Episode III: Revenge of the CISO – The CISO, the Salesperson
By Mark Dorsi, CISO | Advisor | Mentor
If you’ve been following along with my previous articles, you know one thing at this point with absolute certainty — I love any and all things Star Wars. Original trilogy? Check. But I’m no purist, turning my nose up at the prequels. There’s some great stuff in those films. Obi-Wan and Anakin’s final fight scene? Come on. It’s epic.
These days, in my role as a CISO, I find myself thinking about one particular moment in that ultimate showdown. Obi-Wan stands above a critically injured Anakin, shouting down to his former Padawan and friend, “You were the chosen one!!” His voice is full of pain, resentment and disbelief. How did it all go so wrong for his promising young protégé? I think most CISOs have a similar moment of self-reflection when they come to a realization there’s simply no getting around. We’re not just CISOs. We’re storytelling salespeople.
The Dark Side
One of the chief complaints shared amongst CISOs is how and why we are being sold to, and I think in large part that’s because it’s essentially forcing us to look in the mirror. There is a whole podcast on this relationship / duality I’m quite fond of called the CISO Series (formerly the CISO/Security Vendor Relationship Podcast).
Internally, we are constantly selling the business on investing money or time into what we bring to the table. Whether that’s convincing an engineer to spend their time helping us build something, lobbying the CTO for specific tools, or demonstrating security progress to the executive board, it’s all sales at its core. We rarely have the resources within our team to effect the kind of change required to address the copious number of issues at hand.
Externally, we have to be able to convince customers and partners that we’re addressing the most pressing security concerns in a strategic way. This includes demonstrating security compliance, penetration test results, and building trust through effective communication.
The High Council
At the core of this issue is that most vendors and products only cater to the CISO’s team. But the CISO’s team already understands the subject matter inherently. They are the High Council. The real challenge lies in communicating the value and outcomes to stakeholders who don’t come pre-programmed with that understanding.
Modern founders in the cybersecurity space need to sell beyond the CISO—to customers, partners, executives, and even the board. Have you talked to the decision-makers who actually sign off on security budgets? Have you framed your security value in terms of audit readiness and revenue protection?
Jedi Mind Tricks
Steve Zalewski, former CISO of Levi’s, famously asked vendors, “How will your product help me sell more Levi’s?” This simple question forces security vendors to think strategically. CISOs don’t just need another security dashboard—they need tools that enable business growth and operational efficiency.
Imagine if every security vendor provided CISOs with well-crafted, board-ready materials that articulate risk, investment, and outcomes in a way that decision-makers understand. Instead, CISOs often have to do the translation themselves, consuming valuable time and resources.
Rebels to the Rescue
As a coach and mentor for more than 20 years, I’ve seen firsthand that competition drives improvement. The same applies to security: Organizations need to benchmark themselves against peers to determine whether they are accepting too much or too little risk. The ability to assess industry baselines, understand cost implications, and quantify security investment is critical.
For example, while a board might need a high-level risk overview, an engineering manager will need a detailed breakdown of how their team’s efforts affect security posture. The right security product should dynamically tailor these insights for different audiences.
The Force of a First Impression
All too often, security products present users with a generic, one-size-fits-all dashboard full of blinking lights. It might look impressive at first, but if it doesn’t provide actionable intelligence, it quickly becomes noise.
Effective security tools should:
- Personalize dashboards: Show executives risk exposure and ROI, while showing engineers remediation guidance.
- Enable informed decision-making: Help CISOs justify security investments with data-driven insights.
- Reduce friction: Streamline workflows so security doesn’t slow down business operations.
Embrace the Path of the CISO
Security vendors need to stop selling just to CISOs and start selling to the broader business. Today’s CISOs are under constant pressure to justify investments and quantify security impact. They need tools that provide a clear, compelling narrative that translates security into business value.
Filling this gap is the job of security vendors. Everything we implement must be done with extreme care, as the wrong tool or policy can hinder business velocity. We need security solutions that help us understand risk in the context of Zero Trust, compliance, and competitive differentiation.
Final Thoughts
CISOs are not just defenders; they are storytellers and salespeople. Security vendors must step up and provide solutions that help CISOs articulate risk, justify investment, and sell security as a competitive advantage.
As always, I’m more than happy to work with each of you to refine your value proposition. Let’s make the world a better place—one security conversation at a time.
May The Force be with you!