eBook

Chapter 1: Customer truth first: The discipline of starting from the outside in

Product Marketing Playbook for Today's Modern Cyber-Security | May 2026

The workshop

Your sales team is ignoring the customer-first deck. And they should.

Picture the workshop that produced it. The whiteboard says Who is our customer? at the top. Two hours in, fourteen job titles are listed underneath it: CISO, Director of Security, SecOps Manager, IT Director, VP Infrastructure, CFO, Compliance Manager, and on. The next session lists eleven problems across three themes — alert fatigue, compliance burden, tool sprawl, misconfiguration, over-privileged access. The third session turns the eleven problems into value propositions, then consolidates them into pillars, then compresses the pillars into a single line that comes out sounding like the unified security platform that reduces risk, improves efficiency, and accelerates outcomes for the modern enterprise.

The slides go into a deck. The field ignores them. Sellers already know that not every buyer moves deals, not every problem commands budget, and the message would not survive the first question on a discovery call. So they sell what they can sell: the two or three things the customer in front of them actually cares about enough to write a check for.

This is spray-and-pray, and it is how we lose the customer before we start.

Spray-and-pray is not a writing failure. Everyone in that workshop cared about the customer. They just didn't have the discipline of being customer-centered. Without the methodology, the artifact grows until it offends no one and means nothing. The seller makes the choices the slide refused to make, alone, under pressure, in the deal.

But the deeper failure isn't analytical. It's political — and it's structural.

When the room does not share a methodology and a body of evidence, every decision becomes a contest of opinions. My read of the customer versus yours. My intuition about the segment versus the VP's. My sense of what sellers can carry versus the CRO's. In that contest, the loudest voice does not win. The most senior voice does. And the artifact that emerges is not a customer definition — it is a settlement among the people in the room with the most organizational authority, dressed up in customer-first language.

The fourteen job titles on the whiteboard — the spray-and-pray list — are not there because the people in the room don't know the right answer. They are there because there is no shared basis for asserting one. The PMM may have done the research. The seller may have closed the deals. The CSM may have absorbed the renewals. But without a methodology that brings their evidence into a shared frame, the discussion defaults to seniority. The cost of producing the right answer — telling the VP their segment is not the priority, telling Product their feature is not the value driver, telling sales the territory plan does not match the ICP — is higher than any individual PMM can pay alone. The PMM is being asked to override organizational authority with personal conviction, and that is a contest the PMM cannot win.

Real customer methodology changes the math. When the room is grounded in win/loss verbatim, expansion data, churn signal, channel economics, and direct buyer evidence, the decision is no longer my opinion versus yours. It is what the data says versus what the org chart wants. That contest the PMM can win — not always, not easily, but possibly. The spray-and-pray contest, the PMM cannot win. They can only stretch the artifact until it absorbs the disagreement, which is what the slide records.

Every downstream decision compounds off this failure. Positioning is a bet about which buyers find which claims compelling. Pricing is a bet about which pains command which prices. Messaging, content, enablement, and launch strategy all run downstream of these initial decisions. Get the customer wrong — too broad, too generic, too many buzzwords — and no downstream work can save you.

This is why understanding the customer is the foundation of product marketing. The rest of this chapter is about the discipline of staying with the customer past the point where it gets politically inconvenient — and the three artifacts that force the organization to make the choices spray-and-pray avoids: a definition of who the customer is at the account level, a map of how decisions actually get made inside those accounts, and a grounded view of what the people inside them care about and will act on.

Before any of that, three terms.

A few terms, defined once

These three terms carry weight through the rest of this book. Let's define them clearly now.

Ideal Customer Profile (ICP). An account-level definition of the kind of company you should be selling to, expressed in firmographics, technographics, security maturity, regulatory obligation, and behavioral signals that predict readiness to act. It is a set of criteria specific enough that a seller can recognize product fit without a meeting, and general enough that marketing can build programs against it at scale. An ICP is not a list of target logos.

