MERU Conversation Series

Exploring the Growing Cybersecurity Industry and the Sales & Marketing Function with Mike Hanauer


Mike Hanauer, MERU Strategic Partner



Samir Saleem, Annika Tallis, and Kyle Sturgeon of MERU recently sat down with Mike Hanauer, who acts as MERU’s Strategic Partner in both the cybersecurity industry and the go-to-market (GTM) function.

This conversation has been edited for clarity and length.


MERU: As an introduction, can you provide us with a summary of your background and experience?

Mike: My professional career kicked off as a Nuclear Engineer in the Navy on aircraft carriers. I did that for four years and then realized I liked working with people instead of machines and wanted to get into sales.

After working different jobs in sales, I came across this company called Datto, where I helped grow the company from $10 million in revenue to $400 million (and grew the staff from 20 employees up to 2,000). I went from Sales Engineer to Sales Rep, Sales Manager, Sales Director and ultimately, when I left, I was VP of US Sales and had a team of about 100 comprising sales engineering, customer success, and the sales team.

After we were acquired, I moved into a Chief Revenue Officer (CRO) position in a private equity-owned company called SKOUT Cybersecurity. After working there for two years, I then joined another startup, with about 150 employees, called Redstor. After 25 years of success in Europe, Redstor wanted to transition into the U.S. market. They ended up having a strategy shift, moving towards cloud service providers and going down a product-led growth route, which is not where I wanted to continue my career. After years of talking about starting up my own consulting firm, I finally did it with Greenlake Consulting, where we focus on helping small businesses (100-500 employees) build out their go-to-market function as either interim or fractional CRO.

MERU: Given you have extensive expertise in sales & marketing (functional), and cybersecurity (industry), I would like to start with cybersecurity which is top of mind for most corporations. What are the most prominent cybersecurity threats that your clients have faced in the current landscape?

Mike: There are three major themes around cybersecurity – (1) compliance, (2) ransomware, and (3) business email compromise. When you look at a typical business, they're looking to solve problems with those three themes through technology and point solutions. What often gets overlooked is the fourth theme, the training of the people.

For example, let’s consider what happened at MGM Resorts and its recent 2023 hack. The company had lots of security systems in place, but if employees are not trained properly, cybersecurity threats will get right through these systems. I think that the most common threat is, and will continue to be, ransomware. Proper training of employees is probably the best way to combat ransomware over any single technology out there.

Graph from IBM Report Showing the Most Common Investment Types Among Those Increasing Security Investments Following a Breach. Includes a dotted outline around the second highest response Employee Training at 46%.

MERU: Based on some of the recent hacks (or security breaches) that you've seen, are there any specific industries or sectors you believe have been targeted?

Mike: A sector that gets targeted is businesses of any industry that have access to multiple external businesses and IT systems. There are plenty of companies, such as consulting firms or Managed Service Providers (MSPs), which have access to business databases and proprietary information which is valuable to bad actors. Anytime your firm has access to multiple internal and external systems, you can become the target of an attack. And if you're the one that owns the business that has access to all these clients, it can be very harmful to the business’ reputation if hackers gain access to client systems.

I’ll also state that a lot of the hacks that you hear about in the news are targeted attacks against large firms that already have security systems in place. But the small and medium businesses that don't have the same protections are also being attacked en masse, with hackers sending out thousands of emails to different companies hoping that one person clicks on those links - no one’s business is too small to be a target. Small and medium businesses are vulnerable to hacks, just as much as large companies are.

Graph from IBM Security Cost of a Data Breach Report 2023 showing the Average Cost of Data Breach by Head Count ($M) compared between 2021, 2022, & 2023

MERU: In the last few years, a lot of people have started to work from home. Has remote work increased the vulnerability of potential hacks?

Mike: Absolutely. One reason for increased vulnerability due to working from home is the lack of communication between employees. If you're sitting near several cubicles and everybody gets the same email at the same time that looks suspicious, they'll talk to each other and be less likely to fall victim to a suspicious email. But if you're working from home and you don't have that in-person interaction, you may be less likely to question or alert someone about the email, which can cause a significant problem if you click on malicious links. This is another strong case for the importance of employee training.

