#029 Fortifying Your Revenue Fortress with Cameron Johnson

Safeguarding Business Profits Amid Shifting Cyber Threats and Economic Uncertainties

Guest & Host

Cameron Johnson & Steven Morell

Welcome to Speak Revenue, the podcast where we emphasize that revenue is not just a goal; it's a result. In this show, we shift our focus from the output to the inputs. We engage in conversations with sales leaders and entrepreneurs about their remarkable journeys. Our mission? To uncover the true root causes of success. In this episode of Speak Revenue, host Steven Morell and guest Cameron Johnson discuss the realm of revenue protection. They explore how businesses can bolster their profits in the face of changing cyber threats and economic uncertainties. Discover the crucial strategies for enhancing sales resilience, risk management, and adapting to the VUCA (Volatile, Uncertain, Complex, Ambiguous) world of revenue generation. Tune in to fortify your revenue fortress and ensure a thriving bottom line.

October 27th, 2023


Steven Morell: Welcome to our new episode of Speak Revenue. Remember, revenue is not a goal. It's a result! But a result of what? In this show, we turn our eyes from the input towards the output. We speak with revenue leaders and entrepreneurs about what works for them. And what didn't. So join me on my journey to uncover the root causes of success. Today in my studio, I have a dear friend, I might say, Cameron Johnson, welcome to the show.

Cameron Johnson: Hey Steven. Thank you for having me. Lovely to be back again and speaking with you. Amazing to see how everything's been going.

Steven Morell: Cameron, we know each other for quite some time, but for the audience real quick, who are you? What do you do? Who do you do it for, and what makes that whole thing so successful?

Cameron Johnson: Yeah. Cool. So my name's Cameron Johnson. I have a company called Revnu. And over the years I've been working as a sales consultant, a fractional, and having people come into work as really kind of elevating the sales role that I come from my background, sales and customer success account management into the US kind of terminology around revenue, chief revenue officer, revenue as a service, if you will. And you'll see from a kind of background like I specialize and I've worked in cybersecurity for most of my career. I've worked in FinTech with Stripe and African open banking company backed by SoftBank and the like, and worked with Funnel in MarTech and a few other companies. So it has really given me that experience and that depth and that kind of wide view of different industries to, to see what one industry is doing to one another industry is doing and seeing the maturity of those markets based around products or service based businesses in that. So that's myself and I 

Steven Morell: I like to get back to the security market and security situation later in my questions, because I think there is some development that we are seeing in the last couple of years that might be interesting. Right now we have, for those who cannot see this, we are seeing Cameron in the office of PentestPeople. It's white and green and you are consulting PentestPeople. Real quick, who is PentestPeople? What do they do and what do you do for them?

Cameron Johnson: PentestPeople does what it says on the tin, right? They do pentesting, ethical hacking, everything is very much service based around testing. I joined these guys when I first started my career and they built a company, sold it. And they've gone on a kind of similar journey, but I'd probably say 5x/10x of what their journey was before.

Steven Morell: For the non-security people here, Pentest have nothing to do with writing anything. They're not testing pens. They're doing penetration testing. So they find the loops, the holes, the leaks and in your data system, in your IT system and help you fix the open gates that most people have. Does that describe it? 

Cameron Johnson: The vulnerabilities, the ports. That's exactly it. If you think about it, you've got the bad actors and the unethical hackers, and you've got the ethical hackers. These guys have the ethical ones which is great. And on top of that, I think one, one thing that I was telling the industry and especially the companies I was working with many years ago when I was a lot more involved in cyber, was that testing is one thing, but you need to have a product and a portal or some sort of online digital service that takes all of that information in and then feeds it out to customers. Because companies, and then they still do pentesting, they put it onto a PDF and then they send it across to a customer and it's okay, there's all this data that's there just in word form. Actually, that should be going into a tool that can then be used. So these guys have actually created a portal that, all the scoping, all the testing, all the information and data is stored onto that portal. And then you can take those vulnerabilities and then ping them off through Jira and Slack and whether you like to then feed into your systems. So you're getting that holistic service with a professional service and a product to, back it 

Steven Morell: Because security is not a status, security is a process that you continuously improve. 

Cameron Johnson: And it'll never stop. 

Steven Morell: Or it's like sales and your revenue process that you continuously improve. Great segue. What are you doing for them?

