If you’ve ever tried sending a cold email to a CTO or CISO, you know how it usually ends. Silence. Maybe a bounce. Maybe a one-word reply two weeks later, if you’re lucky. These inboxes are a graveyard for most outreach attempts, and there’s a reason why.
Technical decision-makers are some of the hardest people to reach in B2B. Not because they don’t need help. But because everyone is trying to sell them something, and most of it sounds the same. They don’t want another pitch. They want something that respects their time and doesn’t make them work to understand why it matters.
The real reason they’re ignoring you
CTOs and CISOs are under constant pressure. They’re dealing with fires, updates, audits, infrastructure planning, and the occasional 3 AM breach. Most have a low tolerance for fluff and zero patience for emails that don’t get to the point. If your subject line is vague, your value prop is buried, or your tone feels generic, you’re done.
These people aren’t just hard to reach — they’re skeptical by default. And if you’re in cybersecurity, it’s even tougher. They assume you don’t know their environment, you’re overselling, and you’re going to waste their time. The bar is high, and most cold outreach doesn’t clear it.
Why most cold emails flop
Most cold emails sound like they were written by someone who’s never done the job they’re selling to. They’re either too fluffy or too technical too soon. Or they ask for a call before offering anything useful. It feels like the whole point is to move the problem off your desk and onto theirs.
The irony is, some of these products are genuinely good. But the message is off. And with no prior relationship, the wrong message kills any chance of getting a reply.
What actually works (and why)
The best cold emails don’t feel like cold emails. They feel like a smart peer reaching out with something useful. That could be an insight, a recent observation, or a relevant piece of content. The goal isn’t to get a meeting — it’s to spark interest. To make the person reading think, “this is worth a reply.”
Instead of asking for time, you can:
- Offer a POV
- Talk about a trend you’re seeing across their industry
- Share something specific to their stack, team size, or compliance needs.
- Mention how other teams are approaching the same challenge.
- If you can reference something from Gartner, Forrester, or a respected industry voice, even better. They don’t need to know you yet — but they’ll trust the names they already follow.
Keep it short. Two to three lines max. If it feels like work to read, it won’t get read. If it feels like a pitch, it won’t get opened.
A simple example
Here’s a before and after from a recent cold outreach audit we ran for a cybersecurity startup.
Before:
“Hi John,
We help mid-market SaaS companies streamline their SOC-2 audit readiness by automating evidence collection, risk tracking, and control mapping. Would you be open to a quick 15-minute call this week or next to learn more?”
After:
“Hi John,
We’re seeing more mid-market SaaS teams shift to continuous audit models to avoid the SOC-2 scramble each quarter. Curious how your team’s handling that today. Wrote a quick breakdown here: [link] — would love your thoughts.”
The second one opens a conversation. It doesn’t ask for time, it offers insight. That’s the shift.
Where most cold emails go wrong — and what to do instead
| What most emails do | What effective emails do instead |
| Start with a generic pitch | Start with a clear POV or question |
| Ask for a call right away | Offer content or insights first |
| Lead with features | Lead with relevance and timing |
| Use fluffy or technical jargon | Use simple, direct language |
| Talk about the product | Talk about the prospect’s problem |
| Feel like a sales move | Feel like a peer sharing value |
Testing tone is part of the job
You won’t know what works until you test it. If you’re just starting out, try running two campaigns side by side. One casual, short, and conversational. One technical and insight-heavy. Track your open and reply rates. Watch for positive signals in how people respond, even if they don’t take a meeting right away.
CTOs and CISOs don’t make decisions fast. They forward, they sit, they resurface the email when it’s relevant. If you get a reply two weeks later, it means the message stuck.
Cold calling can still work — but only with context
One person in a recent Slack thread shared how they closed their startup’s largest deal with a cold call. But that only happened because the value prop was crisp, the research was tight, and they had something worth listening to. Timing probably also played a factor. Cold calls work when they follow a useful email or show real understanding of the person’s world. Not when you’re reading off a script.
Use content as a door-opener
Technical content still plays a role — just not the way most people think. You’re not sending white papers to get meetings. You’re using them to show that you’re in the room, paying attention, and contributing something worth their time.
Write about the exact challenges your audience is facing. What’s changing in SOC-2 compliance? How are teams adapting to the shift away from in-house SIEM setups? What does AI actually mean for vendor reviews and security workflows?
Publish that content. Then send it in an email that says: “Curious if this feels true to your team.” It invites a response. It’s low pressure, but high context.
Final thought
You don’t win deals with cold email. You earn attention. Then trust. Then, maybe, a shot at the deal.
Don’t start with a pitch. Start with proof that you understand their world. Do that consistently, and your reply rates will change.
Mo is the founder and CEO of Column Content, a thought leadership content agency that helps leaders get seen. Connect with him on LinkedIn.
