Pieter VanIperen, Chief Information Security and Technology Officer at AlphaSense, shares what it really means to simplify security by focusing on context, value, and relevance—not volume or complexity. This conversation challenges the assumptions vendors make and offers real-world principles that security leaders can use to make better decisions.
⬥GUEST⬥
Pieter VanIperen, CISO and CIO of AlphaSense | On LinkedIn: https://www.linkedin.com/in/pietervaniperen/
⬥HOST⬥
Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com
⬥EPISODE NOTES⬥
Real-World Principles for Real-World Security: A Conversation with Pieter VanIperen
Pieter VanIperen, the Chief Information Security and Technology Officer at AlphaSense, joins Sean Martin for a no-nonsense conversation that strips away the noise around cybersecurity leadership. With experience spanning media, fintech, healthcare, and SaaS—including roles at Salesforce, Disney, Fox, and Clear—Pieter brings a rare clarity to what actually works in building and running a security program that serves the business.
He shares why being “comfortable being uncomfortable” is an essential trait for today’s security leaders—not just reacting to incidents, but thriving in ambiguity. That distinction matters, especially when every new technology trend, vendor pitch, or policy update introduces more complexity than clarity. Pieter encourages CISOs to lead by knowing when to go deep and when to zoom out, especially in areas like compliance, AI, and IT operations where leadership must translate risks into outcomes the business cares about.
One of the strongest points he makes is around threat intelligence: it must be contextual. “Generic threat intel is an oxymoron,” he argues, pointing out how the volume of tools and alerts often distracts from actual risks. Instead, Pieter advocates for simplifying based on principles like ownership, real impact, and operational context. If a tool hasn’t been turned on for two months and no one noticed, he says, “do you even need it?”
The episode also offers frank insight into vendor relationships. Pieter calls out the harm in trying to “tell a CISO what problems they have” rather than listening. He explains why true partnerships are based on trust, humility, and a long-term commitment—not transactional sales quotas. “If you disappear when I need you most, you’re not part of the solution,” he says.
For CISOs and vendors alike, this episode is packed with perspective you can’t Google. Tune in to challenge your assumptions—and maybe your entire security stack.
⬥SPONSORS⬥
ThreatLocker: https://itspm.ag/threatlocker-r974
⬥ADDITIONAL INFORMATION⬥
✨ More Redefining CyberSecurity Podcast:
🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast
Redefining CyberSecurity Podcast on YouTube:
📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/
⬥KEYWORDS⬥
ciso, appsec, threatintel, trust, ai, vendors, bloat, leadership, tools, risk, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast
[00:00:00] Sean Martin: And hello everybody. You're very welcome to a new episode of Redefining Cybersecurity. This is Sean Martin, your host, where I get to talk to cool people about cool topics, and, uh, someone I met not too long ago in Las Vegas at, at Black Hat, at a, at a great networking event. Mr. Pieter, how are you doing?
[00:00:20] Pieter VanIperen: I am good. How are you?
[00:00:21] Sean Martin: Very good. Very good. You've been, uh, you've been on the road traveling a lot since then.
[00:00:27] Pieter VanIperen: I have.
[00:00:28] Sean Martin: Mul multiple places, multiple, uh, I don't even know what you were doing, but, uh, maybe we'll get into some of that. Um, but we had, at that dinner, we were together. We had, uh, a lot of interesting conversations and some, some real down to earth, in my opinion, uh, views on what security looks like: operations, AppSec, um, yeah, vendor relations with CISOs. You name it. I think we touched on a lot of stuff there and, uh, I'm, I'm thrilled to pick a few of those things, [00:01:00] uh, today and who knows, maybe have a chance to have a few chats. Um, before we get into it, maybe your role at, uh, as a CISO at AlphaSense and maybe a brief overview of some of the things you've done leading up to, uh, to that role.
[00:01:13] Pieter VanIperen: Uh, so currently the CISO, also CIO at AlphaSense, so I own security and IT, um, which is interesting. It's a good way to get in a fight in your own brain. Um, so, um, and, uh, prior. That's right. There's, it took all like three days to get to, to that point. Um, uh, prior to that, I, I was the CISO at, uh, Own, which was acquired by Salesforce.
Prior to that, um, deputy CISO at Clear, like at the airports. Uh, I was a managing partner of an 80-person boutique consultancy for two years. Prior to that, uh, deputy CISO at Disney and Deputy CSO at Fox. Uh, first head of cloud and cloud [00:02:00] security at Fox. Um, and then bucket of different technical and security roles at Ameritrade.
Co-founded a couple startups, exited to probably not as big exits as I would've hoped, but exited nonetheless. Um, and uh, yeah, I've been, so I've been kind of on the tech side, CTOs, CIO, CISO, CITO once tried that on. Uh, and, and, and so yeah, I, I, I, I think that, um, I actually think that's part of what kind of grounds, a little bit of, of my viewpoints in, in kind of security, uh, and, and the realism is, is like having lived and breathed kind of the pressures of the different aspects of a business.
Um. Kind of really takes, uh, the wind out of the sails of kind of, um, you know, traffic cops, or is actually, I was at an event last night and, uh, [00:03:00] it was, it was a Yankee game. You have a
[00:03:01] Sean Martin: There you go.
[00:03:02] Pieter VanIperen: and, um. A, a guy caught a ball, the crowd booed at him because it was a home run from, from the White Sox. So he threw it back on the field, and then some security person decided this was like their mission and had a field day and like kicked him outta the game.