Cameron Johnson: So at the moment I'm helping them with, they're currently really good. And they've got a couple of thousand customers in their kind of SMB market. From my career I've branched out into the enterprise markets, banking, financial services. So helping them bring on customers like that. But then also looking at that type of function of how do they move 'em upstream from the SMB customers to enterprise and what does that look like from a structural perspective as well. So 

Steven Morell: How do you sell penetration testing? Bazillion questions come up. It requires certain trust. Why would I, anyone? Come on. I gotta pay you so you can hack me and then tell me how you did it. That's, wow. That's a hard sell. Walk me through the whole process. First of all, how long has this company been around? How many people?

Cameron Johnson: So the company's been around about seven years, I believe. Six, seven years. And we're moving on to about a hundred people. So 

Steven Morell: That's not small anymore. You've been around for seven years. Where do you go out and find people? Do you have an inbound motion? Do you pull, push, outbound? Step me through this.

Cameron Johnson: There's a whole mixture that they have here, but if you look at the cybersecurity market, especially from a professional service perspective, it's always been very outbound driven. Which has been great. When I go into other industries like Stripe and Funnel where they're like, okay, we are very inbound focused. Tell me how to go outbound. And they're still really heavy here. So they've got quite a big sales team that's very much outbound driven. They work with third parties who help bring leads in. But there's also, there's always that hunter mentality to go out and bring new business in. They do have a marketing function that does a lot of great work. So we are doing some podcasts, so there'll be some podcasts we're calling a chat with a CISO that I'm running where I'm talking to CISOs across UK, Europe, and hopefully go into the US soon around, like where they're going, what they're doing. A lot of the events they attend, so InfoSec, ice, all those types of industry based events is where they go to get the leads in. 

Steven Morell: I think we, for our listener, we have to explain CSO. A lot of people might actually think chief sales officer, but you're talking chief security officer.

Cameron Johnson: Yeah, that's it. A few years ago, GDPR and other kinds of regulations and a lot of testing and cyber sales, a lot of that was done through governance or regulation driven requirements. A few years ago there was a rule that, okay, you need to have someone who is looking after security on the board have a seat at the board. So in the C-suite, god, maybe five, six years ago when I was doing this, that title didn't really exist. It was IT director, then it became information security manager, and then from there to a C-suite. So yeah, it's Chief Information Security Officer. Some companies, especially us, call it CSO, which is Chief Security Officer, which kind of combines like the physical and digital security of the business.

Steven Morell: Describe your ICP a little bit to me. At what size companies start to build out the chief information security officer or chief security officer. And those structures. What type of maturity level, company size, age. Step me through this.

Cameron Johnson: It's a very interesting question because actually there's a. As we know from the fractional boom, there's a lot of companies that are hiring fractional leaders no matter what they are. And actually the CISO is something that's come really popular over the years. Because a lot of startups are having to go and do SOC 1, SOC 2, ISO 27001 accreditations, and they're actually bringing in virtual CISOs. They may be there for one or two days a week. But when you look at other companies, a lot of the people on the ICP that the guys here are focusing on is very much the IT manager, IT security manager, sometimes the application security manager, someone who is more of an operational level or kind of entry level junior level manager within this function. But actually a lot of my focus is on the C-suite because a lot of my relationships are from CISOs. And actually that's when you are looking at more mid-market and larger enterprise companies that have these leaders within the business that they focus on a growth strategy for that business or a maturity strategy. Because there's a security maturity curve which is a bit of a graph that goes from very immature to, 1, 2, 3, 4, 5. And there's different things you've gotta do on the way. A lot of these CISOs go in with an 18 month to three to five year plan. And then testing is one part of that. But they deal with all of the cybersecurity tools 

Steven Morell: Real quick you're based in the UK, a lot of our listeners are based in the US. I'm currently based in Germany. We all have slightly different definitions of what SMB, mid-market enterprise is. Give us your definition real quick.

Cameron Johnson: Yeah. So mid-market.

Steven Morell: How do you define that?

Cameron Johnson: We still use the old school traditional methods of people based, so I would say a thousand, couple of thousand is like the mid-market space, maybe 500 to a couple of thousand. And then a couple of thousand plus is when you go into enterprise and then you have the multinationals that's kind of enterprise plus, if you will. So I would say mid-market upwards is where that role comes into play, where you actually are in charge of a function. A lot of my contacts are very much on the enterprise level where they are part of businesses that are, several thousand or some of the banks that are, 10, 10 times that.

