John Finizio · Security and Risk Leader, Whistic · SaaS

How to Sell SaaS to Enterprise When 76% of CISOs Ignore You

Learn how to sell SaaS to enterprise security buyers who distrust vendor marketing. Practitioner-led sales, compliance readiness, and trust-building tactics that work.


Three-quarters of the security professionals you’re targeting don’t trust a word your marketing team publishes. That’s not a copywriting problem. That’s a structural trust deficit that cold outreach, polished decks, and feature-heavy demo flows will not fix.

John Finizio, Security and Risk Leader at Whistic, spent five to seven years as a hands-on third-party risk practitioner at JPMorgan before crossing to the vendor side. He currently sits on the steering committee for shared assessments at the Cloud Security Alliance. When he says technical buyers are tuning out vendor marketing, he’s speaking as someone who was the buyer—and ignored it himself.

The playbook he’s built at Whistic inverts the traditional enterprise sales model: instead of leading with product, lead with practitioner credibility, proactive compliance artifacts, and embedded professional services that eliminate post-sale friction before it starts. What follows is the tactical breakdown.


Key Takeaways


Deep Dive: Why Traditional SaaS Sales Tactics Fail With Security Buyers

The 76% Trust Problem Is Structural, Not Tactical

Security buyers are not a niche with a messaging problem. They are a category that has trained itself to route around vendor marketing entirely. The data John Finizio surfaced is blunt: 76% of security professionals do not trust the marketing content vendors produce. They have better alternatives.

“I have better sources that I’m going to rely on and trust more than a company website or like an AE that reaches out to me cold kind of a thing. So, I think there’s just like the pendulum is kind of swinging. It’s just like stop. It’s just noise.”

What are those better sources? Peer networks. Industry steering committees. Practitioners who’ve held the same job title and can validate or debunk a vendor’s claims in ten minutes of conversation. The Cloud Security Alliance, ISACA chapters, shared assessment programs—these are where CISOs and TPRM leaders actually form opinions about vendors.

This has a direct implication for how you build your go-to-market motion when selling SaaS into enterprise security: the channel is community, not content marketing or cold outbound. If your SDRs are hitting security leaders with generic sequences, they are generating active distrust, not pipeline.

Practitioner-Led Sales Enablement: The Framework That Actually Works

Whistic’s solution to the trust deficit is not a better persona doc or a more empathetic email sequence. It’s deploying practitioners—people with five-plus years of hands-on experience in the buyer’s actual role—directly into the sales cycle.

This is the Practitioner-Led Sales Enablement framework, and it works in four stages:

  1. Identify practitioners inside your organization with genuine operational depth in the buyer’s domain—third-party risk, compliance operations, security program design
  2. Train them as empathetic peers, not product evangelists. The goal is to “talk shop,” not deliver a deeper demo
  3. Deploy them alongside AEs in prospect conversations, deal reviews, and customer calls—specifically at the moments where technical skepticism is highest
  4. Measure deal velocity and win rates on deals where practitioners participated versus deals handled by AEs alone

The mechanism here is empathy, not expertise. Technical buyers can read a features matrix. What they cannot fake is the feeling that a vendor actually understands what their Tuesday looks like.

“What I preach kind of within our, you know, within Whistic is leverage us, leverage other folks within the company to support that conversation, that sales cycle, right? So our buyers, our prospects get a real feel and a sense that like, hey, we’re not just experts on our product, we actually understand, we get the—we feel your pain kind of a thing.”

Finizio came to Whistic directly from doing TPRM work at JPMorgan for the better part of a decade. That practitioner credibility is not a nice-to-have in multi-stakeholder security buying decisions—it’s the variable that determines whether a technical buyer engages at all.

Why Security Teams Become Sales Bottlenecks (And How to Fix It)

One of the least-discussed dynamics in enterprise B2B sales is that security and risk teams often forget they serve revenue. When a vendor is stuck in a six-month due diligence cycle, it’s frequently because the internal security team treats vendor evaluation as a risk-containment exercise divorced from business outcomes.

Finizio spent years inside that dynamic at JPMorgan and names it directly:

“You learn some of the pitfalls of operating in a large organization… you kind of forget… yeah, you’re in IT or risk or security, it’s like, wait a second, there’s people out there selling something. Like, I don’t make any money for the company; I support a frontline business that’s selling something.”

The vendor that wins in this environment is the one that helps security teams see themselves as revenue enablers, not gatekeepers. This reframe has tactical implications for your sales motion:

This is especially critical in vendor due diligence automation conversations, where the buyer’s internal resistance is often “we’ll lose control of the process” rather than “this doesn’t work.”

Compliance-First Pre-Sales Readiness: Eliminating Due Diligence Friction

The second major framework Finizio outlines addresses the compliance bottleneck from the vendor side. Most SaaS companies treat compliance certifications as reactive obligations—something you complete when a prospect’s legal team demands it during late-stage negotiations.

That’s the wrong posture. Proactive CMMC compliance readiness, SOC 2 attestation, and ISO documentation published in a publicly accessible trust center before any customer asks for them accomplish three things simultaneously:

  1. Eliminates a major friction point in multi-stakeholder security buying decisions
  2. Signals organizational maturity to technical buyers who are trained to spot vendors who scramble for compliance artifacts
  3. Creates a competitive differentiator in markets where most vendors still treat compliance as a checkbox

“You don’t want to wait around until someone asks you for it. You better get going on that, right? Solutions to essentially self-assess and kind of demonstrate proactively how you already comply… share that proactively with your customers or in some cases publicly in like a trust center.”

