Segment: CISO; 100+ employees, regulated
Persona: CISO / VP Security; Head of InfoSec
Product Hook: Article; Compliance vs Capability
Email Timeline: 19 days; 5 emails
Email Sequence — 5 Emails over 19 Days
E1 Direct Identity
Day 0, ~89 words
Subject: compliance vs capability
Hi {{firstName}}, I spent years on the regulatory side overseeing compliance across 750 financial institutions. One pattern kept repeating: organisations that were certified but not capable. I wrote a piece on this recently. The finding that surprised people most was a research result showing highly regulated industries perform nearly 200% better on cybersecurity than their low-regulated counterparts. Not because regulation is perfect. Because it forces the uncomfortable conversations. If your compliance process has never made you uncomfortable, that might be the problem. I would be happy to send the article through if it is relevant to what you are seeing at {{company}}.
Raif's regulatory authority (750 financial institutions). 200% stat as hook. "Uncomfortable conversations" = provocative framing.
E2 Insight / Story
Day 3, ~95 words
Subject: certified but not capable
Hi {{firstName}}, There is a quadrant most compliance teams do not talk about: certified but not capable. The organisation passed the audit, got the certificate, but the underlying security posture did not change. A professor I respect put it well: "Compliance checks if you have the right pieces on the chess board. Compliance doesn't consider how well you play chess." From my time as a regulator, I saw this constantly. The compliance ecosystem has optimised for speed of certification rather than substantive capability development. Organisations end up in the danger zone without realising it. I wrote about this in more detail recently. Happy to share if you are navigating something similar at {{company}}.
"Certified but not capable" quadrant = sticky framework. Prof. Ahmad chess quote. Regulator perspective.
E3 Real Proof
Day 7, ~82 words
Subject: the framework people keep sharing
Hi {{firstName}}, I shared the compliance vs capability piece I mentioned with a few people in my network. The response that stood out came from a government official who said the two-axis framework articulated something their team had been struggling to communicate internally. The distinction between "we passed the audit" and "we are genuinely secure" is not a new idea. But having a framework to talk about it seems to be helping people have better internal conversations. If that distinction matters at {{company}}, happy to send it through.
Social proof from government official. "Framework people keep sharing" = social currency.
E4 Exact Value
Day 12, ~91 words
Subject: from article to action
Hi {{firstName}}, The article I mentioned explores why organisations end up certified but not capable. The harder question is what to do about it. We built Sabah to address exactly that gap. The platform reads your actual compliance evidence and tells you whether it proves capability, not just whether it exists. One customer self-assessed at 84%. Sabah scored the actual evidence at 43%. The difference was not negligence. It was a compliance process that never challenged them. Smart Prep, a feature we recently added, prepares you for the uncomfortable audit conversations before the auditor arrives. If that gap is relevant to {{company}}, worth a conversation.
First product mention. Sabah + Smart Prep positioned as answer to article's question.
E5 Clean Exit
Day 19, ~36 words
Subject: standing offer
Hi {{firstName}}, Sounds like the timing is not right. Completely understand. The compliance vs capability article is there whenever the distinction between passing an audit and genuinely being secure matters at {{company}}. Just reply if you would like it.
Clean exit. Article as standing offer. No guilt.
Campaign Rules