CISO Manifesto, helping our Vendors be Partners – RSA 2024 Edition

As Security Executives, we collaborate with many in our community, and inevitably, we discuss our frustrations with vendors. Luckily, many community professionals are discussing these issues and trying to develop a way forward. For those of you reading this article for the first time, be advised that I have been writing on this subject for several years, as the CISO and their security teams must have vendors who are partners they can trust. So, in the spirit of building partnerships and preparing for the upcoming gathering of our community at RSA, I am releasing an updated version of this article. I will highlight my frustrations with some of the current sales and marketing processes and provide recommendations for a better approach.

1. Issue: "Don't pitch your competition" — I don't care for vendors in my office talking about their company and spending all their time trash-talking their respective competitors' technologies. I understand you must compare/contrast why your solution is better, but there is a fine line between how you are better than them and being unprofessional. You have limited time to discuss why I need your product. Don’t waste our time together - stay focused on how you will help me.

  • Recommendation: CISOs know there are times you need to ask a question to start the discussion, and typically, it will involve talking about competitors. I recommend avoiding going negative and instead trying something like, "Speaking with some of your peers <insert name ??> I understand you are dealing with numerous issues; what problem can we work together to solve?" This question allows the CISO to explain their problem and helps you explain why they should be interested in working with you. If the CISO asks you how you're different from a competitor during the discussion, then feel free to point out what you do better because the CISO specifically asked the question. However, keep your answers professional and focus on the business value you will bring to their team and company. There is always a discreet way to say how you rock!

2. Issue: "Our technology provides 100% of <insert adjective>" — This is a major pet peeve for me; no technology is perfect, not even GenAI – especially not GenAI. When I hear vendors say they do 100% of something, such as "We use GenAI, and we have special LLM models to prevent 100% of <insert claim>," I lose trust in that vendor, as I feel they are not being truthful. Saying you are 100% is, to me, marketing speak; anyone who works in technology knows technology is never perfect, so how can you honestly claim to be perfect? To make a point about how important this is for me, I don't allow my security teams to say they know something is 100% or can prove something to be 100%.

  • Recommendation: Don't waste the time you have to speak with a security executive making definitive statements like your solutions provide 100% coverage, 100% remediation, or 100% capturing of anything. Security executives today are very knowledgeable; we research, collaborate, and compare information on technologies, vendors, and services. You don’t want to say you are 100% because you lose your credibility the first time you are not 100%, and you know it will happen! Instead, I would use metrics in discussing your technology that help the CISO see its benefit to them. Your technology helps reduce a specific percentage of vulnerabilities or increases data integrations by a specific measuring factor. Stay away from the 100% game; we are watching you and will remember if you make those claims.

3. Issue: "Don't build and sell proprietary tools." — As a CISO, I have a limited budget and resources to build and manage my security stack. I need technologies and services that can communicate with each other. I will not look at technologies written in a proprietary language that requires expensive professional services and extra add-on modules to reach their full potential. I am also wary of vendors who can't fully explain how their technology works because it's proprietary or they don’t use the most current protocols, software libraries, or integration processes.

  • Recommendation: Your technology must easily integrate into my current security environment; the more accessible, the better. You should be able to explain how your technology will enhance the existing security solutions or provide a service currently missing. As a security executive who continually reviews technologies to refine my security stack, I look for ones that can grow with my organization as we mature. I seek flexible solutions that can help provide resiliency, not proprietary, static, rigid ones. So be flexible! Help CISOs build resiliency into their security portfolios.

4. Issue: Do your research — Before you step through the door to speak to the CISO, expect they will have researched you, read some articles about your product, and talked to several peers about your technology, your company, and you as a partner. If they are researching you, I highly recommend you do the same. You typically have 30 minutes to 1 hour to speak to them; if you have done your research, you will know if they are experienced, so come prepared.

  • Recommendation: Understanding if you are meeting with an experienced security professional is critical for establishing a relationship with them. When addressing experienced security executives, half the slides in your sales deck will probably not interest them; they don’t need to have basic security concepts explained to them. Better yet, send the slide deck to the CISO beforehand, and when you arrive for your meeting, assume they are professional, have read it, and jump right into your presentation. Use your time wisely and discuss how you can help them effectively solve their problem. I mention this because I have had vendors talk down to me like I just started working in IT/Cybersecurity - Know your audience!