Buying permissions. A role-level map of how a deal actually moves inside an ICP account. Who approves, who champions, who blocks, who must be neutralized. Buying permissions replace the demographic persona — which describes who the buyer is — with a behavioral model of what each role does in a deal.

Engagements, pains, and proof. The substance layer underneath both. For each role: what are they trying to get done (engagements), what is costing them today (pains), and what evidence would convince them you are the answer (proof). This is the layer most product marketing artifacts skip, and it is the layer that makes the other two usable.

Two more terms run through the book.

Practitioner mode and executive mode. Two modes that different roles in a security buying group operate in. Practitioners trust peers, hands-on proof, and technical depth. Executives trust business cases, analyst validation, and defensible narratives. Most roles have a dominant mode; the best content serves both without collapsing into either.

The dual constraint. The running frame of this book. Every product marketing decision resolves two questions at once — what the customer will buy, and what your organization can actually package, price, sell, and sustain given its structure. Either side answered alone produces a strategy that fails. The discipline is to hold both in view and resolve them together.

With those defined, back to the work.

Most ICP work is sales coverage planning in a costume

Here is the unflattering truth about most ICP exercises in security companies.

You are not defining who the customer is. You are rationalizing the account list the Chief Revenue Officer (CRO) already gave you. The territory plan was set in October. The named accounts were assigned in November. By the time PMM runs the ICP workshop in February, the work is not analysis — it is dressing the existing coverage map in customer-first language so it can be presented at the quarterly business review (QBR).

This is why the ICP document so often reads like a description of the customers you already have. Because that is what it is.

A real ICP exercise has the authority to break the coverage plan. It can say: the named-account list contains forty companies your sellers cannot win and twenty more they cannot serve at the gross retention number your board expects. It can say: the segment your CRO is asking you to cover is real, but it requires a channel motion you do not have, and trying to sell it directly will burn pipeline and credibility for two quarters. It can say: the customers you closed last year are not the customers you should be targeting next year.

If your ICP exercise does not have the authority to make those calls, it is not ICP work. It is sales coverage in a costume.

The discipline starts with naming this honestly. The political compromise that produced the fourteen job-title slide is the same compromise that lets the ICP document quietly mirror the territory plan. The PMM's job is to introduce evidence the territory plan cannot easily absorb: win/loss patterns, expansion data, churn signal, gross margin by segment, channel economics. The evidence does not always change the territory plan. But it changes who in the room can claim to know what the customer actually wants — and that is what gives PMM the standing to make the next call.

This is the dual constraint at work. The customer side of an ICP asks who has the problem, the budget, the buying permission, and the readiness to act. The company side asks who your sellers can reach, your channel can serve, your pricing can fit, and your support can retain. Most ICP work fails at one of these. Either it is rigorous on the customer and silent on the company — a beautiful document describing accounts you cannot win. Or it is rigorous on the company and silent on the customer — a description of the accounts you already serve, dressed up as strategy.

A usable ICP holds both. It also surfaces the conflicts the organization has been avoiding. The mid-market segment the CRO keeps asking for may be unservable at your current support ratio. The federal vertical that came up at the last board meeting may be unreachable without a partner motion (vendors and partners executing joint sales and marketing activities) you do not have. The hyperscaler co-sell motion that everyone wants may break your per-user pricing model — Wiz built per-workload pricing in part because per-user metrics break on AWS co-sell paths, and competitors with the wrong metric were unreachable on those motions regardless of how good their product was.

Naming these conflicts is the work. Resolving them — stretch the company side, narrow the customer side, or defer the segment — is a decision, made consciously, with evidence. That is what integration means in practice. Not a slide that says cross-functional alignment. A specific answer to a specific question about a specific segment.

The account-level view: building the ICP

A usable security ICP describes accounts along five dimensions.

Firmographics. Industry, size, geography, ownership structure, growth stage. In security, ownership matters more than in most categories. PE-owned companies buy security differently than founder-led, which buy differently than public, which buy differently than federal.

