
Cybersecurity Vendors Used to Promote Practitioners Into Sales. Now They Hire Sellers and Outsource the Security Part.

2026-06-08 Jonathan

For most of the last decade, the cybersecurity sales floor was stocked from the practitioner bench. Sales engineers who had spent two years in the technical seat, analysts who had worked a SOC, operators who had run the very tools the product was replacing. They moved into a quota-carrying role because they already had the one thing you cannot teach in a week. They spoke the buyer's language, and the buyer believed them.

That pipeline has narrowed. A growing number of vendors now hire enterprise sellers from outside security entirely, people with a real track record of closing deals in fintech or logistics or martech, and then pay an outside firm to teach them the security part. On the org chart it looks like enablement. It is not. It is a different operating model, and most of the leaders running it have not said the quiet part out loud: a meaningful share of their AE ramp now happens off their own team, on a vendor's curriculum.

The reason this happened is structural, not lazy. The cybersecurity sales talent shortage is a closed loop. The reps who already know the space have jobs. The companies hiring from adjacent industries are not getting people who cannot sell. They are getting people who can sell, but cannot yet talk about the buyer's stack. The bottleneck was never selling skill. It is domain knowledge, and domain knowledge is the scarce input.

So every vendor faces the same choice. Build the security education internally, with curriculum from the product marketing team and delivery from a sales enablement manager. Or rent it from an outside firm. More and more pick the outside firm, for reasons that hold up under scrutiny. And it works. It also makes the first-quarter forecast slightly more believable, which is its own kind of argument.

This article lays out the old model and why it stopped scaling, the closed loop that makes domain hiring nearly impossible, the new buy-the-knowledge model and the firms that now sell it, why internal enablement is structurally wrong for this particular job, the ramp math that makes the outside firm look rational, and the one cost almost nobody prices in.


The Old Model: A Sales Seat Was a Promotion From the Bench

For a long time, staffing a cybersecurity sales team was straightforward. You promoted from inside the field. The sales engineer who had spent two years in the technical seat, the analyst who had worked incidents, the operator who had run the tools. They moved into a closing role because they already carried the thing that takes years to build and minutes to detect the absence of: real fluency in the problem.

It worked because cybersecurity is a credibility sale. A CISO can tell within five minutes whether the person across the table actually understands the threat model or is reading from a card. A rep who had lived the problem cleared that bar automatically. The domain knowledge came baked in by the years before the sales job, and the company only had to teach selling on top of it.

That bench has thinned. The practitioners who make the cleanest jump into sales are exactly the people the security industry is most desperate to keep in technical roles, and the do-more-with-less squeeze has made every one of those people harder to spare. Pulling a strong engineer onto the sales floor now means losing them from a team that was already short-staffed. The internal pipeline that used to feed sales is competing with every other part of the business for the same scarce people, and sales does not always win.


The Closed Loop: You Cannot Just Hire Reps Who Already Know Security

The obvious workaround is to hire reps who picked up the domain knowledge somewhere else. The problem is that there is no somewhere else with supply to spare. The cybersecurity talent shortage is a closed loop. The people who understand the space are already employed in it, and the pool is not refilling fast enough to spill over into open sales seats.

The 2025 ISC2 Cybersecurity Workforce Study found that 59 percent of organizations cite critical or significant skills needs on their security teams, up from 44 percent a year earlier, and that 88 percent have already absorbed at least one significant consequence because of a skills deficiency. ISC2 stopped publishing a single headcount gap number this year, after last sizing the global shortfall at a record 4.8 million professionals, precisely because the bottleneck stopped being bodies and became knowledge.

Read that as a sales leader and the implication is direct. If trained practitioners are scarce enough that defenders are losing ground for lack of them, they are not sitting in a candidate pool waiting for a sales recruiter to call. The reps who already know the buyer's stack have jobs. Hiring your way around the knowledge gap is not a strategy, it is a bidding war you will usually lose to companies with deeper pockets.

So the constraint is real. You can hire someone who can sell, or you can hire someone who knows security, but you rarely get both in one candidate at a price you can justify. Most teams resolve it the same way. They hire the seller, on the theory that selling is the harder thing to teach, and plan to backfill the domain knowledge later.


So Vendors Hire the Seller and Buy the Knowledge Separately

That decision creates a gap on day one. You have just hired a strong enterprise seller from outside security, someone who can run a complex deal in their sleep, and who cannot yet tell a CNAPP from a CASB or explain why a CISO loses sleep over lateral movement. They can manage a buying group. They cannot yet have the conversation that earns the right to manage one.

Closing that gap internally is slow, and this is where the new operating model reveals itself. Rather than build the security curriculum in house, a growing number of vendors buy it. There is now a small industry of outside firms whose entire business is teaching salespeople how to sell security. A Sales Growth Company runs a cybersecurity-specific program built on its Gap Selling method, training reps to quantify risk and tie it to business consequence instead of pitching features. Unstoppable sells cybersecurity sales enablement to security vendors, including a new-hire program built explicitly to shorten ramp. There are others, and more arriving, because the demand is real.

