Stephen Thomas · SVP of Sales and Business Services CIS Security Nonprofit

GTM Strategy for Multiple Buyer Personas: How CIS Security Runs 5 Business Units With One Team

How CIS Security's SVP aligns GTM strategy across 5 business units and 18,000+ buyer personas—frameworks, metrics, and tactics for resource-constrained teams.


Running a GTM strategy across multiple buyer personas isn’t a coordination problem — it’s a prioritization problem. When you have five distinct product lines, buyers ranging from solo-operator county offices to Fortune 500 enterprises, and a sales and marketing team of roughly 100 people generating $150M in revenue, every misalignment costs you more than it would at a focused, single-ICP company.

Stephen Thomas, SVP of Sales and Business Services at CIS Security, operates in exactly that environment. He oversees go-to-market across five interconnected business units — the CIS Controls and Benchmarks framework, a GRC platform (Secure Suite), hardened cloud images, managed security services, and the multi-state ISAC serving 18,000+ state, local, tribal, and territorial entities. The buyers in that ecosystem range from a librarian doubling as a county security engineer to procurement teams at large state agencies to enterprise risk officers at private-sector corporations.

The question Thomas is solving isn’t abstract. It’s operational and urgent:

“How do I with a limited team, right? We’re a hundred [person team], you don’t read about us. We’re $150 million business… how do we go drive engagement across those multiple businesses when we’re serving so many different entities?”

What follows is how he answers it.


Key Takeaways

Executing a GTM strategy across multiple buyer personas with a resource-constrained team requires three non-negotiable commitments: ruthless ICP segmentation per business unit, a journey-based (not point-in-time) customer model, and thought leadership as the primary pipeline engine. CIS Security manages five business units and 18,000+ member organizations by mapping each unit to its natural buyer, meeting those buyers at their security maturity level, and using freely available frameworks and educational tools to generate demand without a bloated outbound team.


Deep Dive

How Do You Build a GTM Strategy When You Have Five Different Buyer Personas?

The foundation of any multi-persona GTM strategy is mapping each product or business unit to the buyer it serves best — and refusing to apply one story to all of them. At CIS Security, each of the five business units has a distinct natural buyer: the multi-state ISAC serves state, local, tribal, and territorial entities; the GRC platform (Secure Suite) targets enterprise-level risk and compliance teams; hardened cloud images reach DevOps and infrastructure buyers; managed security services serve SMBs who can’t staff security internally; and the Controls and Benchmarks framework reaches the broadest possible audience through open distribution. Thomas’s starting point is not “how do we sell everything to everyone” — it’s “where does each solution fit best, and how do we organize limited resources around that fit.”

“It goes back, you start with focus and focus leads into things like your standard ideal customer profiles and all the good things that everyone does from a basic approach perspective. But the compelling thing for us these days is… how do I organize that against the current tool set that’s available and the current resources that I have from a selling perspective and a marketing perspective.”

The practical application of ICP focus under resource constraint is sequential, not simultaneous. Define 2–3 primary ICPs per business unit. Standardize the message for each ICP to avoid channel confusion. Allocate limited sales headcount based on unit fit — not equal distribution across all units. Only then do you layer in cross-sell motions, and only where a buyer’s journey logically supports it.

This is the error most multi-product GTM teams make: they treat all buyer segments as equally accessible with the same playbook. Thomas’s approach treats each business unit as its own GTM motion with shared infrastructure (data, CRM, content assets) but differentiated personas and messaging.


What Is the Member Journey Model and How Does It Drive Cross-Sell?

The Member Journey Model is CIS Security’s framework for sequencing customer engagement based on security maturity rather than product availability. Instead of pitching the most advanced solution to every buyer, the framework maps the buyer’s current state against the CIS Controls framework, identifies their critical asset gaps, and prescribes the next logical step in a defined progression.

The six-stage sequence:

  1. Assess current security posture against CIS Controls
  2. Identify asset criticality and exposure
  3. Determine budget and risk appetite
  4. Prescribe the next step — not the most advanced tool
  5. Validate fit before introducing adjacent product lines
  6. Measure and re-assess for the next phase

“We have something called the member journey. Whether you’re a private entity or a state local entity where, if you will, using the controls framework, we meet that particular entity where they are in their security journey.”

The first entry point for most buyers — particularly small and mid-size entities — is asset management. Thomas is explicit about this: before any conversation about GRC platforms, cloud images, or managed services, a buyer needs to understand what they’re protecting and how those assets interact with critical data.

“Not understanding what assets you have and what assets are touching your environment… That’s the place to start is determining that criticality.”

This approach directly counters the common GTM mistake of pitching holistic platforms to buyers who aren’t ready for them. A county IT administrator managing 12 servers and a three-person team doesn’t need an enterprise GRC suite — they need to know what assets they have, which are exposed, and what to do about the top three. Pushing the full platform to that buyer produces churn. Meeting them at asset management and walking them forward produces long-term retention and a natural expansion path.

The broader strategic principle here applies directly to customer journey mapping for pipeline: cross-sell sequences based on journey stage outperform product-led upsells based on feature availability.