Technographics. Current security stack, cloud posture, identity architecture, SIEM (Security Information and Event Management) and EDR (Endpoint Detection and Response) footprint, developer tooling. Stack detection from BuiltWith, HG Insights, or Enlyft gets you most of the way. The last mile is practitioner conversations and win/loss.

Security maturity. Where the account sits on a recognized framework — NIST CSF tier, CIS Controls implementation group, SOC structure (no SOC, outsourced SOC, internal SOC, mature SOC with threat hunting). Maturity is often a better fit predictor than size, and it is the dimension most often missing from ICPs written by PMMs without security backgrounds.

Regulatory posture. HIPAA, PCI, SOX, FedRAMP, CMMC, GDPR, DORA, NIS2. Regulatory obligation changes what the buyer is forced to care about and what evidence they need. It also changes which features are must-have versus nice-to-have — and therefore what your positioning has to lead with for that segment.

Behavioral signals. Recent breach disclosure. New CISO in the last six months. Board-level cyber incident. M&A activity. Cloud migration phase. Recent funding round. These are the triggers that turn a fit account into a buying account. The best security ICPs treat them as first-class criteria, not footnotes.

A specific note on security skepticism. Practitioners are paid to assume the worst about everything, including vendor marketing. They will not read your whitepaper unless a peer forwarded it. They will downgrade your credibility for every unsupported superlative and every FUD-laden chart. This means the ICP cannot be declared from a handful of buyer interviews conducted by someone the buyer does not trust. You have to triangulate — which the research section returns to.

The CISO is increasingly the ratifier, not the buyer

For most enterprise security purchases, the CISO no longer selects. The CISO ratifies.

This is the single most underweighted change in security buying over the last five years, and most marketing motions are still built on the previous reality. The deck is built for the CISO. The webinar is hosted for the CISO. The analyst briefing is choreographed for the CISO. And the deal is being decided somewhere else.

What changed:

  • The buying group fragmented. A modern enterprise security purchase touches the CISO, the security team, IT operations, the Chief Information Officer's (CIO) org, procurement, legal, privacy, often the CFO, and — since the SEC's 2023 cyber disclosure rules — increasingly the board.
  • The CFO entered the room. Tool consolidation, ingestion-cost economics, and the post-2023 budget pressure on security spending pulled finance into deals it used to ignore. The CFO is now an active participant in security purchases above a certain threshold, and a structural blocker on most others.
  • The practitioner became the champion. Enterprise security deals do not close without a SecOps lead, detection engineer, or cloud security architect doing the internal selling. The CISO can kill the deal but cannot, on their own, make it happen.
  • Procurement professionalized. Security purchases now move through procurement processes that look more like enterprise software than like the line-item budget calls of five years ago. Indemnification, AI clauses, data residency, SOC 2 evidence, and supply-chain attestations are all blockers that did not exist at the same density in 2019.

What this means for PMM is concrete. Marketing built for CISO consumption is reaching the ratifier, not the decider. The ratifier matters — they can stop a deal — but they did not start it, and they will not close it. The buyer is now a coalition, and the coalition has to be reached, equipped, and unblocked separately.

This is why buying permissions — a behavioral map of how a deal actually moves — is more useful than persona work. Not because the categories are different. Because a coalition cannot be served by a one-pager about an imagined buyer.

The role-level view: buying permissions

For any account inside the ICP, four questions matter.

Who approves? Who holds the formal authority to sign. In security, this is typically the CISO up to a spend threshold, the CIO or CFO above it, and the board on cyber-material deals. The threshold varies by company and is usually knowable from one discovery call.

Who champions? Who inside the account does the internal selling on your behalf. In enterprise security, almost always a practitioner — SecOps lead, detection engineer, cloud security architect, occasionally a security manager one level below the CISO. Champions form around specific pain and specific proof. They do not form around your brand. Enterprise security deals without a champion do not close, regardless of the quality of the approver relationship.

