The Writing King Your Ethical Ghostwriter. Your Story, Done Right.
This entry is part 8 of 16 in the series Conversations With Influencers

Sixto Bernal on Why Security Is Sales and How to Break Into the Field

Featuring Sixto Bernal on Conversations With Influencers

TL;DR: What This Conversation Establishes

  • Sixto Bernal is a cybersecurity and privacy leader with over 23 years in IT and nearly two decades in compliance, audit, and security.
  • His core idea, learned from a CIO whose mantra was “everybody’s in sales”: security should actively facilitate the sales cycle, not resist it.
  • That reframing changes how you write security material, from jargon aimed at peers to documents that help salespeople win customer trust.
  • For job seekers, pairing security depth with business awareness is a genuine differentiator that gets you past the resume stack.
  • Being integrated into the business, not siloed behind the firewall, makes a security professional a partner rather than a cost center.

What You’ll Learn

  • Why security should facilitate the sales cycle instead of resisting it
  • How to rewrite security documents for a business audience
  • Why business awareness is a hiring advantage for security professionals
  • How to network into decision-makers rather than resumes into a queue
  • Why an integrated security role is a more secure career

Sixto Bernal spent over two decades in IT operations before pivoting to compliance and security, where he absorbed a lesson that reshaped his career: security is part of sales. Rather than resenting being pulled into deals at the last minute, he learned to build security programs that actively help the business win.

In this conversation he and Richard Lowe, who spent his own years in enterprise security, work through what that reframing means for how you write, how you network, and how you build a security career that makes you a partner rather than an overhead line.

Sixto Bernal is a cybersecurity and privacy leader with over 23 years in IT operations at major Silicon Valley companies, followed by nearly two decades in compliance, audit, and security.

He holds nearly every major security and privacy certification and crafts security programs that integrate directly with business objectives, having learned the “security equals sales” mindset as a CIO’s report.

Host: Richard Lowe
Guest: Sixto Bernal
Show: Conversations With Influencers
Format: Video + Audio
Time: ~15 min watch / ~10 min read

DISCUSS YOUR BOOK

The Conversation

Full transcript of the conversation follows.

Security Gets Dragged Into Sales

Sixto Bernal: It’s an obvious thing when you think about it, but it isn’t common that security people focus on sales. We get dragged into the sales cycle late. The salesperson has already made a lot of contacts, had a lot of meetings with the potential client. Then they bring us in at the last minute because infosec or privacy at the customer site has questions, or they send over a vendor questionnaire with a security section we need to fill out. Getting dragged into a process that’s not what you do every day disrupts your schedule. Security people get annoyed with sales because their normal workflow is disrupted. Now they have to deal with a questionnaire or, God forbid, get on the phone with a customer. It’s not a healthy relationship when everybody in the company should be focused on winning more sales and advancing the company. I learned this when I first joined SuccessFactors around 2008. I worked for CIO Randy Womack, and his mantra was: everybody’s in sales. Everything you do must contribute to the bottom line. It took me a while to come to terms with that thinking. In my previous career in IT and operations, I spent over 20 years avoiding sales at all costs. And here I was confronted with this new thing and needed to adapt. Since then, I’ve fully integrated it. It permeates everything I build in the security or privacy realm.

Rewriting the Security White Paper

Sixto: Take a security white paper. We’re not just writing it for other security professionals anymore. We’re placing that white paper in the hands of salespeople, giving it to them as a tool to interest a potential customer. The tone changes. How we communicate changes when you integrate this other audience. Security and privacy people get used to talking to each other. We have jargon, nomenclature, conferences where we talk to each other. We forget we’re part of a larger organization. I like to think of my security department as a business within the larger business. But it has to be in alignment with what the business side is trying to achieve.

Richard Lowe: Security people are going to be resistant to this because they’re not salespeople. When I was in security, I would have been completely resistant. How do you convince somebody who wants to be an IT person, not a salesperson?

Sixto: The overall theme is a positive feedback loop. We write the white paper slightly differently: explain terms more, add a parenthetical where we use an acronym, use language easier to understand for the non-security person. Now picture a salesman sitting in front of a customer who says, “Have you got something to show us about your security?” The salesman hands it over, the customer scans it quickly and goes, “This is exactly what I want.” The goal is that during that interaction where security people aren’t even in the room, the document has a positive effect. The positive feedback loop happens when the sales guy comes back and says, “That white paper was awesome. It broke the ice with the customer and we were able to talk about other things.” Now the security people see it really does work. Then you think: what about our knowledge database where we keep policy and procedure? What if we gave salespeople read access with a good search engine? Now the salesperson is at a customer site, the customer asks what kind of encryption you use between different stacks, and the salesman types it in and has the answer in an instant. Doesn’t have to call us back, doesn’t have to wait for a questionnaire exchange. You want to push security material, security answers to questions, as far upstream in the sales process as possible. What if we talked to legal and crafted an attachment that goes out with contracts saying, “Here’s what we commit to security-wise, Mr. Potential Customer”? It changes your whole perspective once you start thinking about yourself as a department that facilitates the sales cycle.

