But then they'll return to your site, and you will become more trustworthy. You build up Google's trust as well, and then more and more people will find your site, reach there, and just come back. It's the best you can do.
I found that the first question people ask if you're not communicating is they'll walk up to your booth and ask everybody there, what do you do? So you need to use plain, simple terms on the booth. It doesn't create buzzwords. Don't call yourselves next-gen or whatever, but just articulate. We do this, and we do that. It's common terms and use cases that they might identify with, and then they'll come up and say, why are you better at cloud workload protection? Why are you better at micro-segmentation? All these are things that we do. If you don't use those terms in the booth, and again, nobody will ever stop by, and they'll never try and understand and start to get that trust and say, “Oh yeah, I've heard of you. I know this company, and I've been trying to understand more. I'd like to see a demo.”
Kerry Guard: There's a ton of work that goes into even just that same simple language. Starting with a brand study felt like taking something as complex as cybersecurity, specifically around the problems you solve. And then doing too, I heard you do say two things. One is you simplify the language, but you also talk in the language of your customers about what they're talking about it every day. How do you even begin? You spend time in front of your customer, so it sounds like you have a good handle on that. Do you bring that to your brand team or brand strategy team? What's our messaging here? And then you push that down through the company, so everybody is saying the same thing.
Matt Hathaway: Ideally, it becomes something that works with the entire leadership team to agree on what it is that we do and use that to build your overall high-level positioning statements and say that this is how we're different from the acronym I mentioned. There are just so many different types of tech. If you can't delineate why you're not endpoint protection, which we are far from, then the buyer is never going to, so you have to get agreement, at least on the leadership team across the entire company executive team. If you can't get that agreement, nobody will ever say the same words and come off and have the same. I won't say pitch, but overall language, what is it you do, and then you can build everything from central messaging docs to the framework to a messaging map. Your boilerplate that you use everywhere, all of that is much easier. Once you've established and agreed as a leadership team on what you do, that becomes something that people repeat. It goes into the standard first-meeting sales deck. It becomes a key part of building website content and everything else. Nobody is going to repeat it if they disagree. You need to get leadership to all walk through that exercise and have that healthy debate over what we don't do. You're also marketing to investors; that's just the reality of the vast majority. There are those rare privately owned security companies, but the vast majority of vendors are either VCs or some other type of investment, and they don't want to hear, "Hey, we're just doing vulnerability management," because that's an established base. You've got to be more than that. You have to have a compelling story that works for the investors and shows them that you have differentiation, are cutting edge, and are doing more. If you invent terms and only use those, then the buyer will not come running for a bunch of words they've never heard of.
Kerry Guard: Yes, messaging. I love how you were talking about being clear, and I feel that there's a lot more standardization around companies needing a brand strategy. The approaches that people are taking are interesting and relatively the same, but slightly different. It's nice to share how you come at it, which is helpful, especially when talking about the leadership team. Because I feel that sometimes, especially as marketers, we tend to treat ourselves like islands and take it all along and decide that we're going to figure it out, and it's just nice to be random. You're not an island, and there were a bunch of people who started this thing and start with them figure out why they started it, get on the same page, and then go from there.
Matt Hathaway: One reason I chose my current organization is having leadership familiar with the overall security space. They came from that role; they were much more the buyer in the past and were the vendor and part of the go-to-market, the revenue organization. We are broken into revenue. Marketing isn't on an island; it's a part of the sales organization. It's really important so that you don't hear the normal complaints at some companies where sales say, "Well, marketing doesn't do anything for me. They didn't send me any leads today. There's a lot more that they're doing for you."
Kerry Guard: Messaging is key to sales and sales being successful. So, having that out of the gate, having everything be the same thing, being very clear about what your niche is and why you're different in that, yes to all of that. Let's go back to the buyer because I think what's interesting about the buyer today is that the market is clearly exploding from everybody realizing they need cybersecurity and that they have to get started. But to your point, there's a wide variety of people who can't afford it to enterprise or are trying to figure out their budget. It's much easier to sell something to people who have marketers, and MarTech is probably a great example of this. Probably ten years ago, we didn't have marketing budgets, specifically for tools and MarTech. And that’s like...
