Skip to main content
Introducing Polarity Intel Edition: Streamlining Intel Distribution for SecOps
Polarity Intel Edition
Request a Demo

The Secret to our (Customer) Success

I recently sat down with Jody Caldwell, the Senior Director of Customer Success at ThreatConnect, to pick his brain and understand the specifics of how we help a customer from initial deployment throughout the entire span of their relationship with ThreatConnect.

Will you describe your role at ThreatConnect? What does a day look like for you and what are your responsibilities?

I’m the Senior Director of Customer Success. Day-to-day what I do is manage support, the customer success team, and the deployment engineers. Key drivers for me are ensuring customers get the most value out of ThreatConnect from day one, and that it continues throughout the entire time of their subscription. We’re making sure that deployment and training get executed, and also that we are meeting short term and long term goals laid out by the customer. Whether that’s on the threat intel side or working with their incident response team, and really any team within the SOC environment, the main driver is making sure they’re getting maximum value out of the platform.

Can you discuss how ThreatConnect supports customers, from deployment to continuing throughout the lifetime of the relationship?

We recognized from the outset that with a platform that offers as many capabilities as ThreatConnect does, not all customers were necessarily going to be as technically proficient or immediately understand all the processes that go into integrating the ThreatConnect Platform into the environment that they’re in. So, originally we started out with Customer Success Engineers, or CSEs as we call them here, who were technically proficient in handling the integration side of things, but also understand the process of bringing ThreatConnect into a new environment and helping customers evolve with ThreatConnect.

From there, we grew from a single point CSE after we recognized we needed a deployment engineer. Deployment engineers primarily help with on-premises customers and provide a dedicated resource to help you initially deploy ThreatConnect, but also assist on the upgrade side of things. For every upgrade, you’ll have access to a deployment engineer to assist with getting everything working in your environment. Finally what we added was a Customer Success Manager, or what we call CSMs. This was more of a strategic position that we wanted to put in place to work with the business owners at the customer organization, and also to ensure some of the project management items were being met throughout the phases and life cycle of the customer’s journey. Our goal is to ensure those points are met with specific deliverables and by meeting timelines, but also by working with the more technical or engineering team members from both the customer and from ThreatConnect. They make sure everyone is aware of the goals. Some of the larger companies obviously offer a program manager on their side, so what we thought was better for companies of all sizes is that we offer the same thing from a ThreatConnect perspective to be sure we are driving value consistently.

Can you talk a little more about the CSM / CSE program at ThreatConnect? What are the goals and responsibilities of those individuals, and some examples of day to day interactions or touchpoints that those folks may have with customers?

From day one once a delivery is executed on our end, each customer is assigned a CSM and a CSE. Both of those roles are equally important to ensure value is being derived from ThreatConnect. The CSE is primarily the technical point of contact, and the CSM is the strategic point of contact and from day one starts to recognize what the priorities are for things like getting integrations deployed, for meeting specific use cases that a customer has requested during the pre sales cycle, and for getting the proper trainings scheduled for all the right people. Both of those individuals will be involved when it comes to training the customer.

We do quarterly business reviews that the CSM is in charge of. They typically happens with the business owner at the customer organization to ensure they recognize the efforts that are being made by both the customer and by ThreatConnect, and the partnership that’s being built. During the QBR, priorities and short and long term goals are reviewed, and also allows time to plan. Oftentimes this is where customers have the conversation that starts with, “This is the next initiative I want to do with ThreatConnect.”  By ‘initiative’ they could mean additional integrations they may be looking to achieve, or if the organization is looking to expand to another division such as the incident response team, security operations team, vulnerability, fraud- once you start wanting to integrate other divisions within your organization into ThreatConnect, your CSM assists with that – including any additional necessary trainings. Ideally, as we go through a couple QBRs, the business owners are getting a high level of engagement with our team and are able to keep track of where the project is moving.

What type of background do you look for when hiring people for your team? How does that translate to being beneficial to ThreatConnect customers?

A bulk of the CSEs on the team today have experience in some facet, whether it’s them working through government and threat intel services, or they’ve actually held IR or SOC roles, so they understand the need for not only a solution like ThreatConnect, but they are also very keen to understand processes and how those processes drive security operations. They’ve lived it. They get the problems and the necessary solutions. That translates really well with the customers and allows us to have candid, two-way conversations with them about successes and challenges they face in their jobs.

