CISO Manifesto: Rules for vendors — 2022 Edition
In 2017 I wrote an article titled “10 Rules for Vendors” that had been requested by fellow CISOs and Security Professionals. Since then, I have updated it multiple times and usually release it to the community for comment before starting the security conference season. As the world has been on hold for the last two years, I am delighted to continue the tradition and publish the updated 2022 version.
As a Security Executive, I collaborate with many in our community, and in our discussions, I continue to hear about frustrations they have working with vendors. From a sales and marketing standpoint, I understand companies need to get in front of the decision-maker to sell their products. With that said, I am still surprised that many of us are having these same issues. Many of my peers feel these issues are severe enough that they requested I update this article and release it before this year’s RSA. With that in mind, I hope this updated information provides some insight for vendors and many of the professionals in our community on how we can better communicate with each other and solve our security and risk-related issues as partners.
My original purpose at the time of writing the first article in 2017 was to discuss my views on the skill sets the CISO role needs to be aligned to business operations. In that article, I wanted to explore how I believe one of the core requirements a CISO should develop is the ability to define their “Vision” of cybersecurity for their organization. They should also be able to explain the value of this “Vision” and effectively communicate it to executive leadership for support and resources. In talking about how CISOs manage their security program and implement their vision, I laid out why these rules for vendors were necessary. CISOs spend a significant portion of their time working with third-party vendors to mitigate risks. We partner with trusted vendors to help us build our security programs, and therefore I felt it was critical to highlight problems that should be addressed to improve the collaboration between CISOs and these trusted partners. In writing that article, I realized there was enough content for two essays, so I have posted the rules you see here separately for easier reader consumption.
Since writing the original essay almost five years ago, I believe it’s even more critical to have technology partners that CISOs can trust and work with to protect their company, assets, and business operations. I have written this updated discussion with some recommendations in each rule statement that I hope will assist vendors in understanding how CISOs view their security programs and the technologies they select to upgrade or integrate into the current security portfolio. So now that you have some insight into my approach, let’s have some fun:
“Don’t pitch your competition” — my peers and I honestly don’t care for vendors trash-talking their respective competitors’ technologies. We understand you do it to compare/contrast why your solution is better, but it’s unprofessional. You have a limited amount of time to speak with us about why we need your product, so why waste your opportunity talking negatively about your competition? Now with that said, CISOs know there are times you need to ask a question to start the discussion; I would recommend something like, “Speaking with some of your peers <insert name 😊>, I know you are dealing with numerous issues. What problem can we work together to solve?” This question quickly gets us to why they are interested in speaking with you. If they ask you how you’re different from a competitor during the discussion, then feel free to point out what you do better, because the CISO specifically asked the question. With that said, keep your answers professional and focus on the value you will bring to their team and company. There is always a discreet way to say how you rock!
“Don’t tell me your solution provides 100% of <insert adjective>” — This is a major pet peeve for me. Don’t make sweeping statements like this, because we all know there are no silver bullets. When we hear vendors say they do 100% of something, such as “We use blockchain to catch 100% of the vulnerabilities,” many of us with cybersecurity experience cringe and tend to view these vendors negatively. To make a point about how important this is for me, I don’t allow my teams to say they know something is 100% or that they can prove something to be 100%. One lesson I have learned as a CISO is that the only thing I would ever guarantee to an executive team or a board of directors as 100% certain is that the threat environment will change continually, and security is a continuous process. Everything else is just fluff. Don’t waste a CISO’s time stating you do 100% coverage, 100% remediation, or 100% capturing of anything. Security executives today are mature; we do our research, collaborate, and compare information on vendors. Overpromising reduces your credibility!
“Don’t try to sell me a proprietary tool” — There are many new security technologies that use innovative methods to protect companies and provide unique services to their security teams every day. As a CISO, I am suspicious of technologies written in a proprietary language that will need expensive professional services and extra add-on modules to reach their full potential. I am also wary of vendors who can’t fully explain how their technology works because it’s a secret. CISOs have numerous security controls, compliance requirements, and risk mitigation initiatives they must manage with limited resources. They need technologies that can be integrated into the current security environment with relative ease and are painless for the security teams to operate. As a security executive who continually reviews solutions to refine my security stack, I look for technologies that can grow with my organization as we mature. I seek flexible solutions that can help provide resiliency, not proprietary, static, or rigid ones. So be Gumby! Help CISOs build resiliency into their security portfolios.
“Don’t try to sell me on an overcomplicated solution” — This is still a big concern that I see in mature vendors and even cybersecurity startups. To me, it’s the “kitchen sink” effect. Instead of solving one problem consistently with excellent service, a vendor lumps multiple technologies together to try to resolve several issues. I have rarely seen this go well, and I have a rule of thumb: if it takes numerous sales engineers to explain it to me and hours to demonstrate the technology, it’s way too complicated for me. Again, as I previously stated, CISOs manage risk with typically tight resources and small teams. Each team member is expected to learn several technologies and related work processes. If CISOs must dedicate one full-time team member to use your technology by itself, then it’s not providing the required business value. Now that doesn’t mean they don’t look at platforms that can add functionality when needed; the point here is that the core purpose of the solution should be focused on a specific problem, easy to use, and able to provide concise real-time data/reports when required. It should not be cumbersome or overly complicated, nor require extensive training for basic user operations.