And, and you're like, this is the exact kind of thing you wanna avoid as like a CISO, right? Like there is context to what occurred there. Like, sure, it wasn't the greatest decision, but like there is context there. This guy was not there. He was not making a scene. Otherwise there was nothing else going on.
And like, Lord knows what happened to that person, but I'm just like,
[00:03:40] Sean Martin: off camera.
[00:03:41] Pieter VanIperen: you know, but this is, this is like that, that, that kind of, um. There, there is no place for zealots in, in security. Um, it just, it makes a mess real fast. And I, and it was just like the exemplification of that last night, just, and, which was funny 'cause I'm at an event [00:04:00] with like, I dunno, 50 other CISOs and we're all watching this in the, in the suite, right.
And this is our job. And we're all like, that's crap. Like, what, what is, what is that? Right? Like,
[00:04:10] Sean Martin: Yeah.
[00:04:10] Pieter VanIperen: like, oh, I'm surrounded by good CISOs. This is good. This is good.
[00:04:14] Sean Martin: A little common ground there. That's cool. That's cool. So you mentioned. A lot of different roles, but, um, and you highlighted the fact that you are in a lot of different roles that keep you grounded and, but you also mentioned a lot of different industries and sectors and size of organizations and I'm, I'm wondering.
Because there's, there's been a lot of talk. Of course you hear it, I'm sure that CISOs know, need to know the business and they need to know their, the market and the customer that they're serving and the risks that come with that and be able to speak that language while also understanding the, the technology aspects of it and translating the risk into how that impacts, uh, operations and, and back to the business.
And. [00:05:00] So all those different roles, all those different sectors, also all those different size organizations, how do you, how do you shift your view? How, how do you get that understanding and maybe is it a general understanding business, a core set of things you need to know that applies to everything regardless, or, I don't know, maybe, maybe some thoughts on that just to
[00:05:21] Pieter VanIperen: I think, I think there's a couple of things. One, um, I, I think there's, it's, it's funny because I'm gonna say something and I bet you CISOs who might be listening are gonna dispute what I say, but like, um, you have to be uncomfortable. Uncomfortable in being uncomfortable. And I think that a lot of CISOs feel like they're comfortable being uncomfortable, but the reality is a lot of CISOs are comfortable in emergencies.
Emergencies are not the same as being uncomfortable. Right. Emergencies. Actually, I think a lot of CISOs like emergencies because emergencies are very easy. It takes [00:06:00] kind of everything. Now I'm gonna get a lot of hate mail, but they're not easy.
[00:06:05] Sean Martin: I, I know where you're going. I know where
[00:06:06] Pieter VanIperen: From a, from a strategic and mindset standpoint, you're very clear-eyed.
You go into kind of like training you've had, you facilitate priorities really quickly and critically. And you, you take action and there's, there's like a, a dopamine loop that goes along with being, um, in an emergency, which I know again, might sound weird to listeners, but like there is, um, way, way, way back in my career, I was actually an EMT trainee.
So like I, I was, I've, I've run the gamut, like there's probably a personality trait here that we're, we're unearthing, but um, at the same time, there is. The like uncomfort and discomfort I'm talking about, which is like kind of being out of your zone of genius, not really knowing, having to kind of like learn on the fly, [00:07:00] figure stuff out.
Um, becoming an expert in a day on things kind of stretching all day long. Um, that kind of like. Marathon type training exhaustion, that that occurs. And I think that is one of the biggest traits, right? I, and I think there are different types of folks who gravitate to this role in leadership roles. And I think there are people who, uh, they're kind of more like fixated on problem solving and fixing things and, and.
Holding standards and things like that. Um, there's people who are, you know, like their zone genius is very technical and they feel like at a certain point I can't grow anymore technically. So I manage and there's people who very much manage but they don't want to do and, and everything in between. And the reality is to, to have been in as many environments as I've been in, you have to be [00:08:00] comfortable kind of with the fact that like.
There is no ideal mix. You're gonna walk in and every minute, every day. What skills are coming to the forefront and how you have to handle that is, is shifting. Right. And, and like, if you are not comfortable with that, it's very hard. Right. And, and I think there are people who, you know, are very well suited for like small startup life and there are people who are very well suited for big corporate only and like trying to shift around there.
Is going to be too uncomfortable for them. Um, and I, I think that kind of answered your question, but I'm not sure if I did.
[00:08:42] Sean Martin: It does and, and actually the. Leads me back to a time when I was building product and the whole, I was a program manager. The whole point of my role was to be comfortable with ambiguity and lead a team, lead a team through that and. It's easier said than done, [00:09:00] right? Because you kind of, you, you don't know what's coming where and where the hiccups are gonna be and who's involved.
And of course, we're all people. So personalities and, and work ethic, you name it, it all comes into play. And of course, same, same for a CISO working with the team and the business and threat actors and the like.
[00:09:16] Pieter VanIperen: Well, and, and I think that the, when I say being comfortable with being uncomfortable, I think it's, we all have propensity when we're uncomfortable. To find comfort. But I think to your point of like comfort with ambiguity or being uncomfortable, or being comfortable with being uncomfortable is no, you have to lean the other direction.