5. Issue: Don’t forget my compliance needs — This may not apply to all vendors. However, for those in the GRC space, I suggest using the research you collect in #4 above and including intelligence on the CISO and their company’s business landscape. In completing this due diligence, note any compliance requirements/restrictions that pertain to the organization’s business operations (such as PCI, HIPAA, GDPR, HITRUST, SOC 2, etc.). Understanding the regulatory landscape the CISO operates in will help you see what problems or gaps your company can help them solve to protect their business.

  • Recommendation: Compliance/Regulatory regimes have unique terms and requirements. I recommend including them in your discussion with the CISO to demonstrate that you understand their needs and how your solution will help them meet their obligations. It is essential that you, as a potential partner, understand these mandated requirements and, in your discussion, give examples of how your technology works within them. Use this as another touchpoint to explore why the CISO contacted you and what else she needs to mature her security program.

6. Issue: “If your product requires integration, be knowledgeable about the process.” — CISOs manage many threats, projects, audits, politics, budget issues, compliance requirements, etc., daily. When we research enterprise solutions such as ZTNA or SIEM, for example, that require extensive integration, we expect you to understand the use cases for installation as my new partner.

  • Recommendation: As a technology partner, you must provide specific examples of how your solution integrates with the CISO's current security portfolio. As security professionals, we know technology doesn’t come out of the box and just work; we expect some professional services to set it up. If the technology you want the CISO to purchase requires heavy integration, don’t shy away from it; own it and speak to it. Speak to how it can be done and have specific use cases available for the CISO to review. Better yet, ask some questions before your meeting to understand the current security environment, and come prepared to speak on how your technology can be tailored to the CISO's needs. As mentioned, CISOs speak to other CISOs, just as I am sure you talk to fellow vendors and sales reps. In discussions with peers about your technology, CISOs will ask about integration, whether there are problems they need to be aware of, and which good integrators they should use. So, have an open dialogue and talk about it.

7. Issue: “Know the problem your technology solves.” — It is really on you as a vendor to understand the technology you are selling. You should understand and know the problem it solves. You and your company aren’t just creating an application or a service; you have better technology than your competitors because it can do “x, y, and especially z.”

  • Recommendation: It is incredibly frustrating as a CISO to speak with a vendor, and as we listen to you talk about your solution, we sense you don’t understand why the technology would be implemented in an enterprise cybersecurity program. For example, if it’s a technology focused on breaking attack methodologies, you should know where it fits into MITRE’s ATT&CK framework. You should be able to describe how, if the CISO were to employ your technology, it would provide better fidelity for particular security controls and reduce risk exposure. If you don’t understand the value your product provides for the security professional, it’s tough for the security professional to know why they need it.

8. Issue: “Automation, Integration, Consolidation, Platformation, it is the future.” — When the CISO meets with you about your product, be prepared for them to ask about automation, integration, or tool consolidation. As previously stated, CISOs have small teams and limited resources; we want to be as productive as possible with any new solution we add to our security portfolio.

  • Recommendation: Plan to talk about automation and where your technology can reduce the workload on security teams. With today’s threats and changing security requirements, it is essential that, as a vendor, you describe to the CISO how they could improve a currently manual process with your technology or replace several expensive technologies through consolidation or expanded platformation (invest more in a current platform through new services). The risks businesses face today occur at a frightening pace, and extensive security stacks no longer provide a benefit that CISOs can defend during their budget review. So, as my partner, let me know how I can automate, integrate, platform, or consolidate with your solution to reduce costs and make my security program more efficient.

9. Issue: Be willing to discuss price — Vendors contact CISOs daily. We, in turn, continuously research technologies that would benefit our organization, and when we talk to you about pricing, let’s have an honest dialogue. CISOs understand that no technology has just one fixed price that never changes. They expect other costs for add-on services such as new modules, installation, or platform integration. One last note about cost: we hate having a price that fluctuates, such as a cost based on consumed cloud storage or the amount of bandwidth used by the organization. The issue here is that the costs may jump up and down, which isn’t stable. Making the business case for a solution where the cost isn’t a set price is brutal. I am just putting that out there as we are among friends here, and I would love to correct this problem.