Who blocks? Who can prevent the deal from closing without holding approval authority. Procurement is the reflexive answer and is often not the real blocker. The real blockers are more often legal (data handling, indemnification, AI clauses), privacy (data residency, processing agreements), FinOps (ingestion pricing, unit economics), and architects with loyalty to an incumbent. A blocker does not need to want the deal dead. They just need to slow it past the quarter.

Who must be neutralized? Who has a political reason to prefer a competitor, an incumbent, or no decision. An architect who championed the incumbent five years ago. A director protecting their tool budget from consolidation. An external consultant with a referral relationship to a competitor. Neutralizing does not mean converting. It means giving the approver enough cover to override the objection.

This frame is more useful than persona work for one reason: it tells a seller what to do.

The persona document describes who the buyer is. The buying permissions map names what each role does in the deal — and therefore what marketing has to produce, what enablement has to deliver, and what content has to prove. But knowing who plays each role is only half the work. The other half is knowing what each of them cares about.

The substance layer: engagements, pains, and proof

A buying permissions map that names roles but does not go deeper than titles is a better demographic document — not a substantively better artifact. The usable version goes one layer further: for each role, what is the job they are trying to do, what is the pain costing them, and what proof will they accept.

Engagements are the work a role is trying to get done inside their organization, regardless of whether you exist. The SecOps lead is trying to reduce mean time to detect and respond, shrink alert volume, retain their analysts, and not be the reason the company ends up on the front page. The CISO is trying to demonstrate defensible risk reduction to the board, consolidate a tool sprawl they inherited, survive the budget cycle, and not be fired after an incident. The CIO is trying to reduce agent fatigue, improve developer experience without compromising posture, and avoid another integration project.

Engagements are stable. They predate your product and will outlast it. They are what lets your messaging connect to something real instead of something you made up.

Pains are the specific frictions, costs, and failures a role encounters in doing their job today. The SecOps lead is drowning in alerts from an EDR that hasn't been tuned in eighteen months. The detection engineer is writing the same correlation rules in three different tools. The CISO is spending forty percent of their time in vendor meetings and cannot name what any of them changed last quarter. The CFO just approved three security tools that overlap in capability and nobody can tell her which to cut.

Pains are testable. You can ask a buyer whether a pain is real, and the answer will be specific. If your ICP research has not surfaced specific, testable pains per role, you do not yet have an ICP. You have a segmentation document.

Proof is what each role needs to see to believe you. This varies more by role than most PMMs account for, and it is where the practitioner/executive distinction matters most.

  1. A SecOps lead needs your product running against their actual data, producing detections their stack missed.
  2. A detection engineer needs to see your rule logic and your API.
  3. A CISO needs peer references in their industry at their scale, analyst validation, and a defensible procurement story.
  4. A CFO needs a cost-comparison model, consolidation math, and a reference who can speak to year-two economics.

Proof is what closes the gap between interesting and defensible internally. A buying permissions map that does not specify, per role, the proof required is not actionable. It is descriptive.

Three implications follow.

  • Your content strategy is mostly a proof strategy. If you know what proof each role needs and you do not have it, that is your roadmap for research, case studies, third-party validation, and analyst work. The gap between what your buyers need to see and what you have to show them is almost always bigger than the gap in your product roadmap.
  • This is where your win/loss program earns its keep. Done well, win/loss interviews surface engagements, pains, and proof directly — what the buyer was trying to accomplish, what was costing them, what convinced them or failed to. A program that reports only win rates is wasting most of its own data.
  • This layer is what makes the difference between an ICP document that lives on SharePoint and an ICP that shows up in a seller's discovery call. The seller does not need the firmographic criteria in the room. They already know they are in an ICP account. What they need is the language of the job, the pain to probe for, and the proof to offer when the objection lands. That is the payoff for doing the work at this level.