Here is the part worth saying plainly. It works. A focused outside program will get a capable seller conversant in the category faster than a stretched internal team usually can, because teaching that curriculum is the outside firm's only job. The point is not that vendors are doing something foolish. The point is what the choice reveals. When you pay an external firm to deliver the core domain education your new reps need, you have outsourced a piece of your sales floor's competence. That is not enablement. That is a different operating model, and it deserves to be named as one.


Why Internal Enablement Is Structurally Wrong for This Job

The natural objection is that this is what the enablement team is for. On paper, true. Enablement owns onboarding almost everywhere. In practice the function is built for a different job than the one this requires.

Internal enablement is organized around product launches, not around ramping a new hire on an entire category. The team's cadence follows the release calendar: new feature, new messaging, new deck, sales kickoff, repeat. That machine is good at pushing the latest update to a floor that already understands the market. It is not designed to take someone who has never sold security and teach them the threat landscape, the compliance frameworks, the competitive map, and the buyer's mental model from zero.

There is a second structural problem, and it is about who writes the material. The content enablement ships is mostly produced by product marketing, and product marketing writes for the buyer. Its job is to make the product legible and compelling to a CISO, which is the right job and a different one from making a new rep fluent. A buyer-facing one-pager tells a seller what to say. It does not teach them why it is true, what to do when the buyer pushes back, or how the category fits together. The knowledge that makes a great rep great is not in the battlecard, it is the pattern recognition behind it, and that does not transfer through a slide.

So the internal option a leader is weighing the outside firm against is not great domain education built by their own team. It is product-launch content, written for buyers, handed to a new rep, and called onboarding. Framed honestly, the outside firm wins that comparison more often than not. Which is exactly why the model is spreading.


The Ramp Math That Makes the Outside Firm Look Rational

The economics push in the same direction. Ramp time is getting worse, not better. The Bridge Group's 2024 SaaS AE report put average ramp at 5.7 months, up from 5.3 in 2022 and 4.3 in 2020. Reps are taking longer to reach full productivity even as the market demands they sell into more complexity than ever.

Now stack tenure on top. The same body of research puts average AE tenure under three years and median annual turnover around 30 percent, and once ramp is accounted for, it pegs the productive window at only about 24 months per hire before they churn and you start over. Every month you shave off ramp is a month of quota-carrying production you get back, on an asset that is going to walk out the door sooner than you would like.

And attainment is falling while all of this happens. The same Bridge Group data shows the share of AEs hitting quota dropped from 66 percent in 2022 to 51 percent in 2024. When half your floor is missing the number and every hire takes most of half a year to get useful, anything that credibly compresses ramp looks like a rational purchase. An outside firm that promises to make a new seller conversant in the category in weeks instead of months is selling exactly that. It makes next quarter's forecast slightly more believable, which is what a sales leader under pressure is actually buying.

That logic is sound on its own terms. The trouble is what the math leaves out.


The Cost Almost Nobody Prices In

Here is what the ramp calculation misses. When the domain education happens off your team, on an outside firm's curriculum, the knowledge does not accumulate where you need it. It enters one rep's head, and when that rep churns at the 30 percent annual rate, it leaves with them. You did not build it. You rented it, for one person, for one tenure, and the next hire restarts the meter.

A team that grows its own sellers builds a compounding asset: a shared internal understanding of the category, the competitors, the objections, and the plays that actually work, one that gets richer every time a rep wins or loses a deal and feeds the next person in line. A team that buys ramp from outside gets the opposite. The expertise lives in individuals and in a vendor's deck, not in the organization, so it never compounds. Your best rep's brain still does not scale, and now you are paying an outsider to rebuild a thinner version of it in each new hire. The closed loop that started this whole problem reappears inside your own company. Knowledge that should be accumulating keeps walking out the door, and you keep paying to rent it back.

This is the real question hiding under "how do we ramp faster." It is not whether the outside firm works, because it often does. It is how much of your AE ramp is actually happening on your own team, and whether the competence your floor depends on is something you own or something you lease. A vendor that leases its domain knowledge is one renewal cycle away from a competence gap that never shows up on the org chart.


What Sales Leaders Should Actually Do

None of this means fire the outside firm. As a bridge, while you hire sellers faster than you can grow them, it is a defensible move and sometimes the right one. The mistake is treating the bridge as the destination, and never building the thing that lets the knowledge compound on your own team.

The goal is to make domain competence an asset your organization owns and improves, not a service you re-purchase every time someone churns. That means capturing what your best reps actually know, the repositioning that took them months to develop, the competitive intel, the objection handling, and putting it in front of every rep at the moment they need it, on a live call, not buried in a document they opened once during onboarding. Training teaches a rep what to know. The harder, and mostly unsolved, problem is delivery: getting the right knowledge to the rep in the moment it matters.