What does the mapping of CSEs and CSMs to customers look like? Is that done by specific territories? Additionally, do you have the same team throughout the lifetime of the relationship?

A little bit is based on geography, but we also look at it from a maturity and industry standpoint. What type of subscription have they procured? And who is really the best asset to address that? I’ve got a good team that focuses on Financial Institutions, I’ve got a good team that focuses on Government related organizations, and one for Oil and Gas. Those things may vary a little bit, and it’s also based on the availability and workload of my current team on who will be assigned to what.

For the duration that you’re a ThreatConnect customer, from day one, you will always have a dedicated CSE and a CSM.

I will say one thing about onboarding, and this may go back to the last point, with onboarding typically there will be at least weekly touchpoints to get things implemented and deployed. After about the first 6 weeks once we get to a solid state where integrations are up and running, the team is trained, and we all feel comfortable with where things stand- those typically scale back to biweekly. As we move on and customers become more self sufficient, those may change to monthly. That being said, you can set up ad hoc meetings with the CSE and CSM at any point along the way.

That’s a lot of communication and touchpoints, which is great, but why is so much communication and support necessary for this type of solution?

With ThreatConnect, and a lot of other TIP and SOAR-like solutions, we realize there are a lot of functionalities, capabilities, and potential integrations with the Platform. Ensuring we are providing the most up to date and consistent information is important, so having those regular touchpoints and somebody you can rely on to talk to you – having that identified asset – speaks volumes to the commitment that we’re willing to make. You’re not necessarily having to reach out to a support desk and be in a queue before you get an answer to your issue. We look at every customer as a partnership, so as in any partnership, ensuring there’s effective communication back and forth with both parties involved is key to us. We’ve had a lot of success that we’re very proud of with this program.

What are the ways that a customer can get in contact with ThreatConnect?

We put out as many ways that we can think of to ensure that we are providing unlimited access to both the Customer Success and the Support teams. We offer a ThreatConnect Users Public Slack Channel which is for customers only at this time. We do see engagement between customers in that Slack Channel, as well as with other members of the ThreatConnect team – Customer Success, Product Management, etc. For support issues we do have support@threatconnect.com. Our CSEs and CSMs provide at least the office number where you can reach them, and multiple people on my team offer their cell number out to customers as well. I’d say that frequently gets used before, during, and after office hours which I believe shows the level of commitment we’re providing. For customers, we also offer a Private Slack Space. That is something that’s hosted by ThreatConnect. This gives you access to your customer success team members, the support team, and also to members of our Product Management and engineering teams.

Is everything we’ve discussed here included in the standard ThreatConnect subscription? Is this a unique program or do other vendors do the same?

Yes, absolutely. Most everything we’ve talked about here is included in standard terms. Above and beyond, and for an additional cost, we do offer enhanced support which is 24×7. If you need something at 2am, you can call a 1-800 number and one of our support team members will answer and be available to help you right away.

As far as this program being unique, I have spoken to other Customer Success Directors and people in similar roles, and I think with most of the better companies you get typically one person assigned to help you. But, if you really look at that, if you have one person dedicated to you and they have 30 customers, are you really getting the level of support that you need? So, one thing we’ve done with assigning two folks is break down the level of effort between being tactical and technical, and on the other side, being strategic and ensuring those needs are being met as well.

To use an analogy, you’re really fighting a two front war. You have to win over the analysts and technical team at a customer site, but you also have to win over the business owners and strategic assets and make sure they understand the value proposition and see the value that they’re getting from the money that they’re spending. This whole idea came about a few years ago when we realized our team was really good technically and really good with the analysts, but we didn’t have that strategic partnership at the business level. This led to a lot of frustration with some of our users, because they thought everything was going great, but when looking up the chain, say someone new came in as the head of the department, they may cut the budget and we’re not aware of that before it happens. That means we’re not there to help the actual users, analysts, translate the benefits they’re getting from ThreatConnect into business benefits that the higher-ups can understand.

More information on ThreatConnect’s Customer Success Team here.

 

About the Author

ThreatConnect

By operationalizing threat and cyber risk intelligence, The ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at www.threatconnect.com.