Like I could go and just say like, I'm gonna go and like code a, a way to go sniff out secrets all day. And I would love that, right? But that's, that's not doing my job. Right. I would have a hell of a lot of fun, but that's not doing my job. And so like. There is, there is an internalization of kind of when it gets uncomfortable fighting your instinct to kind of [00:10:00] run towards what you find comfortable.
[00:10:03] Sean Martin: And I think the, another trait, uh, in the industry, I don't know if it's changing maybe your thoughts on this as well, but, um, kind of being the, the, the level of comfort and di versus discomfort, I think generally we're looked to as being experts. In cybersecurity and it's, we have a question. What's the answer?
Right? And, and it's hopefully because it's tech, it's zero, one, black and white. What's the answer? Uh, not always reality. And so we see a lot of change and of course we see a lot of transmission transformation over the years from, from desktops to cloud to, you know, how we have AI and all this kind of mobile and AI and all this.
Um. Where leaders don't understand cyber leaders may not understand ai, leaders may not understand, um, automation and orchestration with agents regardless of if AI is built in [00:11:00] or not. And I'm wondering how, how do you as a CISO kind of tapping into some of the other roles, help educate the business and business leaders of.
Here, here's what you need to be aware of. You think you might know what you're talking about. You think you might have the idea of how this is gonna shape the business, but here's what, here are some of the things you need to consider as well.
[00:11:22] Pieter VanIperen: So I, I think that there's the, I don't know if I'm the best person to answer this, but I'll tell you how I deal with it. I, I would say that, uh, I think it's a really important for leaders to have a trait of, um, going deep. Right. Um, which may sound like the opposite, right? But, but there's, there's two ways to lead, right?
And, and, um, sometimes you rely on others and you rely on your kind of circle of experts, right? So like, look, I am the first [00:12:00] person to say like, I don't know everything there is to know about legal. I don't know everything there is to know about HR. There, there are places like I really, I, I work with all the time in my career, but I've really never played like in those zones.
And I quite frankly, don't really have a deep interest in playing in those zones. But when something is material to me, right, um, I don't particularly have a great interest in HR, but insider threat falls under me. I have to deeply understand how insider threat works, and there is something to say that I don't have to understand as deeply as my head of insider threat, but I have to understand it deeply enough.
And so I think what people tend to, uh, miss when something like AI is coming around that's so ubiquitous, right, is that it's going to be ubiquitous. To our world, right? And just like our business is ubiquitous to our world, or using basic computing apps is ubiquitous to our world. If I'm going to lead people through that, I [00:13:00] need to go deep.
And I might have a different angle at going deep than say someone who's the CMO, but I would also have the expectation, the CMO's going deep and that we are going to have a commonality in being able to speak to each other in the things that are common amongst our verticals. Usually tied to understanding the business and what is important to the business.
Then you need to have that breadth across everything else. But you have to be willing to dive deep and lean into those places of breadth where it matters to the business, right? And so if you are in a, my favorite thing in the world is like if you're in a highly regulated business. And you don't understand compliance and regulations, you probably shouldn't work at a highly regulated business, right?
Like it's core to what you do. So if you are not leaning in and learning about it, you are making way more work for other people, right? And part of your job as a leader should be to remove hurdles and [00:14:00] to simplify and keep things fixed. And that's really hard to do if you don't understand these, these core components of your business.
And so to me, I think like, when you see these big tech revolutions, to your point, they're, they're ubiquitous now, right? Like name a company that doesn't have stuff in the cloud. Name a company that doesn't have a mo like mobile presence. It's like you have to lean into those things then because they are part of your business language now.
[00:14:27] Sean Martin: Yep. Yeah, and I, I like the point you make. Um. With respect to removing roadblocks and keeping things simple, I think a number of the things we talked about when we met in person were along those lines. Um, CSO leading their own team. So not not the broad business aspect, but just more of what are all the things I'm being pitched.
For all the problems I'm being told I have. Um, how does that relate to reality? How does that relate to how I [00:15:00] drive my team? And you mentioned threat intelligence. Um, I'm, I'm doing a lot on AppSec, so AppSec in my head. And I think we talked a little bit about AppSec as well that day. So what are, what are some of the things that you think. Your peers or the role in general, even yourself, um, as you continue to learn, right? We're
[00:15:20] Pieter VanIperen: Yeah.
[00:15:21] Sean Martin: Um, what are some of the things you think we dig into that adds complexity to our own lives as, as a team of security practitioners that perhaps we should rethink or reconsider?
[00:15:35] Pieter VanIperen: I, I threat Intel is one of my favorite things to talk about. Threat Intel should be helping all of us, all the threat Intel vendors are about to get mad at me. Threat
[00:15:51] Sean Martin: There we go.
[00:15:53] Pieter VanIperen: should be helping us. However, the idea that there is [00:16:00] generalized threat intel. Flies in the face of what the definition of threat intel is, right?
And we see that across a large swath of security products, right? There is this, um, idea of kind of cross application and broad purview. And don't get me wrong, the community within security is critically important, and the fact that we do share information and share understanding is critically important.
But my problems have overlap with your problems. They're not the same problems. My stack is not your stack. Who cares about attacking us is not the same as who cares about attacking you except when everyone's being attacked, right? Which does happen. But like generally speaking, there are distinct differences.
And I think one of the biggest distracting things [00:17:00] is not understanding those differences in what applies to you and what doesn't. And I think that happens in tools in the way that vendors present it to us. I think that happens in information. Um. I think that happens in the idea that we're going to platform everything.