  • Recommendation: As a good partner, provide estimates that cover all requested services. There should be no surprises, as the CISO must understand the total costs to ensure available resources. If some of the requested services won’t work unless another service is purchased, please share that information; telling a CISO after the fact is unprofessional. It’s best to lay out all the costs and provide multiple options in tiers, giving us choices to bring to the budget discussion with our CFO. I highly recommend never playing the “Take it or leave it card” because we will leave it and then talk to 200+ CISOs we know and tell them why they should leave it. That’s not a threat; it's just reality. Let's work together.

10. Issue: “How would the CISO measure success using your solution?” — As a vendor, your answer to this question is a crucial differentiator of why the CISO should use your technology. Be able to speak to the CISO about success metrics that show your technology provides some form of measurable value. Most CISOs and their security programs don’t generate revenue for their companies but can enhance business operations by managing risk and protecting revenue-generating services. How do you help the CISO tell that valuable story to their board?

  • Recommendation: Provide success indicators that the CISO can use to measure your product's value to the business. What measurements do you have that show the CISO is unsuccessful and may require help? Do these indicators come in the form of dashboards or reports? Are these metrics tailored for different audiences, such as engineers, executive teams, boards of directors, or non-technical stakeholders? You should expect that if you are helping CISOs solve problems, they will ask these questions because they must be able to speak to the need for your solution; its value must be demonstrable and trackable over time.

11. Issue: “Non-Technical Vendors wishing to partner” – You are a vendor that sells services not generally under the technology umbrella CISOs purchase to manage their security program. Maybe you are a consultant of some sort, and you reach out hoping to get the chance to present the services you would like to provide to the CISO or other technology executive.

  • Recommendation: Your problem here is that typically, your email, voice mail, phone call, etc., are treated as spam because you don’t fit into the pressing strategic issues the CISO and security team are currently managing. Your approach and mindset should be “It’s about establishing a relationship.” I know that doesn’t tell you anything. I want you to understand that it’s best to first ask for help. Be upfront and tell the CISO you have difficulty understanding how to work with CISOs and that you could use some help understanding how they work and what services they need. The CISO that helps you doesn’t have to be a customer, but they can give you insight so you can be a better partner for your new customers. Your approach is all about finding how you fit into the needs of a security or technology professional, and it's okay to use one as a mentor.

12. Issue: "Hijacking Posted Content or Social Media Posts" — You are under pressure to close deals, and you feel you just need to get the brand some visibility, so you jump into posts and spray your company's name all over the place. To me, that is seriously unprofessional, and it generates the wrong kind of visibility.

  • Recommendation: Talk with your marketing and sales teams and see if they can partner with someone who is creating content. This way, you will now have a reason to expose the brand and talk about your company professionally. Partner with content providers; don't hijack them.

As we finish our discussion, this is in no way the complete list of issues or problems CISOs and vendors have as they strive to work together. I hope that in continuing to update and publish this list, we can find common areas to work together to better our community. I believe improved communications between CISOs and their technology partners significantly enhance our community’s ability to innovate and respond to the threats that put our respective organizations at risk. With that said, I look forward to meeting many of you soon at RSA and this August at hacker summer camp – Blackhat/DefCon. Please reach out if you have any recommendations for this list; thank you for your time, and be well.

*** In addition to having the privilege of serving as a Chief Information Security Officer, I am a co-author with my partners Bill Bonney and Matt Stamper on the CISO Desk Reference Guide Volumes 1 & 2 and the Executive Primer. I have also authored The Essential Guide to Cybersecurity for SMBs and Developing your Cybersecurity Career Path. All are available in print and e-book on Amazon. To see more of what books are following in our series, please visit the CISO Desk Reference website.

Hope Frank

Global Chief Marketing & Growth Officer, Exec BOD Member, Investor, Futurist | AI, GenAI, Identity Security, Web3 | Top 100 CMO Forbes, Top 50 Digital /CXO, Top 10 CMO | Consulting Producer Netflix | Speaker

3 weeks

Gary, thanks for sharing! How are you doing?

Bobby Conway

Helping organizations protect and secure identities, wherever they live

6 months

Great reminders, thanks Gary.

T.J. Patterson

Information Security Leader | People Leadership | Risk Management

7 months

Well written, Gary Hayslip. This is insightful for security sales folks, even independent of RSA.

Stuart Mitchell

Founder of Hampton North - Cyber Security Recruitment Partner

8 months

Looking forward to catching up at RSA, Gary. It's been too long.

Great article with excellent advice!