How It Filters Down to Consumers

Richard: How does this relate to the end consumer at a retail online store? Does it filter down as better security?

Sixto: Most of my experience has been B2B in large enterprise. I’ve worked with most of the big banks, and they’re tough customers. Some are quite insistent on us following their security protocols. The way it filters down is that the end user gets assurances they’re dealing with a company that takes security seriously and has ensured all their vendors do too. Whether it’s Charles Schwab or Wells Fargo, they can tell their customers: we vet all our vendors, they pass stringent evaluation, we talk to them in deep detail about how they implement security. They don’t get direct knowledge of the vendor’s security, but it flows downward.

Preparing for the Security-Sales Mindset

Richard: If somebody is interested in becoming a cybersecurity person, how can they prepare for this kind of interaction with sales and other groups?

Sixto: It’s a mindset. Once you think it might be beneficial, you start seeing opportunities. A lot of security training, whether it’s ISC2, the CISSP, all those certifications, they’re very focused on the nuts and bolts. It’s sometimes hard to see how it fits into the bigger picture. It takes outreach: go to lunch with a sales guy, talk to somebody in marketing, understand how you might fit in. For so long, security has been considered back room, behind the wall, behind the firewall. As you develop relationships outside your security community, talking to legal, sales, marketing, those people are forthcoming. They’re hungry for leverage points that might differentiate the company from others who don’t have this mindset. It has a cascading positive feedback loop. Once you get started, it gets more fun.

Career Advantage for Security Professionals

Richard: Should people looking for cybersecurity jobs become more up to speed on sales? Does it give them an advantage in an interview?

Sixto: I think it does. In America, sales drives business. No company exists in a vacuum. I think it’s a level of awareness any person should have about how their company works. It’s more than understanding that we make widgets. How do these widgets make their way into the marketplace? How do we sell them? That expanded perspective is a good thing in itself, even if you never use it as directly as I have.

Richard: One of the hard things is the resume goes into a blizzard of a thousand other resumes. How does a person with sales knowledge combined with security knowledge get to a decision maker?

Sixto: Your resume should reflect who you are, not just an inventory of what you’ve done. If in your last company the work you did was a contributing factor to landing a customer, put that in your next version. The reader will see this person has an outward-facing perspective. He’s not just a backroom kind of person. It never hurts to be able to say you helped close the deal.

Richard: But how do they get around the resume queue? Is it LinkedIn, networking, knowing people?

Sixto: It’s a combination. Your online presence has to be a reflection of who you are. A good LinkedIn profile in concert with your resume. Networking can’t be neglected, either. Professional organizations like ISACA, ISC2, ISSA. I’m going to a dinner tonight where I’ll be rubbing elbows with other security professionals. When somebody has an opportunity pop into their head, they think, “Oh yeah, that guy,” and fire up LinkedIn. It’s a percentage game. You need to be out there. LinkedIn is a great site not only for your profile but for writing articles. All of it is about putting you in someone else’s mind, triggering them to think of you when they’ve got something that needs doing.

Writing for a Broader Audience

Richard: It sounds like a good LinkedIn strategy would be to get your profile done professionally and write articles that say “here’s how a router contributes to the business” instead of just “here’s how you configure a router.”

Sixto: If your articles are focused only on people just like you, you’ll only interact with people just like you. But if you broaden your scope, you might run into people who would appreciate knowing how a router fits into the business, or how the selection of a firewall impacts the business overall. It’s like being a painter. If all you can do is talk about brushstrokes, you’re not going to be exciting at a party. But if you talk about the travel you took to get to the field where Van Gogh painted the daisies and the wonderful dinner you had, you’re weaving a story instead of just throwing facts on the table.

Richard: When you’re looking for a job, the people who are going to hire you are several levels above you in the organization and they’re interested in the business.