Like the, the thing that actually works is what works. And that sounds like I said nothing. But what I mean by that is if I. I like to take a lot of things that we do in the digital world and kind of take them out into the real world and shop them around and, and think about them through the lens of the real world.
And, um, one of my favorite things that I see people who are less experienced in security do is put like 47 locks on the door. And, and you're like, look,
[00:17:55] Sean Martin: Right.
[00:17:56] Pieter VanIperen: one, maybe two.
[00:17:58] Sean Martin: 40. Good.
[00:17:59] Pieter VanIperen: For, [00:18:00] yeah. Right. Like it was just those last seven. Right. And, and so I, I like to think about it and it's like if you go to the real world and you think of every single way you've ever been screened to like get into an event or something, right?
And you stacked all of those things up in a row and said, okay, go get into this event. You would absolutely hate it. And 90% of it would be meaningless. But in a lot of places we do that in the cyber world and we do that outta a place of like fear and kind of like we don't know where the boogeyman is coming.
But part of that is self-inflicted because we spend a lot of time looking at that large nexus of information instead of understanding what we actually have and what is the best way to protect it. Right. And if we start to dig down into kind of more simple principles around what we actually need to protect, um, [00:19:00] it starts to simplify our lens.
And the other thing is you also start to understand that there are things that, um, are like commodity. I'll give you a, a really weird, perfect example. Um. I should probably care if a laptop gets popped as a ciso. And I do. Everyone who's listening who thinks I don't, I do. Um, but if I'm at a company where the majority of people who are walking around with laptops don't really ever touch the data, right, um, I probably realistically put an EDR on those laptops.
Tell them if it hits a certain number of signals to just wipe it, sandbox it, it's gonna ruin Sally's day, but whatever. Right. And that's it. Like I could go do a whole bunch of more things, and I'm not saying I wouldn't depending on the company, but [00:20:00] if those laptops are not really going to hold any significant data, right.
Maybe they're just, all the laptops in the fleet are just people walking around with sales decks doing pitch meetings all day. Okay. Public information, right. They're on the road. They're not connecting into our network. It does. Right? Like, and, and we tend to ignore those things and have this quote unquote, like best practices playbook and, um, you know, whose practices, is it the best practices for us or is it just you read about this somewhere, and this is how you secure a laptop, right? And it goes back to, it's like no one would ever be like, this is how you secure such and such event. And then like, just have like a line of 47 things outside. Right? Um, and, and so, and I, I, I think it's, you know, one of [00:21:00] the airports are an interesting and incredible thing, right?
Um, there's really heavy security at certain airports. Things still go on and there's really light security at certain airports around the world and nothing ever happens. You know what, while most people are on vacation in like the Caribbean, they're not thinking about doing bad things, right? Like, like the threat nexus is different, right?
And so I think we have to understand, really deeply understand that as security pro practitioners.
[00:21:34] Sean Martin: And is that a matter of, I mean, 'cause there there's no lack of, no lack of frameworks, no lack of, um, yeah. Standard policies you might follow. Um, certainly no lack of regulations that that set specifics and also broad things that we have to look after. But is it more of a. Operational view of what really matters.
'cause [00:22:00] you're talking about I don't care if the laptop I do, but I don't care if the laptop gets popped. It's because it's because you've put it in context of your business and you've, you've set, 'cause you're also the CIO set your, set your environment up to be operating in a way that. It's probably not as impactful as perhaps some other organizations.
So I'm, I'm assuming you've learned that and maybe is there, you mentioned the word principles are, are there set of principles that guide you, and if so, can you list some of those that maybe shape what you're talking about versus frameworks and policies and regulations?
[00:22:37] Pieter VanIperen: So I, I like to look at, uh, similar principles to principles. I think of when I think of managing an organization, right? There's a lot of complexity in managing an organization. Um, so I think about, uh, context. Knowing the context, understanding the ownership, uh, then I start thinking about things like, no two people should worry about the same thing at the same time.
Right. [00:23:00] Um, other principles are that correlate. There are things like, um, if no one is doing it and no one cares, it probably doesn't matter, right? Like, um, you know, and, and kind of. Starting to go through that. Right. Um, and it, it, the thing that's always impressive to me is, you know, you look at vendors and tools, um, I've, you know, speaking, you know, I've, I've had lots of experiences.
I've absolutely have had. Tools that are brought in, you know, the, the homeowner, I like to call it the homeowner special, right? Where it's like people just keep going back to Home Depot and buying more tools. They still don't know how to wire their house. Right? It's still gonna burn down at the end, but fine, more tools will help.
Right. Um, but there's so many tools and they're sitting in that closet. And I, I've literally lived through the occasion of like realizing like. This [00:24:00] tool hasn't been on for like two months and no one knew if that tool has not been on for two months, do you even need that tool? Was it doing anything right?
Um, and I, I'm not saying it depends again, the context matters. Maybe it, it matters, right? Um, but the reality is. If you can't answer that question, like why do you have that tool? Right? Um, and that's, that's I think one of the principles. Like I have a. I have an interesting, uh, education, uh, compared to many CISOs.
Um, and I had one mentor and his rule was, uh, I'll, I'll leave out the expletive, but like, if you don't need it, get rid of it. Right? That was, hi. Like one of the things I still take to this day, and I think we just need to simplify in a lot of places. Um, I also wanna be clear that does not mean, uh. [00:25:00] It drives me a little batty when I hear CISOs say, if we just had good hygiene, all the problems would stop.