Steven Morell: How chief security officer of a thousand people company and I think geography is US Europe, serving both 

Cameron Johnson: Yeah. US Europe there, there's opportunities in the Middle East as well, quite a bit at the moment. We don't really focus on it, I don't really focus on anything outside of that part.

Steven Morell: I heard accounts based before when you were listing all the things that you do. How do you approach a Chief security officer of a thousand FTE Enterprise Company?

Cameron Johnson: SMB level, they're not really at the top end of mid-market to enterprise. Their focus is not really on CISOs, it's more on the management. So their approach is getting on the phone, calling through, dropping emails, sending LinkedIn messages, doing marketing campaigns, doing events sponsoring different events. Just getting the name and the brand out there is very much outbound driven from my side of things. And as you move from our enterprise. I think it's a very much, it's a lot more network orientated, so utilizing the relationships you have and then doing great jobs and building case studies and then using that to then get into other groups or building communities of people, building something that is giving value back to the audience rather than just the SMB market is so high volume, so tactical take a lot of time, whereas more enterprise customers require a little bit more support. There's more complexity there. The conversation and the relationships are ones that last many years. Whereas the smaller businesses, they can churn, quite heavily because you don't have to do a pentest every year, with the same company. And there's the value of kind of mixing it up with different companies each year. So actually within that market it's difficult. But when you're on the enterprise companies where you've spent a lot of time going through the procurement process and you've used relationships to get you into these three to five year engagements, there's gonna be a handful of you that are in there that are being rotated around so that passing it on from one to another is there. But actually the enterprise motion is very, is still quite heavily traditional in that sense of network and relationship based. I think you're seeing a lot of companies and what I'm here as well is build communities 

Steven Morell: Suppose I'm opening a pentest company tomorrow. You and I. I do the hacking, you do the sales work. Or maybe vice versa. I don't know. But let's say we set out tomorrow. I wanna be super hands-on here. How do I get to have that conversation with the right decision maker? How do I even get them on the phone or in a, into a meeting? What is, what drives them? And I like to think of going to market motions or marketing, if you will, or lead generation. There are essentially just four ways of telling people what I have to offer. You can divide all people on the globe into people who know me and people who don't know me. There are no other people. And I can talk to people one-on-one like we do now, or I can talk to them one to many. That's when I post something on LinkedIn. And I like to separate everything that people do into those four types.

Cameron Johnson: Yep.

Steven Morell: So if I talked one to many to people that I don't know that I'm doing paid ads, billboards on the street, TV commercials, that's one-to-many with people I totally don't know and who don't know me. By the way, it just matters that they know you, you don't need to know them. As you grow and penetrate the market better, there are more people that know you. Then you can do cold calling, cold emailing. That's one-on-one with people who don't know me. Answer wouldn't be called.

Cameron Johnson: Yeah. Yeah.

Steven Morell: Then you mentioned that you can post on LinkedIn and social media. That's one-to-many. For people who know you else, they wouldn't see it. And then you can have this one-to-one conversation with somebody who knows you as a result of your content marketing, of you sponsoring a conference for whatever reasons. However, they got to know you, they know you. They come to a meeting, and this is where B2B deals are being closed.

Cameron Johnson: Mm-Hmm. 

Steven Morell: So we B2B people, we want this. We don't want the other three. But they don't fall from that. When you start out, you may have some people who know you that you can, this is founder sales. This is where founder sales starts, you need to supply this quadrant consistently with people who know you. So you need to grow those relationships.

Cameron Johnson: There's area between the two as well. Sorry to jump over you. Like you've got the cold, you got the warm, but when I was working with funnel.io, there was a big kind of movement there to try and go from very much inbound orientated, 95% of all deals were based around that to a more of an outbound motion. And it's actually taking that, that smaller step or that step into the gray, which is the warm, right? So it's actually there's hot, there's cold, and there's warm in the middle, which is like utilizing the warm relationships that you have or the relationships you're talking about, which is from the B2B kind of content perspective, that, people are on that journey and they're starting to get nurtured and, maybe you're doing some account based marketing to them as well. They are in a position where they're not super cold. They've never heard of you, they know you or they know someone knows you or someone can reference you to them, or there's some sort of connection there. It's just not as hot as, Hey, I've worked with you for the last 10 years. Do you wanna work together again?

Steven Morell: But if they know you, then, you can influence what they know you for. And there are ways to do this. Your website, your LinkedIn profile and so forth. What are the activities that the PentestPeople do to increase the amount of people who know them?