The Compliance-First Pre-Sales Readiness framework runs in four steps:

  1. Audit your product and company against the compliance frameworks your target market actually uses (CMMC for defense contractors, SOC 2 Type II for enterprise SaaS, ISO 27001 for international buyers)
  2. Complete and document self-assessments for each applicable standard
  3. Publish completed attestations and supporting documentation in a vendor trust center—publicly accessible, not gated
  4. Make proactive compliance readiness a selling point in discovery and proposal conversations, not an afterthought in legal review

A vendor trust center is not a marketing asset. It is a sales acceleration tool that removes an entire category of back-and-forth from your deal cycle.

Embedded Professional Services: Solving the Post-Sale Drop-Off

Enterprise security software has a specific failure mode: the customer buys the product but not the program. They have software. They don’t have a functioning third-party risk management program, a set of baseline requirements, or the internal expertise to configure the tool against their actual control framework. Six months after close, they’re churning—or worse, not using the platform at all.

The instinct is to build a formal professional services function. The reality for most $2-5M ARR companies is that a separate PS P&L creates organizational complexity faster than it creates revenue.

Finizio’s solution is the Embedded Professional Services in Customer Success model:

“The struggle is it’s not considered revenue, but if you have professional services that is not like a massive outlay of resources, there’s creative ways to kind of supplement. In some cases, you can kind of fold that into like your customer success and implementation.”

The execution playbook:

The framing matters: this is not “free consulting.” It is customer success professional services embedded into the implementation motion—funded by the CAC you’ve already spent to close the deal, not a new cost center.

“You could be setting your customer up to fail. If you just kind of hand them over, you know, hand the software over to them… they don’t have the right requirements. They may need just a little nudge to kind of design and build that foundation.”

Continuous Monitoring Is Replacing Point-in-Time Assessment

The final structural shift Finizio identifies is the transition from point-in-time vendor security assessments to continuous compliance monitoring. This is a product positioning and sales conversation point, not just a feature roadmap item.

Annual audits and bi-annual security questionnaires are artifacts of a compliance world that assumed change happened slowly. In a threat environment where a vendor’s security posture can shift materially between your Q1 and Q3 assessment cycles, static snapshots create false confidence.

“We’re continuing to move even further left and take a look at maybe more proactive actions that could be taken based on things that change like reacting to what we’re learning about the compliance space in general. Not less of a point in time… starting to move towards more continuous monitoring.”

AI-driven compliance and control mapping automation are what make continuous monitoring operationally viable at scale. The sales implication is clear: if you’re selling a security assessment tool that produces static reports, you are selling against a headwind. If you’re selling continuous visibility, you’re selling with it.

For TPRM teams and compliance operations leaders evaluating vendors in this space, the question to pressure-test is: what happens to your compliance posture data between assessment cycles? The answer to that question determines whether a vendor is solving today’s problem or next year’s audit.


About John Finizio

John Finizio is a Security and Risk Leader at Whistic, an enterprise software platform purpose-built for vendor security assessment and third-party risk management. He spent five to seven years as a hands-on TPRM practitioner at JPMorgan before transitioning to the vendor side—giving him direct experience in both the buying and selling motion for enterprise security software. Finizio currently serves on the steering committee for shared assessments at the Cloud Security Alliance, one of the primary industry bodies shaping how vendor risk quantification and compliance frameworks evolve.


Ready to Build an Enterprise Sales Motion That Actually Reaches Technical Buyers?

The tactics John Finizio outlined—practitioner-led sales, proactive compliance readiness, embedded professional services, continuous monitoring positioning—aren’t theoretical. They’re the specific levers that move deals forward when your buyers have trained themselves to ignore traditional vendor marketing. If you’re running a B2B SaaS or services business targeting enterprise security buyers and your pipeline is stalling at the trust and due diligence stage, RPG builds the GTM systems that fix the structural problem, not just the messaging.



Frequently Asked Questions

Why do security professionals distrust vendor marketing and what should vendors do instead?

76% of security professionals don’t trust vendor marketing because they have higher-quality peer networks and industry groups they rely on instead. Vendors should deploy practitioners with hands-on buyer-role experience to build credibility in sales conversations—peer-level empathy beats polished messaging every time.

How do you navigate multi-stakeholder security buying decisions in enterprise sales?

Bring practitioners into deal cycles alongside AEs. Technical buyers need to know you understand their daily workflows, not just your product specs. Proactive compliance readiness—publishing certifications in a trust center before anyone asks—removes a major friction point across every stakeholder involved in vendor due diligence.

What is the difference between point-in-time and continuous compliance monitoring?

Point-in-time assessments capture compliance status at a single moment—typically annual audits—and go stale immediately. Continuous monitoring uses AI to track compliance signals in real time, alerting buyers when a vendor’s posture changes. This replaces manual review cycles and keeps compliance artifacts perpetually current.

What is a vendor trust center and why does it matter for sales cycles?

A vendor trust center is a publicly accessible repository of your completed compliance certifications, security attestations, and audit documentation. It removes the back-and-forth in late-stage due diligence by giving security teams and procurement the artifacts they need without a formal request—shortening deal cycles materially.

Should SaaS security vendors offer professional services or focus only on product?

The practical answer is both, structured correctly. Embedding lightweight professional services—program design, requirements gathering, initial configuration—into your customer success function delivers implementation value without creating a separate P&L. This prevents post-sale drop-off, accelerates time-to-value, and reduces churn driven by customers who bought software without a functional program to run it.