Another consequence of working from home is that the network perimeter has expanded greatly. Now that people are working in non-traditional office settings, they get access to a VPN, which means they can access confidential information from home. Whether that's in a CRM, or a financial database, they're accessing all of that through a home Wi-Fi network that is more vulnerable than a protected office network. Some companies are starting to adopt SASE technology and zero-trust practices, but unfortunately, many are not.

MERU: What advice can you give people who work from home or in a non-traditional office setting to increase their cybersecurity and protect themselves from potential threats?

Mike: Do not utilize a public network when trying to access any work documents. It's a very easy way for bad actors to get in - you should use your own secure mobile hotspot. From a business perspective, enable multifactor authentication on any business-critical application.

MERU: How can private equity firms ensure that the cybersecurity initiatives that they have align with some of the value creation plans they have for portfolio companies?

Mike: I like to look at cybersecurity like the cost of diamonds – if you get small diamonds, you can get a lot for a low cost. As you start to increase the carats and clarity, the price increases exponentially. So, in terms of cybersecurity, there are very basic things that you can get in place that are going to protect you from 95% of threats. Here are the five things that are going to protect you from 95% of threats:

  1. Have the right log monitoring solution or SIEM (Security Information and Event Management) in place.
  2. Ensure you’re monitoring your network with an IDS (Intrusion Detection System) solution. 
  3. Have email protection, spam filtering, and ransomware protection in an email protection platform.
  4. Invest in solid behavioral-based endpoint protection.
  5. Utilize an outside firm that has domain expertise in cybersecurity. All the tools in the world will not protect you if you are not configuring them properly, maintaining them regularly, and backing them up with a team of experts that know what to do when a threat is detected. 

Now, to get an extra 1% and protect yourself from 96%, it might cost you twice as much, and it just continues to increase as you get closer and closer to a hundred percent protected. However, there is no service, no product that will ever protect you from 100% of threats.

With that said, a good idea for private equity firms is to pick a cybersecurity-related KPI target for your portfolio companies and have everybody pushing towards the same target. I would also have portfolio companies include a cybersecurity update or progress check in their monthly or quarterly management reports. You can share best practices across portfolio companies, and you can develop a good view of how each of your portfolio companies is protected. There could also be significant cost and operational savings by utilizing the same vendors across multiple portfolio companies.

MERU: What are some of your predictions for the next few years in terms of the major shifts or advancements in cybersecurity practices or technologies?

Mike: My prediction is that the biggest focus over the next few years will be generative AI. If you look back to 2022 there was a record-breaking number of investments in generative AI tools, amounting to billions of dollars in investments. All these generative ChatGPT-like tools are going to start to make their way into businesses. You might see an AI product for your cybersecurity needs or even for your sales team that we can map out who the right customer to target would be during a certain month, or other programs that can help your team succeed. The vast majority of these tools will have access to sensitive information. It will be critical for businesses to understand the access granted to these tools, who will have access to your data, where it is getting stored, and other considerations.

Graph from CB Insights showing Investor Deal Count and Funding ($B) in Generative AI from 2019 to 2023YTD.

MERU: Let’s switch gears and talk about your functional expertise in the go-to-market function and salesforce effectiveness. Can you provide an overview of some of the key components of a go-to-market strategy, and why it's so crucial for a company's success?

Mike: There are three main components to any go-to-market strategy.  

  1. Identify your ideal customer.
  2. Develop a strategy to acquire those customers.
  3. Develop a strategy to retain those customers.

It sounds very simple to do, but it takes a very long time to identify who your key customers are, or who your ideal prospects should be. A lot of times, exercises like that are done looking at historical data.

However, historical data is not always reflective of the current market, the future market, or the business strategy going forward. So, that exercise can take a good amount of time to figure out, and then you have to figure out how you're going to acquire those customers, which is absolutely different in every industry. You can start to develop your acquisition strategy once you identify who those ideal customers are.