Cameron Johnson: I think they've, they're very event driven, so they'll be going to a lot of the events that are out there and then using that as a tool to, one, get the brand out there, but also try and meet new people that don't know them. People that do know them at the moment, it's about keeping those relationships and, when one person moves from one place to another, to continue that journey and continue working with those people.

Steven Morell: Okay. 

Cameron Johnson: That, I'm not really covering what you wanted, what you were asking there, but…

Steven Morell: I'm getting my answers, yeah. Once they know you, once you have that conversation, how do they become customers? Do you, do we have a qualification? Do we have an SDR qualification step and then

Cameron Johnson: No. So if you think about the models I like to really build pods and I like to have the assembly flow, right? Where you have, if you either have a pod in different regions doing different things, or you have the assembly flow, you have the SDRs into sales within PentestPeople as a business, and this is not all companies, I've worked with company before that had the I built in the assembly line because. What they had at the time was just a handful of salespeople who were going out, and it's actually similar here. They have a bunch of salespeople who go out and they do the qualification. Yes, they have lead generation partners. Yes, they have marketing efforts. Yes, they do some content creation, podcasts, et cetera, to try and feed those leads in. And they work with data providers to get the information for the team to go out. But it is very much, they have a couple of guys who are SDR kind of entry level, but that is the pathway into the next role. And that function as itself isn't a set function. Which is something that I, that is a suggestion that could help the business to get to that next stage of going from the traditional model having a bunch of sales guys going out and doing referrals, warm, hot meet, cold engagements. There's also a big channel partner that covers maybe 25, 30% of the revenue within the business here. They have a channel team that then go out and then manage relationships with a lot of different IT resellers, value added resellers. Don't go to the Disney level 'cause the margins are too low, but that's the way that they are going to market to, to get those details that they're, what they're doing here is they're using external support and marketing with a little bit of SDRs to then build in that. But then every sales person or BDM within the business here has to find a way to source their leads. They'll get one, one or two. And I think it's quite fair to say that that is typical of the cybersecurity industry as a whole. 
Unless you are a vendor and you are, there's a few out there that have done some really great stuff. CrowdStrike quite recently owned InfoSec, paying about a million plus to have the full branding there. There's a company called FireEye a few years ago. They had massive marketing. Their inbound was insane. Their vendors, right. There's a lot of companies that have written, I think Arctic Wolf they're doing quite well as well from that perspective. Like it's just channel only, but they're pumping out a bunch of market and being at a lot of events, getting the brand out there which is very much inbound led, which means that obviously you need a really strong SDR team to be able to transfer those leads through a qualification process into an SQL that then goes through SQO. I think a lot of the professional service companies don't really have that set up. It's still quite traditional model until you get to a certain size, and I feel like the company here is getting to the size that putting in the enterprise function and putting in an SDR function to then build out that assembly line, makes it a lot more efficient and smoother for the customers to go through the journey rather than having the traditional sales approach.

Steven Morell: Let's talk a little bit about the market. I think the security we've, in recent years, I feel like we've gone through difficult times. There was covid when everybody moved out from the corporate office to work from home. That's a security challenge because suddenly, you're not on corporate wifi anymore. Everybody is at home. Maybe their private devices, their kids play on the same laptop that they used to log into their IT company. So there is this challenge. Now we are faced directly like that wasn't really over when we were faced with the first large scale land war in Europe. Europe is definitely also an info war and cyber war has that part to it. What is your take on the security market as a whole? How is the threat and the situation different for a mid-size company that has totally different things on their agenda right now? How can they still ignore this topic compared to five years ago or 10 years ago?