How Does Thought Leadership Generate Pipeline Without a Large Sales Team?

For fragmented markets — government agencies, small businesses, nonprofits — cold outbound is structurally inefficient. Buyers don’t have procurement cycles designed for vendor outreach, trust is low, and budgets are small. Thomas’s solution is to use thought leadership and education as the primary demand generation engine.

CIS Security’s Controls framework and Benchmarks are freely available and widely adopted. State education departments mandate their use. MSPs build service offerings around them. This creates a distribution flywheel: the more the framework is adopted, the more natural it is for adopters to engage CIS’s paid products when they’re ready to operationalize.

“What we’ve been able to do is largely use the fact that we are a thought leader out in the cyber security market space to really be our path to educate and drive, you know, interactions with our target market, the people that we serve.”

The Thought Leadership as Pipeline Engine framework has five operational steps:

  1. Establish authority through freely available, defensible frameworks (CIS Controls, Benchmarks)
  2. Create low-friction educational tools — risk assessments, BIA calculators, guidance documents
  3. Partner with distribution channels (MSPs, resellers) who amplify controls adoption
  4. Track awareness lift through policy adoption signals (state mandates, partner certifications)
  5. Convert awareness to sales through content nurture — webinars, case studies, guidance sequences

The key differentiator here is that the thought leadership isn’t branded content disguised as education. It’s genuinely useful, publicly defensible material that buyers adopt independent of a sales relationship. That adoption creates the conditions for a sales conversation — rather than requiring one to initiate it.

This is the model for education-first go-to-market: earn the buyer’s trust through utility before you earn the right to pitch.


How Do You Sell to the “Cyber Underserved” — Government and SMB Buyers With No Security Staff?

The “cyber underserved” segment presents a specific GTM challenge: buyers who have real security risk but no dedicated security staff, minimal budget, and zero bandwidth to implement complex solutions. Thomas’s example is precise and instructive.

“You might have a librarian who’s also the security engineer for her county, right? And that’s a really challenging place for those individuals to be, particularly as you think about, you know, how do you deliver them an operational technology rather than a something that they’ve got to work on or work with, right? Because they don’t have the time, effort, and energy to take that.”

The product and messaging implication is clear: operational tools, not knowledge work. Solutions that require configuration, ongoing management, or security expertise are disqualifying for this segment. What converts is automation, simplicity, and pre-configured defaults. The sales motion must lead with ease-of-use and time-to-value, not feature depth.

The free BIA tool CIS offers exemplifies this approach. It requires no security expertise to use, generates a concrete output (a risk assessment), and creates a natural segue to a conversation about next steps.

“We’ve got a BIA tool out there that’ll help you do basic risk assessments and no cost to help somebody who might be a small business owner understand what would happen if and you got to spend time to go through the exercise first and foremost. But if you don’t understand the risk to you and your business, then you’re you know, you really don’t have a place to start.”

For compliance and security sales to SMB and government buyers, this translates to: remove all friction from the first value moment. Make the first engagement free, fast, and concrete. Use freemium tools for demand generation that produce an output the buyer can act on — then have the follow-up conversation about who helps them act on it.


Why Does Positioning as a Trusted Partner Outperform Vendor Positioning in Mission-Driven Markets?

For organizations operating in government, nonprofit, or highly regulated markets, the trust gap between “vendor” and “partner” directly affects close rates. Thomas frames CIS Security’s positioning advantage explicitly:

“We’re able to do is take a position of hey we’re here to fund the mission but our mission is to make you more secure and so we’re a trusted partner in doing that as compared to saying hey here’s widget number one.”

This isn’t a soft, brand-level distinction — it has hard GTM implications. In segmented sales approaches for government and public-sector buyers, procurement skepticism is high and vendor relationships are scrutinized. An organization that leads with mission alignment and publicly available frameworks (rather than proprietary tools behind a paywall) earns credibility before the sales process begins.

The nonprofit GTM strategy advantage: public financials, a mission statement that aligns with buyer outcomes, and free resources that compete on merit rather than marketing budget. Thomas notes CIS’s financials are publicly available — a transparency signal that builds trust in contexts where commercial vendors are often viewed as extractive.

The commercial translation of this principle for B2B SaaS companies: lead with a point of view on the buyer’s problem, not a product pitch. Make the first interaction about the buyer’s risk or business gap — not your feature set. That’s what cost-of-inaction messaging achieves when executed at the top of the funnel.


How Do You Avoid the “One Widget Solves Everything” Trap in Multi-Product GTM?

One of the most damaging GTM mistakes for multi-product companies is positioning a single product as the complete solution — then watching buyers churn when the gap becomes apparent. Thomas addresses this directly:

“It’s a point in time approach versus a holistic approach. And we’d advocate strongly for taking a holistic approach to your security posture as compared to saying, yeah, hey, there is one widget to solve it all because there truly isn’t oftentimes one widget to solve it all.”