Well, I agree that security really boils down to about like 15 core principles of like just not, you know, right. I also don't think that's true. I think there problems are still gonna happen. People make mistakes. We need backstops, like just doing the fundamentals. If that was ever enough, then like no bad things would happen to good companies and things like that.
Um, but I do think we need to look to simplify in our industry a lot.
[00:25:45] Sean Martin: Yeah, a lot, lot to think about and comment on there. I, I want to maybe look at this from, um, where was I gonna go with this? The, 'cause one of the other things we talked about that I want to touch on was the, the [00:26:00] idea that, and alluded to it a little bit. Tons of problems being, being identified by vendors.
Um,
[00:26:08] Pieter VanIperen: Yes.
[00:26:09] Sean Martin: some solutions tackling a problem, some solutions looking for a problem, right? Um, and so to your point, if you might have a lot of stuff on your stack that may or may not be used. Maybe di maybe difficult for you to figure out which ones are, which ones are valid, which ones are providing a good return, but there's no lack of new stuff coming your way.
And I think one of the things we, we touched on, you're, you're pretty vocal about, and I, I think I touched on a little bit in an article I wrote after Black Hat was the idea if, if as a vendor, if you can't tell me the why,
[00:26:45] Pieter VanIperen: Yes.
[00:26:45] Sean Martin: um. Uh, it's gonna be hard for me to listen to you and figure out how and where you fit in.
Um, and that was really in the context of a lot of the AI stuff we were hearing as well. They can't explain [00:27:00] that we have ai, we can't explain why or how it works or
[00:27:03] Pieter VanIperen: But it's there. The letters,
[00:27:05] Sean Martin: Exactly we have it. So it doesn't have to be about ai, but just your general thoughts on how, how that presentation works and how do you as a CISO kind of filter the stuff that matters?
'cause there may be a nugget in there, right? Maybe, maybe something really does connect to that principle and it's gonna make your life easier and the environment safer and reduce complexity. Complexity and all that. So, I dunno your thoughts. I'll stop rambling.
[00:27:33] Pieter VanIperen: Y Yeah. Um, I, look, I, I think there's three critical mistakes vendors make, especially having, you know, as I'm a CISO, but I've been a CISO at vendor companies for several years now. Um, so one is like. You need to be able to describe your value prop and how you are different in 30 seconds. If you can tell me about all the cool magic and and different technical [00:28:00] things your tool can do, but you can't tell me what problem you're solving for me or what solution you have to my problem.
You don't have value. You've, you've built cool tech seeking a problem. I am not investing in you to find problems for you to solve. Right. Um, and I, I love the, the pitches of kind of the everything machines that I get, right? Like, um, just gimme access to all the data and I'll do magic for you. And it's like, what?
Why, what are, why do, why would I give you that? What is, what is the benefit? Um. And I've seen really bad benefits when you press there, right? Like, oh, we can block this, like one particular type of email. Oh, okay. Like, great, what's that's, that's a
[00:28:44] Sean Martin: We, we can protect that laptop you don't care about, Pieter.
[00:28:47] Pieter VanIperen: There you go. Right? Like it's, it's, and and I think that's like the second mistake follows that, which is when they can't find, uh, a problem instead of listening and understanding [00:29:00] whether or not I have a problem, that their tool.
Can solve. They instead try to tell me that I have a problem, which is always fun when I get a LinkedIn message telling me about, don't you hate how long your GRC takes or don't you hate this, that, that, and the, and it's like you, again, going back to our earlier conversation, your problems are not my problems.
My problems are not your problems. We all have different problems. If you as a vendor are gonna start telling me what problems I have, I'm, I'm instantly tuned down. Because you're not interested in partnering with me. And I think that's the third thing. I think, um, you know, when we, we met, we had a conversation about like, how do you, but how do you get a CISO's attention?
How do you sell to a CISO? And it's actually funny because in, in my travels in the past week, I met someone else who had, who had a somewhat similar background to me. And it kind of worked on both the like vendor and having to be selling and face of and consulting and then like also. Being sold to and everything else.
And we were talking about the fact that like the [00:30:00] number one, like top people we've worked with in our career are people who literally would like meet us and be like, Hey, let me know if there's anything I can do. And you're like, yeah, yeah. And they're like, no, no, really. Like I get it. It's a community I want to help.
Right. We're looking for partners as CISOs, and I know now I'm gonna get like 50 million LinkedIn messages that are like, I just wanna help. Right? But, but, but realistically demonstrate to me. That you care about partnering and building a relationship and wanting to help, because when I do have that emergency and things do go to crap, 'cause that is part of my job, I need to know that you're gonna be there and you're gonna actually sincerely be there and help. One of the grossest things to me.
And I will put, I, I hopefully I'm gonna, I know, Sean, you're dragging things outta me.
[00:30:57] Sean Martin: I am,
[00:30:58] Pieter VanIperen: me in trouble here. But, but like. [00:31:00]
[00:31:00] Sean Martin: I'm on the hook with you here,
[00:31:01] Pieter VanIperen: Some of, some of the, um, partner organizations I very much like to participate in. And I've, I've seen it kind of fade away mostly, but it's like, one of the things that kills me is like, there are events and like partnership organizations and you'll stop being a CISO because you leave a company you don't like and like, you're not, like, you're not a CISO for like three months or stuff.
