The Challenge
A mid-market financial services firm was interested in improving their cybersecurity posture but did not know where to start. They had no CISO, limited security budget, and a vague sense that they were not doing enough. Traditional feature-based selling would not work because they could not articulate their requirements.
The Approach
I offered a complimentary cybersecurity maturity assessment based on the NIST Cybersecurity Framework. Over three sessions with their IT team and leadership, I evaluated their current posture across all five NIST functions: Identify, Protect, Detect, Respond, and Recover. The assessment was genuinely vendor-neutral — I provided recommendations that included competitors where they were a better fit.
The assessment revealed critical gaps in the Protect function, specifically around identity management and access control. Their employees used shared passwords, had no MFA, and their identity infrastructure was a patchwork of standalone tools. I quantified the risk exposure and presented a prioritized remediation roadmap with our solution addressing the highest-priority gaps.
The Result
The maturity assessment positioned me as a trusted advisor, not a vendor. The prospect's leadership team approved a $1.3M cybersecurity investment — significantly more than they had originally contemplated — because the assessment made the risk tangible and the remediation path clear. Our solution represented $850K of the total investment, with the remainder going to complementary tools I recommended.
Key Takeaway
When a prospect does not know what they need, sell the diagnosis before the cure. A maturity assessment that is genuinely helpful — even recommending competitors where appropriate — builds trust that translates into a larger deal and a deeper relationship than any product pitch could achieve.