top of page

We Don’t Sell Technology: Rethinking Cybersecurity Value Selling with David Koppe

Featuring David Koppe, Head of Value Management at Sysdig


From Episode 9 of "In the Spotlight" by Spotlight.ai


In enterprise software—particularly in cybersecurity—value selling is often discussed but rarely executed well. With buying committees expanding and economic scrutiny intensifying, teams must go far beyond feature comparisons. The challenge is especially complex in security, where the value being sold isn’t always tangible and the decision-makers aren’t always in the room.


In Episode 9 of In the Spotlight, David Koppe, Head of Value at Sysdig and a 30-year enterprise technology veteran, shares what it takes to lead effective value conversations that resonate from technical stakeholders to the boardroom. Drawing on his experience at companies like GE, BMC, Bladelogic, and MongoDB, David outlines a practical framework for quantifying risk, aligning with strategy, and empowering champions to win internal approval.


The First Principle: We Don’t Sell Technology

Koppe opens with a statement that reframes the entire sales process: “We don’t sell technology. We sell the financial outcomes technology enables.”


In cybersecurity, it’s easy to lead with features, architectures, and detection capabilities. But ultimately, budget holders don’t buy dashboards—they invest in risk reduction, operational leverage, and strategic alignment. The value conversation must be focused on outcomes from the beginning—not layered in at the end.


Understanding the Three-Persona Value Map

Effective value selling must address three key audiences, each with distinct priorities:


  1. Practitioners – The technical teams who manage day-to-day alerts, vulnerabilities, and tools. Their concerns are about functionality and workflow efficiency.


  2. Executives – The CISOs or CIOs who sponsor initiatives and drive security architecture decisions. They focus on scalability, resource allocation, and risk posture.


  3. Financial Stakeholders – Typically the CFO or board, who are responsible for capital planning and return on investment. They require a business case rooted in measurable outcomes.


Most sales processes focus too narrowly on the first audience. According to Koppe, that’s a mistake: “There are going to be a lot of meetings we’re not in. And those are the meetings that ultimately decide the deal.”


The Complexity of Quantifying Cyber Risk

Unlike typical software categories, cybersecurity value is not always about cost reduction. In fact, many CISOs are willing to increase their budget—often without a classic ROI—if it means reducing risk exposure or increasing confidence in their security posture.


Still, value conversations must be grounded in business metrics. Koppe suggests framing the value analysis as a comparison between two potential futures: one where the organization continues with the status quo, and one where they adopt the proposed solution. He emphasizes using industry benchmarks, such as IBM’s breach cost data, but cautions against relying on them alone.


Key metrics that resonate across stakeholders include:


  • Mean time to resolve


  • Noise reduction and alert triage effectiveness


  • Breadth and depth of MITRE coverage


  • Vulnerability backlog and burn-down rate


The goal isn’t to eliminate risk entirely—that’s impossible—but to demonstrate credible, incremental improvement over time.


Lessons from Log4j: Why Static Value Narratives Fail

Koppe cites the 2021 Log4j vulnerability as a turning point for many security teams. “The day before Log4j, most vulnerability programs looked fine on paper. The next day, they were overwhelmed.”


This volatility highlights why point-in-time ROI models fall short. Value frameworks must account for the reality that threat landscapes change rapidly. The focus should shift from absolute control to agility and readiness: how quickly and effectively can your team respond when things go wrong?


The Role of AI in Value Realization

AI’s role in cybersecurity extends beyond detection and analysis—it reshapes how teams allocate time and talent. Koppe describes AI as a “force multiplier,” enabling small teams to act with the scale of much larger organizations.


By resolving more issues at Level 1 and reducing the need for manual escalations, AI-driven platforms can improve both productivity and incident response quality. These are tangible gains that resonate with CFOs and operational leaders alike.


Enabling Champions to Deliver the Business Case

A recurring theme in Koppe’s methodology is the idea that the best sellers don’t just deliver a pitch—they equip internal champions with the assets and language to succeed in rooms the sales team may never enter.


This requires a shift from vendor-centric thinking to customer-centric storytelling. The business case should reflect the buyer’s architecture roadmap, investment priorities, and executive goals—not simply the vendor’s product positioning.


Strategic Alignment is the Ultimate Value

At the enterprise level, buyers don’t just want tools—they want partners that help them navigate major transitions. Whether it’s migrating to cloud-native architecture, consolidating tooling, or preparing for IPO readiness, the solutions that win are the ones that support broader business transformation.


As Koppe summarizes: “The value story isn’t about what you do—it’s about what the customer becomes because of it.”





Comentarios

bottom of page