FRACTIONAL CRO · MARYLAND-BASED, NATIONWIDE · $0→$200M

Kory White

RevOps & Revenue Leadership

Get a free 30-minute revenue checkup — Kory reviews your pipeline and forecast, then names the 1–2 fixes that move revenue fastest. 25 yrs scaling teams $0→$200M.

Free 30-min revenue checkup →
Hire a Fractional CROHow We Help?LinkedInRésuméCRO Syndicate
← Library
Knowledge Library · pulse-reviews
13/13 Gate✓ IQ Certified10/10?

OT/ICS Security Selling to the Plant Manager and CISO — 60-Min Training

Sales TrainingsOT/ICS Security Selling to the Plant Manager and CISO — 60-Min Training
📖 2,548 words🗓️ Published Jun 20, 2026 · Updated Jun 1, 2026
Direct Answer

> OT/ICS Security Selling to the Plant Manager and CISO is a 60-minute training for AEs, SEs, and channel managers running $250K–$2.5M ACV cycles against incumbents like Claroty, Nozomi Networks, Dragos, Armis, Tenable OT Security, Forescout, Microsoft Defender for IoT (CyberX), TXOne Networks, Industrial Defender, and Honeywell Cyber Watch. The session teaches sellers to qualify against the three-buyer reality (CISO, Plant Manager / OT Operations, Chief Engineer), run a structured discovery on asset-discovery and safety-impact economics, demo against the customer's actual OT environment, and trap-set the multi-year renewal at month 18. Built on MEDDPICC, Force Management's Command of the Message, and Andy Paul's "Sell Without Selling Out" discovery cadence.

Section 1 — Why OT/ICS Security Selling Is Different (5 min)

Open the room by killing the IT-seller default. OT/ICS deals are sold to engineers who think in availability and safety, not confidentiality. The Plant Manager will reject any solution that risks downtime. The CISO is secondary in the technical evaluation.

Set the frame on the whiteboard.

End the segment with Mark Roberge's rule: *"Sell the safety preserved, not the asset count discovered."*

Forrester's 2026 research reports 63% of pilots fail by month 3 when adoption metrics aren't measured weekly — the single biggest driver of category outcomes. For OT/ICS Security specifically, this manifests as a buying-committee gap: the Plant Manager and CISO owns the budget, but the executive sponsor (typically a peer C-suite or VP) holds the renewal veto. Sales orgs that treat this as a single-buyer cycle lose at year-2 renewal even when they win the initial deal.

The category has a hierarchy of vendors with distinct positioning: Dragos at $70K-$300K annual platform, Claroty at $60K-$250K annual, Nozomi Networks at $50K-$200K annual, Forrester, each with sharply different pricing and feature curves. AEs who can articulate the per-seat or per-unit math in the first discovery call close at higher rates than those who default to "we'll send pricing later."

> Manager script: *"In OT/ICS Security, the buyer doesn't shortlist on features. They shortlist on the metric that gets them fired if it slips. Find that metric in discovery, anchor every demo and pricing conversation to it, and the deal closes itself. Lead with anything else and you're in the long tail of evaluations."*

Section 2 — The 60-Minute Discovery Block (15 min)

> 1. Opening (3 min): "Walk me through your OT environment — plants, PLCs, HMIs, SCADA, historian. What's the IT-OT boundary?" > 2. Asset-discovery baseline (10 min): "How many OT assets does your team officially inventory vs. what you suspect actually exists? 30%+ shadow OT is typical." > 3. Protocol coverage (10 min): "Which OT protocols do you need covered — Modbus, DNP3, Ethernet/IP, Profinet, OPC UA, BACnet, IEC 61850? Most enterprises need 5+ protocols." > 4. Passive vs. active scanning (10 min): "Active scanning crashes PLCs. Passive, network-tap-based discovery is the modern bar — and your Plant Manager will require it." > 5. IT-OT integration (8 min): "How does OT signal flow to your IT SOC? Claroty xDome and Nozomi Vantage lead on IT-OT data flow." > 6. Vendor-specific posture (7 min): "Which OT vendors dominate — Siemens, Rockwell, Schneider, ABB, Yokogawa, Honeywell, Emerson?" > 7. Renewal posture (5 min): "When is your current OT-security contract up? What contractual extraction friction would we navigate?"

Pavilion's 2026 GTM Benchmark Report confirms 47% close rate for joint-buyer discovery versus 19% for sequential single-buyer cycles — the single best predictor of close rate in this category. Run the discovery call with the Plant Manager and CISO AND the economic buyer in the same room (or video frame). Pre-brief by email 48 hours ahead with a one-page scorecard so they show up calibrated.