And they'll be like, no, we've had a relationship with you for five years, but until. Until you have that buying power back, good luck. Bye. And it's
[00:31:35] Sean Martin: Wow.
[00:31:36] Pieter VanIperen: um, okay, right?
[00:31:39] Sean Martin: That is, that is gross. Gross is a good word
[00:31:42] Pieter VanIperen: right. And you're like, well, wait a second, but I'm gonna, I, I, I've still got 20 years left. I'm gonna be that guy again in three months.
[00:31:50] Sean Martin: Right.
[00:31:50] Pieter VanIperen: Boy, did you just make a mistake? Right? And, and, and I think that. That is, that is just an in an incredibly important thing [00:32:00] because, um, people often think that, uh, you know, being, getting a business deal done is transactional. And in general, I can tell you, and, and maybe I don't know everything in the world, but I can tell you I've done a lot of business in, in my life and transactional business deals.
It's not a way to build business. Putting that opinion aside, it's definitely not a way to deal build business with people who are holding the bag when everything goes to.
[00:32:33] Sean Martin: Right. Yeah. There's so much in there and yeah, I see a different, different side of it. Of course, I was building and working, building stuff for vendors and, and bringing 'em to market and selling it and all that and, and kind of help a lot of vendors. Some their, uh, go to market positioning and I, to your point, the transaction.
Right? How long, how long is the sales. [00:33:00] How quickly can you push that through? How quickly can you find the person who owns that and close that deal? That's probably what you're, you're seeing from the vendor's perspective. I see it on the other, the other side of the transaction, which is how many leads can we get to translate into potential deals?
And, and it's, it's so numbers driven that it, it, I I feel for the folks that, that really have to deal with this and 'cause that's the way they make their living. Yet
[00:33:32] Pieter VanIperen: I,
[00:33:32] Sean Martin: reality, it's, it's, it does boil down to trust and partnership and relationship and, and being there when things go wrong.
[00:33:39] Pieter VanIperen: The best encapsulated story is the, the person I met and, uh, I'll change some details because it's his story, but like, basically he, uh, was working for a company and someone needed his product and. Uh, they worked in like a, a kind of like a charitable organization that did some really [00:34:00] nice stuff for like children and they, they simply could not like, afford the product, right?
And so he discounted it down as much as possible and they came to him and they're like, we love the product, but we just can't afford it. And he looked at the price and the costing and he realized that the most expensive part of the price was like the ProServe that was necessary to like get this thing stood up.
And. He went to a bunch of folks he knew and he asked them to basically volunteer the ProServe, like on their own hours. And he got like approval to basically write that out of the contract. And that like, essentially they would do it even though they didn't know how to do it. And like the, the folks would come in and do the ProServe and he did this just because like he liked the kids.
Right. And this is, this is kind of like what I'm talking about when I say like. Help do something. Right. Um, and he did it and, and they were like, why are you doing this? He's like, I like the kids. I want the kids to be able to like have this, I wanna help you guys. Right? That's like just coming from a [00:35:00] good place.
He thought nothing of it. And. The person who we helped called him up when he moved and changed jobs, and he said, Hey, like, uh, the person was, was now in charge of like a large organization. He was like, we're moving the whole large organization to the cloud. And he's like, okay, you want me to fill out an RFP?
And he is like, no, no, no, there's no RFP. Give me a price. If you're gonna take us to the cloud and he's, and then he is like, look, from then on it was like anytime he go somewhere and look, I have contacts like that. All CISOs do right there. That's what I think people don't understand who are kind of, you know, these SDRs and BDRs and people who are, who are trying to get, there are people.
Who are on the sales side, who are legitimate friends, who I go and visit, who I'll hang out with, who I'll have beers with, who, who I will call when I go and get my next CISO job and my next CISO job. Because I trust them [00:36:00] and because when things, even when they aren't gonna get a deal, they're gonna help me.
Even I've actually had one salesperson who I'm friends with literally look at what I needed to do and go, you know what? We're worse at this than our competitor. You actually really need our competitor. Now, I'll never say who that was because I don't, I, I, I love that person. I don't want anything bad to happen to him.
Right? But, but that is a trust mechanism that is critically important as a ciso because at the end of the day. You sell me snake oil if I can't trust you, if you disappear in the dark of night when I need you. It's not just me, it's all the other people, employees, customers, everyone else who I am responsible for protecting that you're letting down.
So my barrier to doing business with you is [00:37:00] higher than a lot of other departments in a company because. As a ciso, failure happens, but my job is to avoid it as much as humanly possible. Right? Does that make sense?
[00:37:16] Sean Martin: Yeah, totally, totally makes sense. And I'm, I'm just thinking of, I mean, there, there are so many technologies and new solutions, and they're all, well, I say all that. They're, they're looking for a way to, they wanna help, right? I think yes. People are, are, they start a business, but it's usually driven by I see a problem or I, I see a new way to look at this.
I'm gonna build something and, and hopefully I can connect it in a certain way. Some companies pivot, some whatever. I think ultimately they, they wanna help, but especially young, young SDRs. They don't know how to help beyond selling what they have to sell. This is what I have. Hopefully it meets a need.
And Tru I [00:38:00] trust, I trust my organization to deliver value in the area that I'm, that I'm selling to you. But beyond that, I don't know, do they have the knowledge of the rest of what you're dealing with to to be helpful.