For customer retention, it's going to all depend on the product. For example, selling through partnerships, you can have net retention over 100% because you're growing those partnerships and selling more through them. If it's a one-time sale, how do you get them to do repeat business? If it is a simple SaaS product that has a monthly fee, you need to retain them as it is heavily focused on customer success and enablement. 

MERU: When we're talking about collaboration between sales and marketing teams, what are some of the key hurdles that they face when they work together, and what are the factors that you believe would be helpful in growing revenue?

Mike: I have a unique view on this. I believe that marketing should be measured on sales success. When marketing is measured on lead volume, influenced leads, or things along those lines, it can be manipulated. You can hurt lead quality by doing that and end up wasting time and money for the business, even though the leading indicators look positive. I think shared metrics are really, really important in this.

I once worked with a colleague whose primary goal of marketing was to make sales go faster. Whether that was making sure there were high quality leads in the beginning so they would convert faster, or once an opportunity was opened, there was a drip campaign that accelerated that sales process - there were a lot of subcomponents involved that utilized content and tools to enable partners to do this. Once a partner or a customer was on board, they were making sure that the team had all of the marketing tools to then go out and sell their customers or distribute to internal teams to better enable them.

Everything that marketing did was focused on making sales go faster. My belief there is that the best way to get those two teams aligned is to share a metric between both teams, so both teams are striving for the same goal. An added bonus (and the primary role of a CRO is to facilitate this), is to have one person that oversees the entire customer lifecycle from the first interaction with a lead all the way through retaining a customer for 5 years. You want to keep these two teams aligned and clear ownership will help to that end.

MERU: When you talk about these shared metrics across these two teams, what are some examples of those metrics?

Mike: The easy one is bookings, but conversion rates are also important. If you're looking purely at lead volume, you're going to suffer on lead quality. If you're looking purely at bookings, it's tough to attribute bookings exclusively to a marketing function or a marketing activity, especially if there's multiple interactions. But looking at conversion rates, it helps if the teams work together to understand the dynamics. The two teams can then start to talk about how they can develop better content, how they can have a better strategy at events, how they can ultimately work together to get more bookings.

MERU: Understood. Great. When we're talking about the sales team specifically, what are some strategies that can be employed to foster healthy competition amongst them? What can you do to foster a healthy environment versus a negative one?

Mike: Healthy competition is always great to have on a sales team. I always look at sales teams like athletes - they want to win, but they also want the team to win. So, there's ways that you can do that. I remember one time we did a March Madness fantasy bracket, and the entire company participated. We would bracket people based on their tenure and historical performance. There was tier one, tier two, tier three, and tier four salespeople, and everybody throughout the company would pick their team based on those tiers. Everybody was working together to push the teams to get money. You'd have people in completely different departments collaborating towards a common goal. 

I also think one of the best ways is just having live dashboards that are visible to the entire company. Everybody can see how people are performing - nobody wants to be at the bottom. At the end of the day, if you want to fly under the radar, sales is not the right place for you.

MERU: Last question, how do you strike the right balance in a sales compensation plan between base salary, commission, bonuses, or all the other types of incentives?

Mike: I've seen a healthy balance with a 50-50 split between salary and commission. Usually, people can get by on their salary, but most people want to earn more than this, so the commission is where they focus. When it's too off balance and they're making enough money in their salary that they don't need to sell to live a comfortable life, that's problematic. When commission is way too much of someone’s income, to the point where if they miss a month they're going to be getting behind on bills, that's going to be problematic as well. In both cases, you have people looking for another job. The most important thing here is, never cap your commission plans, because your top performers become demotivated at the end of the year when you really want them to be motivated.

MERU: Thank you so much, Mike! This has been very insightful.

1. Most Common Investment Types Among Those Increasing Security Investments Following a Breach, Cost of Data Breach Report 2023, IBM Security.

2. Average Cost of Data Breach by Head Count ($M), Cost of Data Breach Report 2023, IBM Security. 

3. Investor Deal Count and Funding ($B) in Generative AI, CB Insights Article.

Authored by: Samir Saleem, Managing Director, in collaboration with Annika Tallis, Associate, and Kyle Sturgeon, Managing Partner.