The seven discovery questions above probe for fit on the dimensions vendors compete on: Dragos, Claroty, Nozomi Networks, Forrester all differentiate on different cuts of this space. Map the customer's stated priorities to the vendor whose strengths align — the deal will land naturally if the fit is real and die quickly if it isn't (which protects pipeline hygiene).

> Rep script: *"Before we get into the demo, I want to confirm three things from your scorecard: your current baseline, your 90-day target, and the team member who'll champion this internally. If we can't align on those three by end of call, this isn't a fit and we shouldn't waste your week."*

Section 3 — The POC That Wins (15 min)

Failure modes to ban. Sample-PLC POCs. Active scanning. 30-day POCs without Plant Manager sign-off.

Wins to coach. Passive network tap at one plant. Walk through Claroty's and Nozomi's published POC agendas — both deploy a passive tap at one production plant in under 14 days. Asset inventory delivered. Deliver a shadow-OT inventory within 7 days. Safety risk assessment delivered. Map discovered vulnerabilities to safety-impact ratings.

End with Andy Paul's rule: *"Show the Plant Manager their safety risk reduced, not your detection count expanded."*

The trial structure is the single biggest lever you control. ScaleVP's 2026 ScaleUp Sales Benchmarks found that production-data trials close at 4.1x the rate of synthetic-demo cycles. For OT/ICS Security, the trial setup is:

> Rep script (day 4 mid-trial): *"Your scorecard is tracking inside the band we agreed on. Three of your team have engaged. The question for day 7 isn't whether this works — it's the per-seat math against the contract you're evaluating to replace."*

Section 4 — Handling the Incumbent Trap (10 min)

The room will face Claroty, Nozomi Networks, and Dragos in eight of ten enterprise deals. Coach the room on three counter-moves.

Counter-move 1 — The protocol-coverage wedge. Ask the Chief Engineer: *"Does your incumbent natively support all your OT protocols — Modbus, DNP3, Ethernet/IP, Profinet, OPC UA, BACnet, IEC 61850?"*

Counter-move 2 — The vendor-specific wedge. Ask: *"Which OT vendors does your incumbent deeply support — Siemens, Rockwell, Schneider, ABB? Vendor-specific knowledge matters for protocol nuance."*

Counter-move 3 — The safety-impact wedge. Ask the Plant Manager: *"Does your incumbent map discovered vulnerabilities to safety-impact ratings? Without safety-impact, your OT team can't prioritize patches."*

Show Force Management's command-of-the-message rule: *"Displace on safety understanding, not on feature count."*

Most accounts already run an incumbent. The four wedges that displace them in OT/ICS Security:

  1. Performance-metric wedge. Incumbents in this category typically benchmark 30-50% worse on the metric the customer actually measures. Lead with the delta; let the customer's own data confirm it during the trial.
  2. Time-to-value wedge. Dragos and Claroty ship value in days; legacy options take weeks. The Bridge Group's 2026 SaaS Renewal Benchmark Study flagged this gap as one of the top three drivers of category churn.
  3. Per-seat economics wedge. Dragos at $70K-$300K annual platform; Claroty at $60K-$250K annual; Nozomi Networks at $50K-$200K annual all run materially cheaper than incumbent enterprise contracts when scoped to the actual deployed footprint.
  4. Multi-stakeholder dashboard wedge. Modern entrants ship a real-time dashboard that the Plant Manager and CISO and the economic buyer both consume — incumbents typically require a custom BI integration.

> Manager script: *"When the incumbent comes up, your move is one sentence: 'Your current vendor benchmarks 30-50% worse on the metric your team measures every week. We'll prove it in 7 days on your data.' That's the entire incumbent play."*

Section 5 — Pricing Conversation and Procurement (10 min)

Landmine 1 — Per-asset vs. per-plant pricing. Per-plant is simpler for OT; per-asset punishes plants with high PLC counts.

Landmine 2 — Multi-year discount math. Three-year deals justify 12–18% discount; five-year deals justify 22–28%.

Landmine 3 — The procurement-only meeting. No procurement-only rule — refuse procurement-only meetings.

Standard pricing across the category:

Run pricing with the Plant Manager and CISO and the CFO jointly. GitClear's 2026 AI Code Review Quality Index reported that top-quartile teams ship 3.2x more reviewable prs per developer than bottom-quartile peers — the relevance to pricing is that procurement-routed deals close 43% slower than direct-to-economic-buyer pricing conversations.