Matt Hathaway: Sizable portion.
Kerry Guard: Yes. So there has to be, and I'm sure security will get there. But as it stands right now, do companies generally have a budget in mind? Do they know what they need? Or is it triggered? What is the framework and setup of these organizations who are trying to figure out how to get started with?
Matt Hathaway: I'm so glad you asked that because it's a bizarre obsession of mine. When I talk to industry analysts, when I talk to our own very successful sales reps, the thing I don't want, and it's key for sales to understand the buying trigger, like what gets them to say, “Okay, we will sign a contract.” We went through proof of value. We went through the process. But for me, the trigger I want to know about is what made them realize they need to budget and acquire something to do this. And it's usually one of two areas in security. One is a regulator, a cyber insurance company, or somebody who says you need the following tools to pass an audit or be insured. And that's becoming more and more common. There have always been things like PCI regulation, which is key to process any credit card data. So that was a big driver for years, but that only hits 10-20% of companies. But now, with these major ransomware outbreaks and other types of breaches that are constantly there, they don't discriminate; they'll hit any company, anyone that they can, and that's becoming a bigger thing for companies to get cyber insurance. They want to get it and can't qualify if they don't make sure they have the key 5 or 10 different technologies deployed and staff around them. The other side is when a company is just security-minded. They've committed to be at the cutting edge. The most secure company you can trust. A lot of companies that do this are already regulated. They're banks with advertisements out there that you can trust with your data and things that security-minded organization usually justifies budget years before a regulation or cyber insurance catches up. And they're just literally saying they can't sleep at night.
To perform better and be a competitive company, we need more of the latest technology running in the cloud. But what we already had for tools won't secure that. We got to go out and find it, and those are the early adopters. Those are any classic business books you read about the challenge of innovation. Finding those early adopters is great, but now you want to get more and more people into the mainstream if you're going to be able to sell your cutting-edge technology to them.
Kerry Guard: So, the triggers or insurance, trust messaging, is there anything else that will trigger somebody to go and say, “Oh, I need this. I need to start thinking about security.” I'm assuming breaches would be because it's after the fact.
Matt Hathaway: That's a great point. It's the organization in between. We're on the cutting edge of security, and our regulator said those companies are the ones that said, “Hey, we just saw this other company that's kind of lose business for a month because ransomware took them down. They couldn't access their key systems to deliver to their customers and even just have their website online selling well. Whatever they sell.” So that's compelling to them to say, “Okay, what can we do?” They often fall back on various frameworks that may not be PCI-level disk prescriptive. Here's what to do to secure your organization as a minimum bar, but there are companies or organizations, I should say, not a company, but like NIST and a few others, like the Center for Information Security (CIS). These organizations are just third parties that try and give overall best practices and guidance on how to secure your organization. And from the cloud to your laptops to servers that you have in your building, how to secure them, what kind of system configuration to use, what kind of technology to put on top, and how to build out a security operation center, they have all of this guidance. And that's usually what people fall back to. Because if you're worried about a breach and don't have a security team, you have to start somewhere, and that's often the best way to go. It's also another thing as marketers that we can say, “Here's what part of NIST or CIS we help you with.” And again, not saying, “You're completely fine. We got the whole thing.” Because no company, no vendor does, but often, that's what they want to hear, and that creates that gets you into proof of value, and then moving on, but they're talking to 5-10 vendors to try and hit their list. It took 12 requirements that they have from that set of best practices.
Kerry Guard: It seems overwhelming.
Matt Hathaway: I can only imagine it because usually, when I meet a security team of one or five people, they have to set the top priority, then go and justify it to their management team and say, “Hey, this isn't going to make our company more agile. It's not going to make us deliver faster to the customers. But here's why we need the security purchase, what it will do for us, and why it's worth this amount of money.”