[00:38:14] Pieter VanIperen: See, but, but I think that is for some reason we've decided as a society that an SDR's job is to talk. An SDR's job is to listen. Right? And I can't tell you how many organizations I've worked in where like the worst of the worst of SDRs usually have high numbers. In like gross contacts and like, um, quote unquote leads.
But when you actually look at like, I'm not gonna use like the terms to confuse people, when you actually look at like, lead qualification and like, can this person buy the product? Are they actually interested? Are they just trying to get you off the phone, et cetera. It, it's like the number's up here. And then when you, you actually [00:39:00] qualify, the number comes down here and they're actually quite at the bottom and.
The people who are often the highest and qualified leads actually have lower numbers of, of contacts and gross contacts and outreach, and they usually have a lower number of incoming leads, but that's because they're taking time with the folks on the phone to qualify and find the leads that are qualified.
And look, to some extent, sales is a numbers game, but I often think that like when, if you need an incredibly high volume. Of SDR outreach to sell your product. I'm sorry, but I have news for you. One of three things is happening. The good one is the market's not ready for your product. That's rare. The second one is your product's not very good, and it's not getting a lot of attention for that reason.
And the third one is. You have the [00:40:00] wrong ICP and, and you don't. You're not targeting the right people and you don't understand your market. And the problem that I have there with all three of those is the root of all of those problems is that someone above the SDR also didn't take the time to outreach and listen.
And so you have this systemic rolling problem of folks. Who don't listen and are trying to prescribe a problem onto a population and say, I know you have this problem. I can fix this problem. I know you have. Which everyone loves to be told what problems they have in life. It is, it is a fan favorite.
[00:40:42] Sean Martin: Favorite. Uh, I'm gonna quick, very quickly. Two stories. I think it's relevant. I, I try not to talk too much, but, but my guests talk, but two stories are relevant. I hear here. I think so. One, back in the day. Y2K timeframe. Um, everybody looking at this particular world of [00:41:00] everything's gonna crash
[00:41:01] Pieter VanIperen: Mm-hmm.
[00:41:01] Sean Martin: the turn of the year, turn of the century, and we had a, a huge platform, the company I was working for, and it could do everything.
It was, it was GRC before it was GRC with it managed, ITSN, built in all this stuff. And what we found was that if we just changed what we're looking for, what we're hearing from our customers. We realized it wasn't just about which machines are gonna fall over it turned into where can you find the machines that are having hard drive failures, lack of memory, um, issues connecting to the network or whatever it was at the time that was important.
And which of those were due to be replaced in your, in your sale or your renewal cycle? So you can make the best purchasing and, and budgeting decision, not just be, be prepared for Y2K. So it was a very financially driven thing and customers like. [00:42:00] This is cool. You helped me solve a problem that we didn't, didn't know we had, but it's very specific in a way.
You weren't selling a big platform. You were selling, here's how you're gonna go and buy new machines. They're gonna solve this. The majority of your challenges, of course, Y2K didn't happen. But, but then, so the other story I wanna highlight, and then maybe some your, some of your thoughts if you have another story, but, uh, and I'm not gonna mention who, but I, I was with some customers recently for a company. And a lot of them described use of the solution in a certain way, and if a majority of those people that I heard from then said, when, when this vendor removed this blocking point. And helped us get from A to B. Our world opened up. We were able to expand the C, D, E, F and G in the solution and become more successful in our, in our, uh, management of the, of the challenge that they're trying to [00:43:00] solve.
And so instead of what I was hearing and hearing from them is if the company or the vendor would help me overcome this challenge, which isn't. A problem that the product's solving, it's a problem with the product in my environment,
[00:43:16] Pieter VanIperen: Yeah. Yeah.
[00:43:17] Sean Martin: we could be so much more successful together, um, versus the, the vendor just pushing, well, you need C, D, E, and F now because you've been, you've been on A and B for three years.
Why can't you? And I dunno, it, it just seemed really strange to me that that wasn't seen when I, when I heard this story.
[00:43:36] Pieter VanIperen: I think that, look, having been an entrepreneur right? Um. Entrepreneur is like riding, uh, the, the most hellacious rollercoaster that exists in the world right there. I, I've actually coached, uh, and advised entrepreneurs and I've said, if, if you're not like once a quarter sitting in your chair in the dark at [00:44:00] night, kind of quietly crying, and you can't choose which of the six reasons why you're crying, like you might not be pushing hard enough, right?
Like, it's like, it is, it's a, it, there's a brutality, um, to it. Um. I think because of that, some of the brutality and some of the, um, you are, you're, you're birthing a baby, right? And, and no one likes to have their baby called ugly. But I think that, um. If you're not willing to have your baby called ugly by folks who really know what babies should look like, um, then you're probably gonna end up handing someone like a baby cat, and they're gonna be like, that's not, that's not what I want.
Right? Like, that's not, that don't look like a human. What is that? Right? And, and, and so. I, I think there is this mental trick that you have to take where, look, there's a lot of bad feedback you get as an entrepreneur, but you have to understand the people [00:45:00] and find the customers who provide good feedback.
And you have to, you have to outreach and find people in your circles, beg, borrow, and steal, and get people to mentor you or work with you who can help you guide the product, who are willing to share their knowledge with you. And don't get me wrong, like. One of my entrepreneurial ventures was a media company.
We, we literally hid expletives and changed like two things in a layout. And I will, to me, this comment still lives with me 'cause it's just so amazing and, uh, quote. Whoever did this, it's probably the CTO that was me. Right. And I'm like, yes, that's, yes, that is, those are equivalent, right?