This is also where the platform-speak value proposition from the opening workshop gets replaced with something real. Unclear value propositions are not a writing problem. They are a choice problem — the consequence of trying to cover every buyer and every pain with language abstract enough to fit all of them. The fix is not better copywriting. It is knowing which two or three pains, for which specific roles, you materially solve and can prove. Clarity is what you get when the choices underneath are real.

The research that grounds all of this

None of the above works on intuition. It requires evidence, and in security the evidence is harder to get than in most categories — federal, financial services, healthcare, and critical infrastructure buyers are often constrained from participating in the kind of research a horizontal SaaS PMM takes for granted. They cannot be named. They cannot appear in case studies. They sometimes cannot take a vendor call.

Three disciplines do most of the work.

Win/loss, run as a program. Not a post-mortem email from the Account Executive (AE). A structured program with a consistent interview guide, third-party interviewers (Clozd and DoubleCheck are the usual vendors), and quarterly synthesis back to PMM, product, and sales leadership. The output that matters is the verbatim — the specific language buyers used when they chose you, chose someone else, or chose not to move.

A warning: most win/loss programs are making their organizations dumber, not smarter. The verbatim is where the value is, and almost nobody reads it. The synthesis deck gets summarized into themes that confirm what leadership already believes. If your win/loss program has produced six quarters of similar themes, the program is not finding new signals — it is laundering existing belief. Ask to see the verbatim.

Community listening. Where your practitioners actually form opinions: r/cybersecurity, the CISO Series podcasts and Slack, Mandiant's community, Hacker News for certain segments, closed Slack groups, local ISSA chapters, BSides events. The goal is not engagement. It is reading. Pattern recognition on language, objections, running references, and what earns respect versus what gets dunked on. A PMM who has read six months of a community reads the market differently than one who hasn't.

A second warning: practitioners do not want to be your friend. The practitioner-first trend in security marketing has produced a generation of vendors performing community while extracting attention. Practitioners can tell. The discipline is to read, learn, and let your product earn its way into the conversation — not to manufacture presence.

Analyst inquiry data. If your company pays Gartner or Forrester, your analyst relations function logs the questions buyers ask in inquiries. Those logs are cleaner buyer signals than most of what PMM generates internally, because the buyer is talking to an analyst, not a vendor, and the incentive to posture is lower. Six months of inquiry logs will teach you more than a quarter of internal debate.

Most PMMs never ask for access. Ask for access.

Close

Spray-and-pray is not the disease. It is the symptom of a function that was asked to do customer truth work without the standing or the methodology to make the choices that customer truth requires. The artifacts in this chapter — a dual-constrained ICP, a buying permissions map, a grounded substance layer — do not eliminate the political compromise that produces spray-and-pray. They give the PMM in the room something sharper to bring when the compromise tries to form again.

Every downstream chapter builds off this foundation. Positioning that does not start from a real ICP becomes feature differentiation. Pricing that does not start from real pains becomes a metric the customer rejects. Messaging that does not start from real proof becomes platform-speak.

Next chapter: once the customer is defined and the substance is clear, how do you make yourself the obvious choice to those accounts without destroying your credibility in the process? Positioning, differentiation, and the discipline of credible de-positioning.

Field Kit: The customer truth starter set

The three tools that follow turn the chapter's argument into work you can do this quarter. Use them in sequence: the diagnostic surfaces what you know and what you're guessing about, the buying permissions map turns the diagnostic into a working artifact your sellers can use, and the research inventory tells you what evidence you need to keep the first two honest.

A note on scope. These tools are designed for a single ICP segment at a time. If your organization serves three real segments — say, federal, mid-market commercial, and global enterprise — fill out a separate set for each. The most common failure mode in customer truth work is averaging across segments and producing answers that fit none of them.


Want to go deeper?

Arbor87 helps teams build customer truth into their GTM foundations. If you're looking for hands-on support with ICP development, positioning, or research programs, let's talk.