Cameron Johnson: Yeah. It's quite an interesting question 'cause I've been myself out of cybersecurity for a couple of years. As a consultant, I've been focusing on FinTech, MarTech, and other industries, like most of my life has been in cyber. So I wanna get out and explore. When I started my business just before Covid started, I was actually working with a lot of the banks where they were like, alright, okay, how are we going to do this? And it was an absolute nightmare because they'd have thousands of people in campuses or offices, office blocks in London trying to figure out how they secure the home because that's just another attack vector. I think a lot of companies managed to get through that. But at that period of time, say about four or five years ago. The media was so rife and so heavy on making the general public aware of what is happening when data breaches are coming out. And there was a, it was a massive thing. So many companies like this company got breached, this company got breached, this company got breached, and it had become a bit of a norm. So I think over time what it's done is, it's helped us normalize it. I think at that time it was very much okay, we've gotta get everything in place. I really need to secure, lock down everything. Chatting to the security leaders in the world through the podcast that I run I'm finding that actually a lot of that, not ambulance chasing, throwing money at things is actually reduced. And it's more around risk management and it's okay, some of the conversations I'm having with people, they're actually saying. Our CISO function may actually contract again most, everything's very cyclical. Our role may even actually contract back into a risk officer's role because cyber and security and infrastructure or network security will move into it in its right places and, from before, whether it was like investing. We don't wanna be on the news. 
And if we're on the news, what we're gonna do, then you invest in a PR company that helps you figure out how not to do what TalkTalk did and got into the point now where it seems like the market, because we're gonna downturn, money's tight. A lot of companies are doing what they need to do. And actually a lot of businesses want to do more from a cybersecurity perspective and data privacy perspective and make sure they can look after people's data. But actually the business and the ball are now having that more of a conversation around what is the risk? What is the appetite for our business on what are the risk levels? And it's down to those security leaders within the business to say I'm comfortable with being a part of your business because I will also accept the risk of what you are saying is acceptable. Whereas in my heart, I'm really wanting to do more, but I understand the business side of that. 

Steven Morell: But would you say an economic downturn means open season for hackers to go after companies that slash down security budgets?

Cameron Johnson: So one, I've seen things go through different bits when we had the economy, when we had the housing kind of crash, stuff like that. Hackers and the like will always find an opportunity wherever there is one. So when companies are investing less, of course they're gonna be pushing on that. If you look at the market, there's more money to be made in doing the bad than there is actually doing the good. So in a market where that is the driver and the motivator of the industry driving the buying kind of decisions, when people are spending less, it's obviously gonna give more opportunity to that, the bad side of the economy, of the economy to be making money, right? Maybe it's a bit of a balance in that as we go through the different cycles where we're in high growth. A lot of companies are spending a lot of money on security, making it so much harder. When we are in a downturn, people are spending a lot less money on security and then in that sense, hackers are then making more from ransoms and the like. And maybe that will then become again into the news a lot more often, a lot more data breaches that are happening, which will then in turn drive more investment later down the line. It seems to be a bit of a back and forth game.

Steven Morell: Looking back the last couple of years. Let me ask you a final question. If I would have a time machine and a postcard to the five years younger Cameron with a warning, what to do and what not to do, what would you write on that postcard?

Cameron Johnson: I feel I had the warning, but I didn't listen to it. In my MBA that I finished just the year before the pandemic. A lot of what we were learning was around the VUCA environment. So that's the volatile uncertain environment. So it's actually my letter on my postcard that would push yourself outside of your comfort zone as much as possible in different ways. To become a more rounded individual who's more comfortable with experimenting, because then actually instead of doing the same thing over and over again, which I see a lot of people doing, a lot of companies doing, still trying to do the same playbooks from 10, 20 years ago. And we're in this environment now where it's completely different. I would put that on there or push yourself. 'Cause I think it starts with that, right? To be able to be valuable in a VUCA environment, you need to be flexible. You need to think outside the box. You need to push yourself every day by doing new things and different things. I would've probably doubled down and say, what they said about that. Practice it, actually practice it. Which I think I've been lucky enough to do through the consulting, but to myself and all the other peers and everyone that I've worked with. I think then I would've been like, practice it and spread the word because if you can do it and someone else can do it, we're all gonna benefit as a global economy versus this, the localized or personal based, 

Steven Morell: Yeah. Makes total sense. Makes total sense. Practice being outside the box. Cameron, thank you for coming here. All right, everyone. That brings us to the end of this episode of Speak Revenue. I want to thank our guest, Cameron Johnson, for joining me today and sharing his insights. Huge shout out to all our listeners. Your support means the world to us. Please remember to check out our website, speakrevenue.com, for a full transcript and additional resources. And if you enjoyed the show, please, with a lot of sugar on top of it, go to Apple Podcast, Google Podcast, Spotify, or wherever you go for your listening needs, and leave us a great review with five stars and all the bells and whistles, and please follow us on YouTube, on LinkedIn, on Instagram, and wherever you can find us. We'll be back soon with another great guest. Till then, stay curious, keep listening, stay safe, and I'll talk to you soon. Thanks.

Copyrighted © 2022-23 Jaxx Technologies, Inc.