Sixto: Business people and executives look to people like us to solve their problem. They’ve got this business problem called security, but they don’t exactly know what it is. Security’s been in the newspaper, customers are banging them on the phone. They need to hire a security person to fix that problem so they can go back to doing business. If you’re just a security person, that business leader is never going to find you. But if you play in the same playgrounds, rub elbows with those business people, two things happen: they will ask you questions, and you will learn what kind of questions business people have. We in security sometimes get arrogant about non-technical people. Their viewpoint is just as valid. And usually they’re the decision makers.

Richard: If you’re specializing in pen testing, there’s a bazillion pen testers out there. But if you know about the business, you’ve differentiated yourself.

Sixto: Exactly. If decision makers find you easy to talk to… After all, isn’t business nothing more than personal relationships writ large? You have a relationship with your vendor, but it’s really with Alex, the representative who makes you feel good about that relationship and always answers your questions. That’s what you’re building: a series of relationships. You’re making yourself open to new relationships by being somebody who’s reasonable to talk to.

The Reverse Is True Too

Richard: A good strategy for someone who wants to get into this would be taking some sales and business courses on Udemy or somewhere, even just simple ones. At least know the terminology.

Sixto: Yes, because now you’re in the conversation. It isn’t foreign. I see security people sit in the back of a room with their arms crossed waiting for sales guys to finish their spiel, instead of sitting forward and thinking, “What is the message here?” The reverse is also true. A few years ago, the organization that advises boards of directors recommended that board members become as conversant in security topics as they are in financial topics, because security has become such an important thing. I’ve watched it over the last few years where the people I talk to get a better understanding. A week doesn’t go by without something about data privacy and some company getting hacked. Security topics have bubbled up into common thought, and we need to meet that challenge by speaking in a way that’s more easily understood by anybody.

Richard: Another strategy would be to find a business-level person and set up a coffee meeting or Zoom call. Pick their brains about the business, not security. Not begging for a job, just talking.

Sixto: That’s exactly right. You’re looking to make that connection and you’re getting an education. Anything you can do to educate yourself about what your company does is always a positive.

Being Integrated Means Being Protected

Richard: A takeaway I’d leave people with: this has to be an ongoing process. Don’t just pick up networking when you’re about to be laid off, because then you’re coming from behind. Do it all the time. Set up meetings, talk to people above you, learn about security but also the other parts of the business, AI, how things all hook together. These people will become your advocates and mentors. If they see you have business savvy and you’re helping the company sell using security, they’re going to be behind you.

Sixto: It has been such a facilitator. It’s made my work in security so much easier when you have allies. At budget time, when projects are being integrated, you become part of the business instead of this outlier that everybody wonders, “What do you guys do with all that money we give you? Are you just buying firewalls and equipment?” When you’re integrated into the whole thing, you are less of a mystery and more of a partner.

Richard: You become more than just Joe or Sally the security person. You become a real person to them, and that makes you a more valuable part of their team and less likely to be the first person laid off.

Sixto: If you’re considered part of the money-making end of the business, that changes things. Find Richard Lowe at TheWritingKing.com.

Quotable moments

Everything you do must contribute to the bottom line. Everybody’s in sales. — Sixto Bernal
Share on X

Your resume should reflect who you are, not just an inventory of what you’ve done. — Sixto Bernal
Share on X

When you’re integrated into the whole business, you are less of a mystery and more of a partner. — Sixto Bernal
Share on X

Related interviews

Frequently asked questions

What does Sixto Bernal mean by “security is sales”?

That security should actively help the business win and keep customers rather than sitting behind the firewall. He learned it from a CIO whose mantra was that everybody is in sales, and he now builds every security program to facilitate the sales cycle.

How does that change security writing?

A security white paper stops being written only for other security professionals and becomes a tool salespeople can hand to customers. The tone shifts, jargon gets explained, and the document is designed to build trust in the room even when security staff are not present.

Does business awareness help in a security job search?

Yes. Sixto argues that pairing security expertise with an understanding of how the company makes money is a real differentiator, both on the resume and in interviews with the business-focused leaders who do the hiring.

How do you get past the resume queue?

A combination of a strong LinkedIn presence, published articles that speak to a business audience, and active networking through professional organizations, so that when an opportunity arises, someone already has you in mind.

Related Reading

Conversations With Influencers features leaders and innovators sharing what they know. If you have expertise worth a book, let’s talk about turning it into the book that outlasts the work.

DISCUSS YOUR BOOK
ALL INTERVIEWS

Part of Conversations With Influencers, Richard Lowe’s interviews with leaders and innovators.

📁︎ Cybersecurity

🏷︎ Careers🏷︎ Cybersecurity🏷︎ influencer interview🏷︎ Sales