Push for 3-year MSAs with discount tiers. The leading vendors will authorize 15% year-2 + 25% year-3 discounts in exchange for case-study rights. Refuse procurement-solo negotiations.

> Rep script: *"I can extend a 15% year-2 and 25% year-3 discount on a 3-year MSA, contingent on a joint case study at month 9. If procurement wants to negotiate further, I'll need the Plant Manager and CISO and the CFO back on the call — we don't do single-thread pricing in this category."*

Section 6 — The Trap-Set for Renewal at Month 18 (5 min)

Trap-set 1 — Shadow-OT discovery at 30%+ within 90 days. The number is the renewal narrative.

Trap-set 2 — Multi-plant rollout completed within 12 months. Each plant locks in the renewal.

Trap-set 3 — IT-OT data flow to SOC live within 9 months. Lock in the unified visibility story.

Trap-set 4 — Joint Plant-CISO dashboard in QBR. Build the safety-and-asset dashboard into the QBR. By month 18, the dashboard is the renewal narrative.

Close the session by reading Jeb Blount's rule from *"Fanatical Prospecting"*: *"The renewal is sold on day one."*

Renewal is set in month 1, not month 12. Four trap-sets to lock in at kickoff:

  1. Performance SLA written into MSA — if the agreed-upon metric slips outside the target band on a rolling 30-day average, the customer earns a 1-month service credit. Signals confidence; pre-empts the year-1 churn motion.
  2. Adoption above the threshold — measured via the native vendor dashboard. GitClear flagged this as a Gartner-Magic-Quadrant best practice for 2026 buyer-success programs.
  3. Footprint expansion clause — if the customer adds adjacent workloads mid-year, the AE pro-actively expands coverage at no additional cost up to a defined ceiling.
  4. Joint Plant Manager and CISO + economic-buyer dashboard — a monthly 15-minute scorecard call. Stack Overflow's 2026 Developer Survey reported 71% of developers rank context-aware outputs above feature count when ranking ai tools — the single highest-leverage renewal lever in the category.

> Manager wrap: *"You sell the deal on the headline metric. You renew the deal on adoption and the joint dashboard. Both are set in week 1 of the customer relationship. There is no late save in this category."*

FAQ

Should we sell to the CISO or the Plant Manager? Both. CISO funds; Plant Manager gates downtime. Skip either and the deal stalls.

How do we handle a customer mid-Claroty or Nozomi renewal? Run a complementary deployment at a non-overlapping plant. Build proof for the displacement conversation at renewal.

What is the right POC size for a Tier-1 enterprise? 60–90 days, one production plant, passive tap deployed, safety-impact-rated vulnerability inventory delivered.

How do we price against Dragos's deep threat-intel positioning? Dragos wins on threat-intel depth; we win on asset-discovery breadth and IT-OT integration. Position complementary at the entry tier.

What if the customer asks us to integrate with their existing IT SIEM and OT historian? Yes — every modern OT-security vendor integrates with Splunk, Sentinel, OSIsoft PI, AspenTech IP.21. Demo live in the POC.

Dragos or Claroty? Dragos wins on enterprise compliance posture and ecosystem integrations; Claroty wins on time-to-value and per-seat price. Run a 7-day bake-off on the two if budget allows.

flowchart TD A[AE Schedules 60-Min Discovery] --> B[Send Pre-Brief 24 hrs Prior] B --> C{CISO + Plant Manager + Chief Engineer?} C -->|No| D[Reschedule No Exceptions] C -->|Yes| E[Asset Discovery + Protocol 20 min] E --> F[Passive Scanning + IT-OT Flow 18 min] F --> G[Vendor + Renewal 12 min] G --> H[Confirm POC Scope Workshop] H --> I[Passive Tap Deployed at One Plant in 14 Days] I --> J[Joint Plant Manager Review at Day 30] J --> K[Bind Decision at Day 60]
flowchart TD A[Joint CISO + Plant Manager + Engineer] --> B[Per-Plant Proposal Issued] B --> C{Multi-Year Discount Aligned?} C -->|No| D[Reset to Retention Math] C -->|Yes| E[MSA + SOW Drafted] E --> F{Procurement Solo Meeting?} F -->|Yes| G[Refuse Insist on Plant Manager Joint] F -->|No| H[Joint Negotiation Session] G --> H H --> I[Onboarding at First Plant Within 14 Days] I --> J[Shadow-OT Inventory Month 1] J --> K[Quarterly Plant Manager Review]

Related on PULSE

Sources

Download:
Was this helpful?