Chris Tilton is a true cybersecurity marketing veteran. He’s a fractional CMO and event curator who has spent nearly 30 years building marketing teams and scaling cybersecurity startups. In that time, he’s held CMO roles at companies including BugCrowd and Cobalt. Today, he splits his time between advising companies and running Black Hat’s most exclusive CISO networking event: a helicopter tour of the Vegas Strip.
In this interview, Chris discusses his path, his advice for his fellow marketers, and his take on the state of cybersecurity marketing today.
Tell us about your journey into cybersecurity marketing. How did you get started?
I started selling advertising for a newspaper right out of college. Sales, any type, is a great pathway for marketers, because you learn how hard it is, and what the pressure of a quota feels like! It also helped that I was selling advertising, which is creative, and that taught me what copy works and what copy doesn’t.
From there I moved into a marketing coordinator role at a computer assembler, then marketing manager roles in tech. My first real startup was a company that got funded with 12 employees. The ‘marketing department’ was pretty much just 8 salespeople and me. That’s where I learned demand generation and how to leverage content for lead gen.
I eventually moved into leadership roles building marketing teams from scratch. I took BugCrowd from zero to 17 million in revenue, then did the same at Cobalt, growing them from 200K to 40 million over six years. Cobalt also got me to Berlin, where I learned how different European marketing and buying patterns are.
After that, I had a couple of CMO roles, which I liked, but now I’m consulting and really enjoying what I do!
You’ve been through all of that. What’s the biggest shift you’ve seen in how security teams are marketed to?
Publications used to own the audience. If you wanted to reach CISOs, you went to Dark Reading, Security Boulevard, or CSO Online. Those magazines held the majority of who you wanted to sell to, and everyone knew it. You’d run ads there and your PR team would get stories placed. It was a clear, concise ROI playbook for organic and paid marketing.
That’s completely gone. What you have now is maybe 20 or 30 influencers holding pockets of audience. It really surprised me how big their audiences are. And they know their audiences, their click-through rates, their time on site metrics. Really, they’re no different from a very sophisticated publication.
There are maybe five legacy publications that still have a meaningful impact. But even then, the content those publications post has become formulaic, their audiences have tuned out, and their impact is waning.
How does that change what you recommend to clients?
For a recent product launch, we worked with influencers more than traditional publications. They were authentic, creative, and collaborative. They didn’t just take what we handed them. They said, “Let’s talk about this angle and this perspective. That would resonate.” And it didn’t feel like marketing. It felt like they believed in it.
Compare that to publications, where it’s transactional. I want to buy an ad. I want a story placed. Here’s the price. Here’s what you get. Everyone’s doing it. No one stands out. And with influencers, because they have skin in the game with their audience, they’re going to push back and make sure what goes out is worth their credibility.
Did it generate massive sales? No. But we got solid traffic, solid views, and from what I hear, actual CISOs are paying attention to those voices. That matters.
What about analyst relations like Gartner? That used to be table stakes.
I’d tell any startup right now you’re wasting money on Gartner unless they’re a large publicly traded company. It used to be straightforward. You got a Gartner subscription, an analyst covered your space, and eventually maybe you hit a Magic Quadrant. Now that’s just gone.
Gartner lost revenue because fewer companies want to pay them anymore. And they let go a lot of their best analysts. They don’t have anyone covering emerging markets or startups anymore. They wait until an industry actually becomes an industry, and by then you’ve already had two rounds of funding. For a startup with an innovative product, there’s literally no one at Gartner to work with. You’re still paying $60k, $70k just to get in the door.
And then you layer on that the research itself isn’t what it used to be. They used to hold the key to a trove of information, but AI has killed that. Systems don’t care as much what Gartner says anymore either. They validate through Slack channels, peer reviews, talking to other CISOs directly.
So what works now?
Nothing beats customer-led marketing. But it has to be authentic: Customer voices, customer testimonials, customer videos leading your webinars. If a CEO reaches out to me asking for help, the first thing I do is go to their website.
Do they have customer quotes? Customer logos? Customers actually talking about what they do? Most of the time, the answer is no. They’re trying to do everything themselves with generic content. That’s a missed opportunity.
Customer-led marketing works because it’s true peer-to-peer recommendation. People buy from people they trust. If they’re looking at a $100K cybersecurity product from a startup, they want to know the team is smart, dynamic, always learning. They want to know humans built this thing. Seeing that authenticity matters.