The holistic security posture framing reorients messaging from “best-of-breed feature” to “next logical step in risk reduction.” For multi-product GTM alignment, this means the entire product narrative must be sequenced — not siloed. Each product should have explicit messaging about where it sits in the buyer’s journey and what comes before and after it.

This is where sales and marketing alignment across business units becomes operationally critical. If the GRC platform team is selling a “complete solution” while the managed security services team is selling “coverage for what your tools miss,” you create messaging conflict that confuses buyers and fragments pipeline. The shared customer journey model resolves this: every business unit talks to the buyer’s current stage, not its own product’s capabilities.


About Stephen Thomas

Stephen Thomas is SVP of Sales and Business Services at CIS Security, a $150M nonprofit cybersecurity organization serving 18,000+ state, local, tribal, and territorial entities through five interconnected business units. His perspective on GTM strategy carries direct operational weight: he leads go-to-market for one of the most complex multi-persona, multi-product sales environments in the cybersecurity sector, doing it with roughly 100 people in sales and marketing across the entire organization.

Thomas’s GTM challenge is one that many scaling B2B organizations encounter in a more concentrated form: how do you serve radically different buyer personas — from a single-person county IT office to a Fortune 500 compliance team — with shared infrastructure, limited headcount, and a mandate to grow across every segment? His frameworks for the Member Journey Model, ICP focus under resource constraint, and education-first demand generation emerged from executing against that problem at scale. CIS Security’s financials are publicly available as a nonprofit, making their $150M revenue figure and 18,000-member base verifiable benchmarks for the model’s performance.


Ready to Align Your GTM Strategy Across Multiple Buyer Personas?

If you’re running more than one product line, serving more than one buyer type, or managing sales and marketing with a team that’s undersized relative to your revenue targets, the frameworks in this episode are directly applicable. Stephen Thomas’s Member Journey Model, ICP focus under resource constraint, and thought leadership pipeline engine are not theoretical — they’re the operating system behind a $150M nonprofit scaling GTM across five business units and 18,000+ members. The gap between a fragmented multi-persona GTM and a sequenced, journey-based one is measurable in churn rate, cross-sell yield, and sales efficiency. If you’re ready to close that gap with a structured approach, the next step is a direct conversation about where your GTM motion has the most leverage.



Frequently Asked Questions

How do you align sales and marketing across multiple business units with one team?

Map each business unit to its natural buyer persona first — don’t apply a single message across all units. At CIS Security, Stephen Thomas segments the GTM motion by unit: state agencies go through the multi-state ISAC, enterprise buyers engage the GRC platform, and SMBs are reached through MSP partners. With ~100 people covering $150M in revenue across five units, the key is ruthless ICP prioritization per unit, standardized messaging per segment, and using a shared data layer to identify cross-sell only within logical journey steps — not equal resource distribution across every product.


How do you use buyer journey mapping to reduce churn and drive upsells?

Build a defined journey model that meets buyers at their current maturity — not where you want them to be. CIS Security’s Member Journey Model uses the CIS Controls framework as the roadmap: assess current posture, identify critical assets, determine budget and risk appetite, then prescribe the next logical step. This prevents pushing advanced solutions to underprepared buyers, which is a primary churn driver. Cross-sell is triggered only when a buyer has completed the prior stage — turning retention into a natural pipeline motion rather than a forced upsell play executed on the sales team’s timeline.


What is cost-of-inaction messaging and how do you implement it in B2B sales?

Cost-of-inaction messaging quantifies what a buyer loses by not acting — financially, operationally, and reputationally — before any product pitch. CIS Security implements this through a free Business Impact Analysis (BIA) tool that helps buyers model their exposure before a sales conversation begins. The sequence is: risk assessment first, solution second. As Thomas puts it directly: “If you don’t understand the risk to you and your business, then you really don’t have a place to start.” Lead every sales motion with the buyer’s exposure, use free tools to make the risk concrete, and position your solution as the investment that closes the gap.


How do you segment ICPs when serving both enterprise and SMB customers with the same team?

Define separate ICP profiles per business unit rather than trying to build a single composite ICP. CIS Security runs five business units with distinct natural buyers: enterprise GRC teams, SMBs via MSP channels, government agencies, and DevOps infrastructure buyers. For each unit, Thomas defines 2–3 primary buyer profiles with clear decision criteria, then standardizes messaging per profile. Resource allocation follows unit fit — not equal headcount distribution. The shared infrastructure (CRM, data lake) enables cross-sell identification without requiring each unit to build its own pipeline from scratch.


How does thought leadership generate pipeline without a large outbound sales team?

Thought leadership generates pipeline by earning buyer trust before a sales conversation exists. CIS Security’s freely available Controls framework and Benchmarks are adopted by state governments, school systems, and MSPs independently of any sales motion — creating awareness at scale that no outbound team could match. The conversion path runs through low-friction educational tools (risk assessments, BIA calculators, webinars) that produce concrete buyer outputs, then nurtures those engaged buyers toward paid products when they’re ready to operationalize. The key metric is adoption of free frameworks as a leading indicator of downstream commercial engagement.

