
OT/ICS Security Selling to the Plant Manager and CISO — 60-Min Training

5/30/2026

Direct Answer

OT/ICS Security Selling to the Plant Manager and CISO is a 60-minute training for AEs, SEs, and channel managers running $250K–$2.5M ACV cycles against incumbents like Claroty, Nozomi Networks, Dragos, Armis, Tenable OT Security, Forescout, Microsoft Defender for IoT (CyberX), TXOne Networks, Industrial Defender, and Honeywell Cyber Watch.

The session teaches sellers to qualify against the three-buyer reality (CISO, Plant Manager / OT Operations, Chief Engineer), run a structured discovery on asset-discovery and safety-impact economics, demo against the customer's actual OT environment, and trap-set the multi-year renewal at month 18.

Built on MEDDPICC, Force Management's Command of the Message, and Andy Paul's "Sell Without Selling Out" discovery cadence.


Section 1 — Why OT/ICS Security Selling Is Different (5 min)

Open the room by killing the IT-seller default. OT/ICS deals are sold to engineers who think in availability and safety, not confidentiality. The Plant Manager will reject any solution that risks downtime. The CISO is secondary in the technical evaluation.

Set the frame on the whiteboard.

End the segment with Mark Roberge's rule: *"Sell the safety preserved, not the asset count discovered."*


Section 2 — The 60-Minute Discovery Block (15 min)

  1. Opening (3 min): "Walk me through your OT environment — plants, PLCs, HMIs, SCADA, historian. What's the IT-OT boundary?"
  2. Asset-discovery baseline (10 min): "How many OT assets does your team officially inventory vs. what you suspect actually exists? 30%+ shadow OT is typical."
  3. Protocol coverage (10 min): "Which OT protocols do you need covered — Modbus, DNP3, Ethernet/IP, Profinet, OPC UA, BACnet, IEC 61850? Most enterprises need 5+ protocols."
  4. Passive vs. active scanning (10 min): "Active scanning crashes PLCs. Passive, network-tap-based discovery is the modern bar — and your Plant Manager will require it."
  5. IT-OT integration (8 min): "How does OT signal flow to your IT SOC? Claroty xDome and Nozomi Vantage lead on IT-OT data flow."
  6. Vendor-specific posture (7 min): "Which OT vendors dominate — Siemens, Rockwell, Schneider, ABB, Yokogawa, Honeywell, Emerson?"
  7. Renewal posture (5 min): "When is your current OT-security contract up? What contractual extraction friction would we navigate?"

```mermaid
flowchart TD
    A[AE Schedules 60-Min Discovery] --> B[Send Pre-Brief 24 hrs Prior]
    B --> C{CISO + Plant Manager + Chief Engineer?}
    C -->|No| D[Reschedule No Exceptions]
    C -->|Yes| E[Asset Discovery + Protocol 20 min]
    E --> F[Passive Scanning + IT-OT Flow 18 min]
    F --> G[Vendor + Renewal 12 min]
    G --> H[Confirm POC Scope Workshop]
    H --> I[Passive Tap Deployed at One Plant in 14 Days]
    I --> J[Joint Plant Manager Review at Day 30]
    J --> K[Bind Decision at Day 60]
```

Section 3 — The POC That Wins (15 min)

Failure modes to ban.

  - Sample-PLC POCs.
  - Active scanning.
  - 30-day POCs without Plant Manager sign-off.

Wins to coach.

  - Passive network tap at one plant. Walk through Claroty's and Nozomi's published POC agendas — both deploy a passive tap at one production plant in under 14 days.
  - Asset inventory delivered. Deliver a shadow-OT inventory within 7 days.
  - Safety risk assessment delivered. Map discovered vulnerabilities to safety-impact ratings.

End with Andy Paul's rule: *"Show the Plant Manager their safety risk reduced, not your detection count expanded."*


Section 4 — Handling the Incumbent Trap (10 min)

The room will face Claroty, Nozomi Networks, and Dragos in eight of ten enterprise deals. Coach the room on three counter-moves.

Counter-move 1 — The protocol-coverage wedge. Ask the Chief Engineer: *"Does your incumbent natively support all your OT protocols — Modbus, DNP3, Ethernet/IP, Profinet, OPC UA, BACnet, IEC 61850?"*

Counter-move 2 — The vendor-specific wedge. Ask: *"Which OT vendors does your incumbent deeply support — Siemens, Rockwell, Schneider, ABB? Vendor-specific knowledge matters for protocol nuance."*

Counter-move 3 — The safety-impact wedge. Ask the Plant Manager: *"Does your incumbent map discovered vulnerabilities to safety-impact ratings? Without safety-impact, your OT team can't prioritize patches."*

Show Force Management's command-of-the-message rule: *"Displace on safety understanding, not on feature count."*


Section 5 — Pricing Conversation and Procurement (10 min)

Landmine 1 — Per-asset vs. per-plant pricing. Per-plant is simpler for OT; per-asset punishes plants with high PLC counts.

Landmine 2 — Multi-year discount math. Three-year deals justify 12–18% discount; five-year deals justify 22–28%.

Landmine 3 — The procurement-only meeting. Enforce a no-procurement-only rule: refuse procurement-only meetings.

```mermaid
flowchart TD
    A[Joint CISO + Plant Manager + Engineer] --> B[Per-Plant Proposal Issued]
    B --> C{Multi-Year Discount Aligned?}
    C -->|No| D[Reset to Retention Math]
    C -->|Yes| E[MSA + SOW Drafted]
    E --> F{Procurement Solo Meeting?}
    F -->|Yes| G[Refuse Insist on Plant Manager Joint]
    F -->|No| H[Joint Negotiation Session]
    G --> H
    H --> I[Onboarding at First Plant Within 14 Days]
    I --> J[Shadow-OT Inventory Month 1]
    J --> K[Quarterly Plant Manager Review]
```

Section 6 — The Trap-Set for Renewal at Month 18 (5 min)

Trap-set 1 — Shadow-OT discovery at 30%+ within 90 days. The number is the renewal narrative.

Trap-set 2 — Multi-plant rollout completed within 12 months. Each plant locks in the renewal.

Trap-set 3 — IT-OT data flow to SOC live within 9 months. Lock in the unified visibility story.

Trap-set 4 — Joint Plant-CISO dashboard in QBR. Build the safety-and-asset dashboard into the QBR. By month 18, the dashboard is the renewal narrative.

Close the session by reading Jeb Blount's rule from *"Fanatical Prospecting"*: *"The renewal is sold on day one."*


FAQ

Should we sell to the CISO or the Plant Manager? Both. CISO funds; Plant Manager gates downtime. Skip either and the deal stalls.

How do we handle a customer mid-Claroty or Nozomi renewal? Run a complementary deployment at a non-overlapping plant. Build proof for the displacement conversation at renewal.

What is the right POC size for a Tier-1 enterprise? 60–90 days, one production plant, passive tap deployed, safety-impact-rated vulnerability inventory delivered.

How do we price against Dragos's deep threat-intel positioning? Dragos wins on threat-intel depth; we win on asset-discovery breadth and IT-OT integration. Position complementary at the entry tier.

What if the customer asks us to integrate with their existing IT SIEM and OT historian? Yes — every modern OT-security vendor integrates with Splunk, Sentinel, OSIsoft PI, AspenTech IP.21. Demo live in the POC.