Kerry Guard: Imagine nowadays, it's a little bit easier to justify the cost because it's becoming a selling point to the end user. If you don't have security proof points in place, but you house a lot of their personal data, and you're not being very clear about your security policies, there's going to be this shift in the universe.
Matt Hathaway: It's even a common question in RFPs. For other types of IT technology, software, or any purchase, you'll get an RFP. There's an entire section on how you're securing this data, and that's business to business. But in B2C, it's the same consumer who wants to know, and you probably have a webpage and a trust portal on your website saying, "If you're a big enough organization, here's why we won't give away your personal data, but also how we're protecting it." So that is one way to justify it, and that certainly helps them, but it's still like, "How much is the right amount to spend?" is an ever-growing challenge that they face, like, "Okay, but you need this tool, and you just bought that one last year. Why is that not enough?" and it's not an easy process. It's great when you can assist them with this kind of business justification. Don't just send over a blank spreadsheet with a proposal to pay this amount. But here's what you'll get and what we found with other pieces from your peers: how they've justified it, how they've found ROI, how they've calculated that, because you can't just say, "Hey, if you know, there's a 1% chance you'll be breached, and that'll be a trillion dollars." It's like that is meaningless to people. This makes our job easier. We can't hire fast enough; this makes it so we don't need as many people as we can go with, mostly with the people we have today.
Kerry Guard: I imagine this comes back to the problem you were talking about earlier, where it is really hard to hire, especially in these niche sort of technical aspects of finding people with even these skill sets that don't even exist yet. Technology is a great way. You can't just say, "This is such a problem, and MarTech, this is the time where this technology will just take care of this problem, and we'll set it and forget it." Please don't do that. I imagine, especially with security tools, it's not set.
Matt Hathaway: I won't name any of them, but CRM vendors are perfect. This is the best, and it's in the cloud. So you're all set, and it's like, "Okay, but then why do I need somebody to spend six months customizing it for me?" And the answer is yes. Investing in a new user experience is important for us as a vendor to try and make it faster to deploy less effort to manage. There's never a "just click here," and it's completely installed perfectly. It's not like Pandora's service, where you say, "I like this band," and they'll play music forever; that doesn't exist in technology. Every organization is different; they all have different laptops and different people. It always takes some sort of customization and adaptation to their organization, and that's something that's definitely a challenge that they have to face most of all, but we have to try and help them with it, and it's not a marketing problem. It's a technology problem. It's a product problem.
Kerry Guard: Even once you install it and get it set up, you can't ignore it. You got it in; that's where the team comes in, and there is overhead. When they're talking about budgets, I imagine these budgets grow pretty quickly, especially once you get insurance involved, and who's dictating what you need and what needs to be secure. These are big.
Matt Hathaway: And again, what you just mentioned is why you will never catch the attention of a security professional if you say your technology is all they need because they know they need it. There's always been talk about the pyramid of people, processes, and technology for security. And they know that people in the process are the most important to. Tech has to fit in, if you just sold them, it's just going to sit there and not stop any ransomware attacks or anything else that they're worried about; it has to be managed, and it has to be something that a human can interpret on the other end to act when they need to or not act when they don't need to; and that fit into their overall just ongoing programs. Security is a program in a company. It's not a technology stack, just like marketing. The marketing stack does nothing on its own.
Kerry Guard: Is security becoming its own extension within an organization, or does it roll up under it? Or does it start under it and then eventually break off? It sounds like it's becoming its own entity.