“Do some research before you come to talk to the CISO” — Before you step through the door to speak to the CISO, expect that they will have researched you, read some articles about your product, and talked to several peers about your technology, your company, and you as a partner. If they are researching you, I would highly recommend you do the same. You typically have 30 minutes to 1 hour to speak to them; if you have done your research, you will know if they are an experienced CISO. This knowledge is vital because, in addressing experienced security executives, you know half the slides in your deck will not interest them; they don’t need you to explain basic security concepts. Better yet, you could send the slide deck to the CISO beforehand and, when you arrive, assume they are professional and have read it, and jump right into your presentation. Use your time wisely and discuss how you can help them be effective in solving their problem. I mention this because I have had vendors come to talk to me and spend half the time explaining why NIST is important or why ransomware is terrible. Know your audience.
“As a potential partner, speak to my compliance needs as well” — In conducting the above research before meeting the CISO, you should also have researched their company’s business landscape. I would suggest you look up any compliance requirements/restrictions that pertain to their organization’s business operations (such as PCI, HIPAA, GDPR, NIST, SOC2, etc.). Note that these business compliance/regulation regimes have their own unique language. I would recommend you use it when you talk to the CISO to demonstrate you understand their needs and how your solution will help them meet their obligations. It is essential that you, as a potential partner, understand these mandated requirements and, in your discussion, give examples of how your technology does/doesn’t work within them. You can use this as another touchpoint to explore why the CISO contacted you and what she needs to mature her security program.
“If your product requires integration, you had better be knowledgeable about the process” — CISOs deal with many threats, projects, audits, politics, budget issues, compliance requirements, etc., daily and are continuously reviewing their security stack to ensure it provides value. When we research enterprise solutions such as SOAR or SIEM, for example, that require extensive integration, we expect you, as the vendor, to understand the use cases for installation. As a vendor of this technology, you should provide specific examples of how your solution integrates with the CISO’s security portfolio. As security professionals, we know technology doesn’t come out of the box and just work; we expect some professional services to set it up. If the technology you want the CISO to purchase requires heavy integration, don’t shy away from it; own it. Speak to how it can be done and have specific use cases available for the CISO to review. Better yet, ask some questions before your meeting so you understand the environment and come prepared to speak on how it could be tailored to fit the CISO’s needs. As previously mentioned, CISOs speak to other CISOs, just as I am sure you reach out and talk to fellow vendors and sales reps. In discussions with peers about your technology, CISOs will ask about integration and whether there are problems they need to be aware of or integrators they should use, so have an open dialogue and talk about it.
“Know what problem your technology is there to solve” — This is really on you as a vendor to understand the technology you are trying to sell the CISO. You should understand what problem you are trying to solve for the security executive and their needs. Your company isn’t just creating an application or a service. Instead, it believes it has a technology that can do something better than its competitors. I bring this up because it is incredibly frustrating as a CISO to speak with a vendor and, as we listen to you talk, be able to tell that you don’t understand why the technology would be implemented in an enterprise cybersecurity program. You should know, as an example, how it meets specific risk framework requirements, how it fits into MITRE’s ATT&CK framework, or how it provides better services for specific security controls. If you as a vendor don’t understand the value your product provides the security professional, it’s tough for the CISO to know why they need it or why they should speak to you.
“Automation, Orchestration, Integration, Consolidation, it is the future” — When the CISO meets with you about your product, be prepared for her to ask how its services are integrated and if they can be automated. As previously stated, CISOs have small teams and limited resources, so we want to be productive with any new solution that we add to our security stack. Expect we will want to automate, where we can reduce the workload on our teams but still review data in real-time as we orchestrate new automated response mechanisms. It is essential with today’s threats and changing security requirements that, as a vendor, you can describe to the CISO how they would integrate your technology into the current technology portfolio. The risks we as a community face today occur at a frightening pace, and standalone technologies no longer provide a benefit that CISOs can defend during their budget review. So as a vendor, tell me how I can automate, orchestrate, integrate, or consolidate with your solution to make my security program more effective.
“Be ready to talk about price” — CISOs are contacted daily by vendors who want to sell to us. We, in turn, continuously research technologies that would benefit our organization, and when we talk to you about pricing, let’s be realistic. By that, I mean CISOs understand that no technology has just one set price. They expect other costs for add-on services such as new modules, installation, or platform integration. As a good partner, provide those estimates, because the CISO needs to understand the total costs to ensure resources are available. Trust me, CISOs are researching and talking with peers to get a range of how much it will cost, so be ready and provide that information upfront so you can then get down to talking about how you will help them and their teams. One last note about cost: we hate having a price that fluctuates, such as a cost based on consumed cloud storage or the amount of bandwidth used by the organization. The issue here is that the costs may jump up and down, and that isn’t stable. It’s tough to make the business case for using a solution where the cost isn’t a set price. I am just putting that out there, as we are among friends here, and I would love to correct this.
“How do I measure success using your solution?” — As a vendor, your answer to this question is a crucial differentiator of why the CISO should use your solution. Be able to speak to the CISO about success metrics that show your technology provides some form of measurable value. As a CISO, I usually don’t generate revenue for my company, but I enhance our business capabilities by managing risk and protecting revenue-generating operations. What metrics do you provide that show the CISO is successfully using your product? What metrics do you have that show the CISO is unsuccessful and may require help? Do these metrics come in the form of dashboards or reports? Can these metrics be tailored for different audiences such as engineers, executive teams, boards of directors, or non-technical stakeholders? You should expect that if you are helping the CISO solve a problem, they will ask these questions, because they must be able to speak to the value of your solution, and it must be demonstrable.
In wrapping up our discussion, I hope this updated list provides some value to our community, and I look forward to the community’s input. I genuinely believe improved communication between CISOs and the technology partners who serve them significantly enhances our community and increases our ability to innovate and respond to the threats that put our respective organizations at risk. I look forward to meeting many of you soon at RSA and later this summer at Blackhat. Please reach out if you have any recommendations for this list; thank you for your time, and be well.