
Proving the Negative: Customer Success in Cybersecurity, with Wiz and Planhat

This article is based on conversations from the most recent Inside: Cybersecurity, an in-person, invite-only event, hosted by Wiz and Planhat, where commercial leaders discussed the nuances of customer success in the industry.
Cybersecurity is an odd corner of customer success. Customers pay six, seven, sometimes eight figures a year for products whose ideal outcome is that nothing actually happens. The category functions, in effect, as an insurance policy—which makes the post-sales job unusually hard, because at renewal time you are often proving a negative: “you didn't get hacked this year, so pay us again please.”
It is tempting to conclude that value is therefore unprovable in this industry. It is not. However, it does have to be constructed deliberately, step by step, rather than waiting for an outcome to announce itself.
The ROI ladder: visibility, context, closure
The value journey in cybersecurity runs in three stages, and their order is key:
1. Visibility
More than half of cybersecurity is about its relationship with visibility. CISOs lose sleep not over the threats they can see but over the environment they cannot—a problem AI is making worse, as agents get deployed everywhere with nobody quite sure what is running. The first job of any vendor is complete coverage, as fast as possible, and it is close to binary: the 2% of workloads you haven't scanned, or the identities you don't know about, could be the attack vector.
2. Context
Visibility alone produces noise—a scan that returns a thousand vulnerabilities might have no sense of which ones really matter. The decisive shift in the industry has been towards tools that can say: of these thousand findings, here are the ten that are actually exploitable, based on the attack path to your critical assets. That prioritisation is itself a sellable outcome; it replaces hours of argument between security teams and developers about what is theoretically versus practically dangerous, and it is the difference between a point solution and a platform.
3. Closure
Most security vendors are not hands-on-keyboard. Remediation depends on the customer's resources, politics and change windows—and if those ten items are still open at the next QBR, the CISO's risk profile has not moved, whatever the tool has done. The honest play is to show the real picture, explain why items remain open, and show where the customer could be in a few months if they act. Some vendors formalise the end state—a “zero criticals” milestone, say—which has the useful property of separating the vendor's contribution (visibility, context, persistent nagging) from the customer's (actually fixing things).
“Security software is bought to keep people out of jail; but it renews more easily when it also makes them more profitable.”
What actually matters to executives
The risk-trending-downwards chart is the staple of the cybersecurity QBR, and rightly so. But a few practices separate a good executive conversation from a ritual one.
Annotate the chart. If risk spiked because of an acquisition, a platform migration or a wave of newly onboarded teams, then mark the event on the timeline. Boards do not mind blips; they mind unexplained ones.
Retire the support-ticket recital. Ticket counts are how IT traditionally reported its output, and they still creep onto QBR agendas, but no board ever asks about tickets. Rather, they ask risk-based questions.
Make the CISO look good. The real job of cyber customer delivery is making the security leader look good in front of their board for the work they are already doing. Perception of trust is almost as powerful as trust itself—it is why trust centres are everywhere and why a strong compliance posture has become less a checkbox than a revenue enabler. Companies increasingly will not do business with vendors who cannot prove their infrastructure is safe.
Tie to business priorities. Identity tools can now show which expensive licences belong to people who haven't logged in for months—this visibility serves the bottom line, and not just the threat model. Security software is bought to keep companies secure, but it renews more easily when it also makes them more profitable.
How the teams are changing
Three structural patterns have become near-universal across the industry.
1. CSMs are becoming TAMs
Relationship-led account management is shifting back to sales, while customer success moves to a more technical profile. The products are too complicated, and the buyers too technical, for a purely commercial CSM to drive outcomes. The genuinely hybrid profile—technical depth plus commercial ownership—exists, though hiring for it is difficult.
2. Segmentation is ruthless
A mature cyber CS organisation typically runs three or four deployments at once: a scale team at the low end, working high ratios and monitoring for signals rather than holding relationships; mid-touch in the middle; near-dedicated coverage at the top, where single customers can be worth eight figures. The low end works best as a team sport—one person in the fire tower watching dashboards for smoke, specialists parachuting in when an account catches fire.
3. Renewals ownership varies
Some companies keep renewals in sales, with CS measured on retention and adoption; others have CS owning renewals and expansion outright. Either can work. What does not work is ambiguity about who is accountable for the number.
“Done well, a paid success offering can become one of the largest revenue lines in the company.”
Run it like a P&L
The sharpest lesson of the past few years is that cost-centre CS gets cut. The post-sales organisations that thrive are the ones that build a proper P&L—monetising support and TAM packages, stratifying hires, walking away from deals that carry no margin. Done well, a paid success offering can become one of the largest revenue lines in the company. The framing changes everything upstream: a leader who walks into a board meeting with unit economics gets resources; one who talks about happy customers in the abstract eventually gets asked what the team actually does.
Outcome-based pricing is the logical endpoint, and almost nobody has cracked it. The obstacles are real: revenue recognition, attribution, and deep dependence on the customer's own willingness to act. For now, the pragmatic version is outcome-based conversations on subscription-based contracts.
In an industry where success is silence, the job of customer success is to make that silence audible.
Adrian Beck
Global Vice President, Customer Success, Renewals & Services
Wiz
Adrian Beck is a global post-sales executive with a track record in building world-class Customer Success, Technical Account Management, Renewals, Services and Support functions in cybersecurity. With 25 years of experience spanning Big 4, scale-ups, and global SaaS leaders, he specialises in protecting and growing revenue — leading teams of 300+ and managing $2bn+ TCV.
Kaveh Rostampor
CEO & Co-Founder
Planhat
Kaveh Rostampor is the CEO and Co-founder of Planhat, where he leads the company’s mission to help organizations automate commercial operations. Since founding Planhat, he has guided its evolution from a Swedish startup into a global software company serving customers across software, healthcare, security, financial services, and IT services. With nearly two decades of experience building and scaling software companies, Kaveh is passionate about the future of enterprise software and how humans and AI will work together to run more intelligent, efficient businesses. He also serves as an advisor and board member to growth-stage technology companies.