That is the entire reason we are building KillChain Overwatch, to give cybersecurity AEs an unfair informational advantage in competitive deals through real-time competitive intelligence and sales coaching, delivered the instant a buyer raises a competitor or a compliance framework, not in a deal review three weeks later. It is a force multiplier for strong reps, the sellers you hired for their selling ability and now need to arm with the domain map, and it is built for cybersecurity AEs. The point is to turn the knowledge your best people carry into something your whole team can draw on, and something your company keeps when a rep leaves.

So sit with the question the short version of this ended on. How much of your AE ramp is actually happening on your own team? If the honest answer is less than you would like, the outside firm is not the problem. The absence of a system that makes the knowledge stick is. Build that, and the outside firm becomes a temporary accelerant instead of a permanent dependency.


FAQ

Why is there a cybersecurity sales talent shortage?

Because it is a closed loop. The reps who sell security well usually came from technical or practitioner roles, and the security field has a documented skills shortage that keeps those people in high demand for non-sales work. ISC2's 2025 workforce study found 59 percent of organizations citing critical or significant skills needs. The people who already understand the buyer's stack are employed and hard to poach, so vendors increasingly hire sellers from outside security and teach the domain afterward.

Should cybersecurity vendors hire sales reps from outside the industry?

Often, yes, because selling is harder to teach than product knowledge and the pool of reps who already know security is too small to staff from. The risk is not the hire. It is assuming your existing enablement can turn an outside seller into a credible security salesperson, when that function is usually built for product launches rather than category ramp. Hire the seller, but build a real system for the domain education instead of assuming it will happen on its own.

What is the difference between sales enablement and sales training?

Enablement is the ongoing internal function that supports reps with content, tools, and messaging, much of it tied to product launches and produced by product marketing for a buyer audience. Sales training, especially the outside kind, is a focused program that teaches reps a specific skill or domain, such as how to sell security through a risk lens. The distinction matters here because vendors are increasingly buying the second to compensate for what the first was never designed to do.

How long does it take to ramp a new cybersecurity AE?

Industry-wide, the Bridge Group's 2024 data put average SaaS AE ramp at 5.7 months and climbing. Cybersecurity tends to run longer than average because of the technical depth buyers expect and the breadth of the competitive landscape a rep has to absorb. With average tenure under three years, a long ramp leaves only about two years of productive selling per hire, which is why compressing ramp has become a priority for sales leaders.

Do outside sales training firms actually work for cybersecurity?

They can, which is why the model is spreading. Firms like A Sales Growth Company and Unstoppable build focused programs that get capable sellers conversant in security faster than a stretched internal team usually manages. The limitation is structural rather than a knock on quality. Knowledge delivered by an outside firm to an individual rep does not compound on your team, so when that rep churns, you re-purchase it for the next hire.


References

  1. The Bridge Group, via Charlie Cowan. 5 Essential Learnings From the 2024 SaaS AE Report. Average AE ramp time of 5.7 months, up from 5.3 in 2022 and 4.3 in 2020, with quota attainment down from 66 percent in 2022 to 51 percent in 2024.
  2. The Bridge Group, via Blossom Street Ventures. SaaS Account Executive Data. Average AE tenure of about 2.8 years, median annual turnover near 30 percent, and roughly 24 months of productive selling after ramp.
  3. ISC2. 2025 ISC2 Cybersecurity Workforce Study. 59 percent of organizations cite critical or significant skills needs, up from 44 percent a year earlier; 88 percent experienced at least one significant consequence from a skills deficiency; 95 percent report at least one skill need; ISC2 did not publish an overall workforce gap number this year.
  4. ISC2, via PR Newswire. ISC2 Study Finds Cybersecurity Budget Constraints Remain, But Do Not Worsen, While Skill Needs Grow. Press release detailing the 2025 study's skills-gap findings.
  5. ISC2. Results of the 2024 ISC2 Cybersecurity Workforce Study. The 2024 study put the global cybersecurity workforce gap at a record 4.8 million professionals (about 4.76 million), the last year ISC2 published a single gap figure.
  6. A Sales Growth Company. Cybersecurity Sales Training. An outside firm teaching reps to sell security through a risk-based Gap Selling method rather than feature pitching.
  7. Unstoppable. Cybersecurity Sales Training and Enablement. An outside firm providing cybersecurity sales enablement to security vendors, including a new-hire program built to shorten ramp.

*Written by Jonathan, co-founder of KillChain Sales. Former offensive security operator, now leading go-to-market for an AI competitive intelligence platform built for cybersecurity AEs. If you are staffing a cybersecurity sales team and quietly wondering how much of your ramp is happening on your own floor, join the waitlist or connect on LinkedIn.*
