People Tech

Building a better salesperson

My first tech job was with a regional VAR (value added reseller). I started in phone support, then moved up to bench tech, then to field engineer – a path that increased my exposure to customers and the rest of the business with each move.

I liked the technical work and helping people with their problems, but as I began to notice the sales engine that was at work around me, I started to dread coming to work.

Over time my reaction to the projects the owner and salespeople would bring to me went from “Yes, I’m on it!”, to “Huh, this is kinda weird.”, to “WTF is wrong with you people!?”

I found myself having conversations like:

Me: “Yes, we could upgrade every part in the customer’s PC, but wouldn’t it be better and cheaper for them to just buy a new computer?”

Salesperson: “Just put in the upgrades. It’s a big sale.”

Owner: “Go to their office, install this drive, and setup backups for them.”

Me: “Umm, we’re selling this? It’s 3 years old and the box is covered in dust.”

Owner: “It’s what we have in stock.”

Me: “But these things are worth like a 100th of the price on this invoice.”

Owner: “They don’t know that.”

Salesperson: “Can you look over this bid for these school lab computers?”

Me: “Why are you putting $1000 video conferencing codec cards in them?”

Salesperson: “Because we already have them and the grant allows it.”

By the end, I wanted to burn the building down with everyone locked inside. At the time I thought my experience was unique, that my employer was just particularly evil.

That was, of course, stupid. I was new to the workforce and naïve. Working for that VAR gave me the first insight into a cancer that is easily spread into any sales org.

Cracks in the system

Sales is an important job and I have met some amazing salespeople who are both good at their job and good at being decent humans. But sales is usually a pay for performance role which has inherent flaws, at least in the way it’s structured for most companies.

Quota-driven motivation tends to isolate the salespeople on a team and can lead to acts of desperation. Even some team-based quota models drive a culture of “every man for himself” that can never end well.

Traditional quotas recreate the cutthroat conditions of a medieval bazaar and living day-to-day in a system of “I must sell five more goats or my family will starve.” has an effect on the morality and judgement of an individual. How can it not?

I feel sympathy for people stuck in this situation. They have mortgages, kids to feed, whatever else and they feel like they don’t have the convenience of always fighting to do the right thing. It’s a crummy place to be – to have a moral compass and not be allowed to follow it.

In general, I find performance-based compensation off-putting. “You sell more, you make more.” makes sense and works pretty well on a small scale, but crank it up to multi-million-dollar-mania levels and you’ve self-selected for a certain psychology.

The worst of humanity reveals itself when you put a bunch of people in a room who tie their level of effort to how much money they make. Extrinsic motivation is the stuff of pyramid scheme tycoons, politicians, and serial killers.

The status quo is ugly

On the customer side, I have multiple conversations a week that go a little like this:

Me: “In detail, here is the problem I am trying to solve. Could your widget help fix that problem?”

Salesperson: “Yes!”

Me: “So your product can cure cancer, solve world hunger, and keep our network free of viruses?”

Salesperson: “Yes!”

Me: “Do you understand anything that I’ve said?”

Salesperson: “No.”

Me: “And you still think your widget is the right solution for me?”

Salesperson: “Yes! It’s what I’m getting the highest comp on this quarter.”

I can’t express how frustrating this is and how much this sucks, especially when the person has swaggered in presenting themselves as a trusted advisor.

Customers need honest answers and guidance. They need help, even if it’s in the form of “Hey, I don’t think our product is a good fit for this problem.”

If you’re a salesperson who wants to build trust and a long-term pipeline that practically vomits money, be willing to walk away from a sale that doesn’t make sense. Spouting half-truths and outright lies may work in the short-term, but it’s a clichéd path that leads to gold chains, cocaine addictions, damaged relationships, and early heart attacks.

Personally, I respect the heck out of salespeople who tell me “no” and “I don’t know.” I will go out of my way to seek them out for future projects even if what they’re selling costs double the competition. I’ll come back to them when they change jobs and do my best to always take their calls.

A better path (maybe)

Being honest in sales requires a company culture that allows the person to be honest. The dude-bro, hyper-competitive environment that many companies create for their salespeople is not that. Quotas don’t support that, neither does performance pay. All those things box salespeople in and make them feel as if they have to lie, cheat, and steal to keep their job.

How about this:

  • Pay salespeople a good, fixed salary based on their skill and experience.
  • Get rid of sales quotas and replace them with other metrics like customer satisfaction and product usage. These are imperfect measures as well, but have a longer-term focus.
  • Manage salespeople like everyone else. If there’s a performance problem, coach and support them. If that doesn’t work, help them move on to something else.
  • Hire people who are motivated to do a good job because it’s the right thing to do, not because they want/need to chase carrots.

What about the salespeople who need the carrot? The ones who love the game, and are going to shuck and jive even when they don’t have to.

Honestly, eff those people. That’s not a personality trait that helps move humanity forward or builds a solid foundation for a business. If they can’t adapt to a healthier culture, they can go pound sand.



In pursuit of a modern password policy

The phrase “convenience shouldn’t trump security” sounds good. It carries the weight of authority, of someone who is taking a stand to do the right thing, and in most cases they are. Problem is, outside of a high security setting, inconveniencing users tends to make things less secure.

The classic example: An IT department implements a high complexity password requirement. Numbers, letters, uppercase, lowercase, symbols, all that jazz. Policy in place, IT tells management “We’re more secure”, ignoring the fact that most users are now writing their passwords down on sticky notes and putting them under their keyboard.

Someone from security will go around and occasionally wag their finger at users telling them they are stupid for writing their password down. Users will momentarily stop writing down their passwords, password reset calls to the helpdesk will spike, and then users will go back to writing down their passwords. Rinse & repeat, over and over again.

“$p4rkY_&bT” is more difficult to crack than “Bobby”, and corporate-wide use of complex passwords guards against certain kinds of attacks, but it opens the door to others: a disgruntled coworker staying late, flipping everyone’s keyboards, and using their passwords to metaphorically burn the business to the ground. That is a much more likely scenario than scary internet hackers trying to brute-force end-user passwords.

Most businesses gravitate to a standard password policy that’s based more on culture and audit compliance than real world efficacy. It tends to look like:

  • 8 character minimum
  • A mix of symbols, uppercase, lowercase, and numbers
  • 90 day expiration

In certain contexts, this is absolutely the right policy, but it is the wrong fit for most. It’s based on outdated assumptions: that the most common threats are external, that stale passwords are a common attack vector, and that a blanket policy is best. Here are some different approaches.

Passphrases, vaults, and pins

It’s no longer novel to use passphrases (strings of words, usually 16 characters or more) instead of passwords. An XKCD comic from several years back helped popularize their use and highlighted their strength versus traditional complex passwords. The technical advantage isn’t as large as it once was, since cracking tools have evolved, but the ease of memorization remains.

“popcorntreefortunicorn” or “thereisacowinmyfrontyard” are both easier to remember than a complex string like “4_%Ca*f2(k” and less likely to be written down or forgotten.

Using a password vault like 1Password is a better option in general, as it allows you to still use complex passwords and not have to remember them, but user adoption and support keep vaults from gaining widespread use in businesses – vaults are hard to scale. Depending on your user base, passphrases may remain the better option.

The future of authentication is being driven by mobile and largely does away with passwords. Windows 10 supports secure-pin login that functions much like an iPhone. A short pin number (or biometric signature – fingerprint, face recognition, etc.) can be encrypted and stored on the local device on a dedicated, secure chip. Plugging in the correct pin unlocks the device and from there, authentication to different apps and services can be claims-based, using a standard like SAML or FIDO. Usernames and passwords may need to be occasionally re-entered to refresh an authentication token, but day-to-day, users won’t be typing in many passwords.

The pin only works with local login, so if the pin is compromised it can’t be used remotely.

What about expiry? Everyone hates setting up a new password every three months. Expiry breaks apps tied to service accounts and drives end-user helpdesk calls. So why do we force passwords to expire several times a year? Because reasons?

There’s no good reason to expire passwords every 30, 90, or 120 days. It’s not an effective countermeasure, it just causes problems. If an attacker gets access to corporate passwords, they aren’t going to sit on them; they’re going to use them almost immediately, or sell them to someone who will. The threat of stale credentials isn’t a real thing, and luckily there are now government agencies and standards bodies stepping up to the plate to say so.


No password policy can keep passwords from being compromised, especially when applied to humans. Multi-factor authentication helps though and is no longer optional. Using a soft token app on a device secured by biometrics (think fingerprint locked iPhone) as well as a password is an easy way to boost your security posture.

Multi-factor tools aren’t as difficult to manage as they once were. Solutions like Duo and Yubikey are simple to add and companies like Microsoft and Okta are building multi-factor directly into their product suites.

Right now, the most popular methods of multi-factor auth are biometrics (fingerprints), tokens/certs (Yubikey), and SMS. Challenge questions are on the way out. They face the same issues as passwords and can be compromised using the same method. From a support perspective, if a person can’t remember a password, they are probably going to have issues remembering the answer to a challenge question.

Behavior will be the next big thing in multi-factor auth. Behavioral analytics tools like Exabeam can be used to create risk profiles for user activity and trigger actions based on risky or out-of-the-norm behavior. Geo-fencing is the simplest form of behavioral MFA – “Are you logging in from somewhere you aren’t normally, like southeast Asia?”

As these tools develop they’ll be able to look deeper into the actions performed with each app a user logs into and match them to a threat profile.

“User (based in Minnesota) logged on from the UAE, downloaded 4 gigs of data from Box, then sent e-mails with attachments to several blacklisted countries.”

“Something you do” is being added to the authentication triad of “Something you are, something you have, or something you know.”
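As an added illustration of the “something you do” idea (this is example code written for this post, not Exabeam’s or any vendor’s logic): a tiny risk scorer that learns a user’s baseline from past sessions (countries seen, typical download volume) and scores a new session against it, escalating to step-up MFA or a block-and-alert when the score crosses a threshold. The session history, the country codes (US for Minnesota, AE for the UAE), the blocked-destination list and the weights are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Session:
    user: str
    country: str            # ISO 3166 code of the login source
    download_gb: float      # data pulled from the file-sharing app during the session
    mail_to: tuple          # ISO codes of countries that received e-mail attachments


# Constructed history for one user who normally works from the US; not real telemetry.
ALICE_HISTORY = (
    Session("alice", "US", 0.20, ("US",)),
    Session("alice", "US", 0.10, ("US", "CA")),
    Session("alice", "US", 0.30, ()),
    Session("alice", "US", 0.15, ("US",)),
)

# Placeholder for an organisation's own list of countries it never e-mails attachments to (assumption).
BLOCKED_MAIL_COUNTRIES = {"XX", "YY"}

# Assumption: how far above the learned baseline a download must be before it counts as unusual.
DOWNLOAD_MULTIPLIER = 10


def baseline(history):
    """Learn what 'normal' looks like from past sessions: countries seen and typical download volume."""
    countries = {s.country for s in history}
    typical_gb = mean(s.download_gb for s in history)
    return countries, typical_gb


def risk_score(session, history):
    """Score one session against the user's baseline; returns (score, reasons)."""
    countries, typical_gb = baseline(history)
    score, reasons = 0, []
    if session.country not in countries:
        score += 40                      # geo-fence miss: a country this user has never logged in from
        reasons.append(f"login from {session.country}, never seen for {session.user}")
    if session.download_gb > DOWNLOAD_MULTIPLIER * typical_gb:
        score += 30                      # bulk download far outside this user's norm
        reasons.append(f"downloaded {session.download_gb} GB vs typical {typical_gb:.2f} GB")
    blocked = sorted(set(session.mail_to) & BLOCKED_MAIL_COUNTRIES)
    if blocked:
        score += 30                      # data leaving toward destinations policy forbids
        reasons.append(f"attachments sent to blocked countries {blocked}")
    return score, reasons


def decide(session, history):
    """Map a score to an action: allow, ask for a second factor, or block and page the SOC."""
    score, reasons = risk_score(session, history)
    if score >= 70:
        return "block_and_alert", score, reasons
    if score >= 40:
        return "step_up_mfa", score, reasons
    return "allow", score, reasons


if __name__ == "__main__":
    # The page's scenario: a Minnesota-based user appears in the UAE, pulls 4 GB, mails attachments abroad.
    suspicious = Session("alice", "AE", 4.0, ("XX", "US"))
    print(decide(suspicious, ALICE_HISTORY))
```

A plain business trip (new country, normal data volume) lands on `step_up_mfa` rather than a hard block, which is the point of scoring rather than a single geo rule: the second factor absorbs the false positive without a helpdesk call.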

Context and controls

End users and administrators should not fall under the same authentication policy. They are not operating in the same context and have access to different resources.

Following a policy of least-access – meaning users only exist in the systems they need and only have access to the minimum functionality necessary – goes a long way toward beefing up security. Paired with separation of duties, these soft controls are often more effective than a strong authentication policy.

Effective controls allow you to give your end users an easy-to-live-with password policy that matches the scope of impact. They can also guide sane password policies for admin users, who should have an easier time dealing with password vaults (like Thycotic or 1Password for Teams – Seriously, don’t use a spreadsheet.) and more strict MFA requirements.

If you’re worried about brute force attacks, lockout policy is far more effective than password complexity. Some businesses lock out with as few as 3 incorrect passwords, which is a bit too few, in my opinion. Settling around 10 or so feels more appropriate. If a user needs 4 attempts to login to get it right, maybe they are having a bad day. If they need 11, they’re either an idiot or someone malicious.
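To make the lockout idea concrete, here is an added example (written for this post, not taken from any product) that replays a constructed authentication log through a lockout counter using the 10-attempt user and 5-attempt admin thresholds proposed below. The log lines, the 15-minute observation window and the 30-minute lockout duration are assumptions; the behaviour to notice is that a user who needs a few tries just logs in, while an account that hits its threshold refuses even the correct password until the lock expires.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds transcribed from the policy proposed on the page.
LOCKOUT_THRESHOLD = {"user": 10, "admin": 5}
# Assumptions: failures only count inside this window, and a lock clears itself after this long.
OBSERVATION_WINDOW = timedelta(minutes=15)
LOCKOUT_DURATION = timedelta(minutes=30)

# Constructed authentication log lines; not output of any real product.
SAMPLE_LOG = """\
2024-03-01T09:00:01 user=bob role=user result=fail
2024-03-01T09:00:09 user=bob role=user result=fail
2024-03-01T09:00:20 user=bob role=user result=fail
2024-03-01T09:00:31 user=bob role=user result=success
2024-03-01T09:05:00 user=carol role=admin result=fail
2024-03-01T09:05:01 user=carol role=admin result=fail
2024-03-01T09:05:02 user=carol role=admin result=fail
2024-03-01T09:05:03 user=carol role=admin result=fail
2024-03-01T09:05:04 user=carol role=admin result=fail
2024-03-01T09:05:05 user=carol role=admin result=success
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into (datetime, user, role, result)."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), fields["user"], fields["role"], fields["result"]


class LockoutTracker:
    def __init__(self):
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> datetime the lock expires
        self.events = []                     # (timestamp, user, event) worth forwarding to the SOC

    def observe(self, ts, user, role, result):
        """Return 'ok', 'fail' or 'locked' for one attempt, updating state."""
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            # Even a correct password is refused while the account is locked.
            self.events.append((ts, user, "rejected_while_locked"))
            return "locked"
        recent = self.failures[user]
        while recent and ts - recent[0] > OBSERVATION_WINDOW:
            recent.popleft()                 # forget failures outside the window
        if result == "success":
            recent.clear()                   # a good login resets the counter
            return "ok"
        recent.append(ts)
        if len(recent) >= LOCKOUT_THRESHOLD[role]:
            self.locked_until[user] = ts + LOCKOUT_DURATION
            recent.clear()
            self.events.append((ts, user, "locked_out"))
            return "locked"
        return "fail"


def replay(log_text):
    """Feed every log line through a fresh tracker; return the tracker and per-line outcomes."""
    tracker = LockoutTracker()
    outcomes = [tracker.observe(*parse_line(line)) for line in log_text.strip().splitlines()]
    return tracker, outcomes


if __name__ == "__main__":
    tracker, outcomes = replay(SAMPLE_LOG)
    for ts, user, event in tracker.events:
        print(ts.isoformat(), user, event)
```

The `events` list is the part a detection team cares about: a `locked_out` on an admin account followed by a `rejected_while_locked` is either the real admin mistyping or someone guessing, and either way it deserves a look rather than a silent unlock.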

So what’s a modern password policy look like?

How about this:

For users

  • 14 character minimum, no complexity but common passwords like Password123456 are blacklisted
  • MFA required for off-network access and for critical apps
  • No password expiry
  • 10 attempts before lockout

For admins

  • 20 character minimum (or highly complex)
  • MFA required for all access
  • Yearly password expiry
  • 5 attempts before lockout
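The two policy tables above, turned into a checker as an added example (code written for this post, not any vendor's implementation). The length, expiry and lockout numbers are the page's; the blacklist contents, the way “highly complex” is interpreted for admins (all four character classes and at least 14 characters, an assumption) and the helper names are mine. It also shows what the earlier passphrase section implies: under this policy the passphrases pass and the short complex string “4_%Ca*f2(k” fails.

```python
import re
from datetime import date, timedelta

# Policy table transcribing the page's proposal; the key names are mine.
POLICY = {
    "user":  {"min_len": 14, "allow_complex_shorter": False, "expiry_days": None, "lockout": 10},
    "admin": {"min_len": 20, "allow_complex_shorter": True,  "expiry_days": 365,  "lockout": 5},
}
# Assumption: the shortest an admin password may be when it is "highly complex" instead of 20+ characters.
COMPLEX_MIN_LEN = 14

# Constructed blacklist placeholder; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome"}

CHARACTER_CLASSES = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]


def is_highly_complex(pw):
    """True when lowercase, uppercase, digit and symbol are all present."""
    return all(c.search(pw) for c in CHARACTER_CLASSES)


def is_common(pw):
    """Blacklist check that also catches a dictionary word with digits or symbols tacked on the end."""
    lowered = pw.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)      # Password123456 -> password
    return lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS


def check_password(pw, role):
    """Return the list of rule violations for a candidate password; empty list means accepted."""
    rules = POLICY[role]
    violations = []
    long_enough = len(pw) >= rules["min_len"]
    complex_enough = (rules["allow_complex_shorter"]
                      and len(pw) >= COMPLEX_MIN_LEN
                      and is_highly_complex(pw))
    if not (long_enough or complex_enough):
        violations.append("too_short")
    if is_common(pw):
        violations.append("common_password")
    return violations


def is_expired(last_changed, role, today=None):
    """Users never expire; admins expire after the configured number of days."""
    days = POLICY[role]["expiry_days"]
    if days is None:
        return False
    today = today or date.today()
    return today - last_changed > timedelta(days=days)


if __name__ == "__main__":
    for candidate in ("thereisacowinmyfrontyard", "4_%Ca*f2(k", "Password123456"):
        print(f"{candidate!r:30} user={check_password(candidate, 'user')} admin={check_password(candidate, 'admin')}")
```

Note that “Password123456” is exactly 14 characters, so it clears the length rule for users and is stopped only by the blacklist; without the suffix-stripping in `is_common` a naive exact-match blacklist would let it through.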

My goal isn’t to prescribe – everyone’s needs are different – but I do think it’s important to question established wisdom. If your team never revisits the “why” of things, they’ll always be protecting against the attacks of the past instead of what’s coming.

Image Credit: marc falardeau


Talking shop at the Okta Identity & Mobility Forum

Videos and a related blog post.

In which Okta’s Aaron Yee and I talk about identity lifecycle.


Later in the day: Talking security, multi-factor auth, and cloud service delivery with Okta’s Eric Karlinsky. Also, client VPNs suck.