Gartner Peer Insights and G2 also work because they’re actual customers saying what they think. That’s where the credibility has moved.
Where else are you seeing companies get stuck?
Startups often feel like every piece of content has to be laser-focused on their ICP. It has to be about the exact product and the exact market. In reality, some of the best performing content is tangential.
I had a startup go through SOC 2 compliance. They’re not selling compliance. But they published their path to SOC 2, and it became one of their best pieces. It signals that they care deeply about security. It attracts engineers and technical people who are also going through SOC 2. There’s no sales pitch anywhere. But people read it and think, “These people take security seriously.”
That’s what I mean by thinking creatively about the audience. You can get really trapped in your lane. The second you do, the board starts asking why you don’t have more blog posts about your core product, and then your team stops experimenting.
How do you get engineers and threat researchers to contribute to marketing efforts?
The first thing to do is ask the team lead. And then I go to the rest of the team. Sometimes I’ll offer an incentive, like a North Face jacket or something small for the first person to step up. Usually one or two will raise their hand. Then you coach them, work with them, and publish their work. You make them stars, and the CEO pats them on the back.
Next thing you know, another three or four people volunteer the following year. You never get full adoption, but you don’t need it. I’ve got five technical contributors now instead of zero, and their blogs consistently outperform everything else we publish. They have something to say. They have an opinion. There’s a point of view there that comes across authentic.
For a startup building from scratch, where would you put a 20% budget increase right now?
It depends on the stage. If you’ve got customers, pull them into every format you can. Speaking engagements, videos, hosting dinners. Get that customer voice everywhere your ICP can see it.
If you’re tiny with no customers yet, spend that 20% on one-to-one relationship building. Get in front of ten CISOs. Not an email blast or a campaign. Personal, curated introductions. That’s how you get to your first 25 customers. Build genuine relationships with the right people.
The third thing I’d allocate to is technical education content, not generic blog posts. I mean truly educational content. Tips and tricks, prompts, small scripts, agents you built. Something so valuable that people would be happy if someone shared it with them, with zero regard for whether it sells your product. That’s the test. If it passes that test, it works.
Most startups see that and think it’s a good idea but never do it because it’s actually a lot of work. Courseware is a skill. You need either someone on your team who can do it or you hire a consultant. But when companies do it well, their inbound explodes. They get speaking engagements from it. It’s way cheaper than ad spend. And you own it completely.
What about the human side of this? There’s a lot of AI hype right now.
I’m all for using AI to get to 25% of an idea fast. The initial rough draft of a concept, a webinar abstract, a messaging angle. It’s a tool for ideation and acceleration. But then you must pull it back, test it, and refine it. It goes off on tangents. It gets stuck and repeats itself. You have to own the loop.
Where AI completely breaks down is true creativity. You ask it for something genuinely edgy or novel and it’ll get maybe 50% there. But compelling ad copy, attention-grabbing blog headlines, truly creative ideas that make someone stop scrolling – AI can’t do that. It sparks ideas in your head, but you have to do the work.
People genuinely appreciate when you don’t use AI. I spent a lot of time on follow-ups after hosting a CISO dinner at RSA. I personalized every single one, changed the copy, made them individual emails. I even put in some intentional spacing errors that AI would never make. Not typos, just enough to signal that a real person wrote it.
The people I followed up with knew I really wrote that. It mattered to them. That human touch is what’s becoming scarce and valuable right now.
What does success look like for you at this stage in your career?
I left my last CMO role because the politics wore me down. I don’t know if I’ll ever do another full-time CMO role. Right now, I’m consulting with a few clients and spending most of my time on events.
I run the Black Hat helicopter event every year. We started at 45 people seven years ago. Last year we had 218. I personally vet every invite. You can’t come unless you’re a cybersecurity buyer or evaluator.
I get thousands of requests from salespeople, VCs, systems people selling something. I say no to almost all of them. That’s why the sponsors get so much value. The attendees are real. It’s exclusive and experiential, not another rubber chicken dinner.
It takes a lot of work. But that’s the only way it works. The human touch is where the real value is right now.
Chris Tilton is a fractional CMO and marketing consultant. You can follow him on LinkedIn.
About Bora
We’re Bora. We work with security companies to turn complex technical capabilities into clear, credible market narratives.
Get in touch for a free 30 minute consultation. If we’re not the right fit, we’ll help find someone who is.