Like you can't, you can't use, uh, certain expletives now have like dollar signs in them. So that that exists. And you get that as an entrepreneur, right? And you're, you're gonna [00:46:00] get a lot of stuff like that.
But you have to, you have to be Teflon to that, and you have to ferret out the people who are really going to help you, um, target your problem space, right? Because what you're trying to do as an entrepreneur. Which is the trick and why listening is so important is, like I said at the beginning of this call, and I did not intend for this to go full circle, but it kind of works out perfectly, Sean,
[00:46:24] Sean Martin: There we go. Look at that.
[00:46:25] Pieter VanIperen: um, your problems are not, my problems are not the next person's problems, but there is overlap between all those problems and what you as a vendor, if you wanna have a product that's really going to explode.
Is you are listening to your different customers and to the different people who are willing to talk to you, and you are looking for that overlap. And that's also FYI for everyone listening. Why platforming tends to fail so badly and it's one of the worst things you can do as an early vendor is to [00:47:00] try to build too much and go too wide, too early, because you need to spend time finding that core overlap.
And really finding how to like spread out from that core overlap so that you, you are starting to add value and solve that problem a little bit for everyone. And then it grows into fully solving that problem for all those customers and. If you, if you don't listen, finding that overlap is really, really hard.
And so you might understand something or have seen something that you think is a problem that's 5% overlap with. 30% of the people, and I don't know math really quick, but that's not a good number of people to be selling to. Right? Um, so you have to figure out what that is. And that's, that's why like it goes back to the, um, the sales journey.
Um, I, I think the other thing that [00:48:00] lacks is, uh, going back to the numbers, games, those leads that don't qualify, there's often very little feedback gathered. As to why they're not qualifying and the, the leads that don't qualify. It's like the, the old, you know. Plane in World War II, it's where, where are the parts that that aren't shot?
Those are the ones we have to protect. Right? It's the same thing. It's like these are the leads that aren't qualifying. Why aren't they qualifying? And in theory, should they be qualifying? Right? If, if a co, if, if you're talking to a company that's billion dollar company and they're saying, I have no budget for that.
That that doesn't get marked as they can't afford us. That's why they're not qualified. There's a problem there. Right. Um, does that make sense?
[00:48:49] Sean Martin: Yeah, it certainly does. And the whole, I mean, we can talk for an hour on platforms I think as well. I think PLA platforms is a VC problem, right? They, they want a company, they're [00:49:00] investing in a company, they'll have a good return. They wanna be the platform that. Everybody plugs into, but as a, as a CISO you don't have a platform problem.
You have a, you have, you have a particular problem that maybe, maybe one day might be part of a platform, but there's so many vendors building platforms. And then there are one little piece of that with the, with the hopes that there'll be the base that everything else sits on and they'll, they'll get a nice return for their investors.
But
[00:49:28] Pieter VanIperen: I to It's, it's a weird thing to me because if you look at most other technology, it's like you look at a plane, right? Plane is a large, complex thing that needs to operate United, or even going to like Boeing or Airbus, they don't build all the parts. They put 'em together. Right. So it's like, even as a VC controversial, I, I friends with lots of VCs, but I'll be controversial for a minute.
Like even if you're a [00:50:00] VC. If you wanna build a platform, go out and build a portfolio of companies that can work with each other and complement each other, and then help co-sell them to customers and say, Hey, these guys are, they all know each other. They all work with each other. They're all highly integrated.
Look, everything works together. Magic, right? But then if I don't need two of your companies, I don't have to pay for something I don't need and I don't want, and is going to. Look at your product as though some part of it is not functioning for me, and therefore I should get rid of it and find something that fits what I need.
Right? So it's like, there, there are, there are solves to these problems. And look, I'm not a VC, so I'm, I'm sure there are barriers to doing that, but like we, we work in the world of invention like.
[00:50:54] Sean Martin: Yeah, well, I've seen a few investment firms do something close to that and they actually use a [00:51:00] lot of the technology themselves. Um, so they could actually understand this is the stuff we have, here's how it works together or doesn't. Here's how we're gonna guide our portfolio. And then we have a, a common, common message to share.
Um, rare, I think.
[00:51:16] Pieter VanIperen: it.
[00:51:17] Sean Martin: And, and probably, probably very different risk model, uh, from an investor perspective too. So you have to, I'm sure, I guess somebody has to pay for it all. Some somebody somewhere up front or at some up front or at the back end. Ah, Pieter, I keep chatting with you forever. We didn't really get into AppSec.
Maybe, maybe we can chat about that in another time. But, um. Uh, so good to see you, my friend, and, uh, enjoy being grounded for, uh, the next little bit anyway, and, uh, for the next travels. But, uh, yeah, thanks a million. So good to, to, uh, meet you and to have this chat and everybody listening. Thanks for joining us and, [00:52:00] and, uh, yeah, put, put all your arrows toward me.
Don't, uh, don't shoot 'em at Pieter. He's just being, he's just being honest with you.
[00:52:08] Pieter VanIperen: you can shoot 'em at me. It's fine.
[00:52:10] Sean Martin: We go. Uh, thanks everybody for listening, watching, uh, do subscribe, share with your friends and enemies, and, uh, we'll see you on the next episode of Redefining Cybersecurity. Thanks, Pieter.
[00:52:19] Pieter VanIperen: Thanks.