Matt Hathaway: For years, security was reported to IT. It was almost consistently, you'd hear a CISO, the chief information security officer, report into the CIO, the chief information officer. That's not 100% of the time anymore. Sometimes they report to a CTO. Tech is so important to the company—maybe they're a high tech company—that security needs to be a part of the overall development process and the thinking of day-to-day operations. Sometimes they report directly to the CEO because security is such a common topic with the board of directors. And we hear more and more of that. Boards want to know the security approach, what's the spin this year, and why you're not worried about whatever newsworthy security issue was recently in the news. Why are you not worried about that? And how are we making sure that we won't be that name in the news for that negative reason? We won't be impacted. As that becomes more of a board conversation, you have more business-minded CISOs and more CSOs who they don't even have the information in their title of Chief Security Officer. More of them are just reporting directly to the CEO.
Kerry Guard: And that makes a ton of sense for where this is headed. Thank you, Matt, for sharing all of this information with us about the buyer, as we all try and understand who we're trying to market to and what problems they're really having, especially to your point in two years for them to buy a tool, from starting to ask some questions to pull the trigger and making a decision. And understanding where that trigger is, where that budget comes in, is the pinnacle of helping them out and being available when they're ready to make those tough, just tough decisions. Am I going to go with this, and what problems are they going to solve for me? And how many tools do I need? And how much is this going to cost us? I mean, those are big challenges for these security CISOs to figure out, and I love your approach; I think it's so human, so real, and really what they need. Thank you for sharing that with us. What sort of advice do you have for anybody who's looking to get started, whether that's selling to these buyers or even those who are starting to think about security needs?
Matt Hathaway: It's tough to have just one left behind, but I think it's a lot. I can identify much more with the people trying to sell to them; I would say, not necessarily go to a certification program, but go somewhere those buyers would go to. SANS Institute is just one example. But there are a lot of places that have third-party security training. You should know what they're learning and hearing if you want to sell them. Otherwise, you won't be speaking their language, and you're one of the 1000 vendors sending them an email saying, "Hey, can I get five minutes of your time?" And I know what you do for me, why would I spend five minutes with you?
Kerry Guard: I love that. And you mentioned it at the very beginning, too. I'm glad we circled and you gave us the institute's name. If you think of any more, be sure to send them over. I'll drop them in the show notes. Because anybody who's listening is trying to figure out how to get into security and knowing that there's a big market coming up and people are looking for jobs, it's a great place to start. So good. Before we wrap up here, I have my people's first question because your person is more than a marketer, so it's nice to get to know you a bit more. Are you ready?
Matt Hathaway: Sure. I think so.
Kerry Guard: Okay, my first question is: have you picked up any new hobbies in these last few years, given COVID? And the new order of things?
Matt Hathaway: That's a great question. I have done much more lawn care than I ever thought. When I’m isolated to this small plot of land, as opposed to traveling, I listen to podcasts, which I never did before, walk the dog, and have a home gym. When I used to have an actual gym, I would be a member, so I wouldn't say it's like any one great hobby. I do cook a lot more. I'll say that it tends to only be on weekends, so I don't help that much. But I have gotten into cooking different dishes from scratch, including one I was just curious to make. I've recently made a chicken marsala that came out authentic, and that's not the most challenging thing, but just diversifying the kinds of foods I've been making.
Kerry Guard: You must share the recipe with me and some of your favorite podcasts. So you can share those. Thank you, this was awesome. I appreciate you joining me.
Matt Hathaway: Absolutely. It was a lot of fun. Thanks for having me.
And that was my conversation with Matt Hathaway. If you'd like to hear more from Matt about how better to connect with your audience, check out our roundtable. The link is in the show notes. You can also find that on LinkedIn. Be sure to connect.
Thank you for listening to this episode of Tea Time with Tech Marketing Leaders. Please like, subscribe, and share if you found this conversation helpful. I appreciate the support.
This episode was brought to you by MKG Marketing. Our agency accelerates the mission of cybersecurity vendors via SEO, digital ads, and analytics.
It’s hosted by me, Kerry Guard - CEO and co-founder of MKG. Music mix and mastering done by Austin Ellis.
If you'd like to be a guest, please visit mkgmarketinginc.com to apply.
Matt Hathaway is the Chief Marketing & Strategy Officer at TrueFort.