CISO Manifesto: Rules for vendors — 2023 Edition
Gary Hayslip
CISO @ SoftBank Investment Advisers | Board Director | Investor | Author | Hacker | Veteran | Servant Leader | Father
As Security Executives, we collaborate with many in our community, and in our discussions, we continue to hear about each other's frustrations when working with vendors. From a sales and marketing standpoint, I understand companies need to get in front of the decision-maker to sell their products. However, after writing about this issue over the last several years, I am still surprised that many of us continue to see these same issues. Since writing the original essay almost six years ago, I believe it's even more critical to have technology partners that CISOs can trust and work with to protect their company, assets, and business operations. I have written this article with some recommendations in each rule statement that I hope will assist vendors in understanding how CISOs view their security programs and the technologies they select to upgrade or integrate into their current security portfolio. So now that you have some insight into my approach, let's have some fun:
1. "Don't pitch your competition" — my peers and I don't care for vendors trash-talking their respective competitors' technologies. We understand you do it to compare/contrast why your solution is better, but it's unprofessional. You have limited time to speak with us about why we need your product, so why are you wasting your opportunity talking negatively about your competition?
a. Recommendations: Now, with that said, CISOs know there are times you need to ask a question to start the discussion; I would recommend something like, "Speaking with some of your peers <insert name>, I know you are dealing with numerous issues; what problem can we work together to solve?" This question quickly explains why they are interested in speaking with you. If they ask you how you're different from a competitor during the discussion, then feel free to point out what you do better because the CISO specifically asked the question. However, keep your answers professional and focus on the value you will bring to their team and company. There is always a discreet way to say how you rock!
2. "Don't tell me your solution provides 100% of <insert adjective>" — This is a major pet peeve for me; don't make sweeping statements like this because we all know there are no silver bullets. When we hear vendors say they do 100% of something, such as "We use blockchain to catch 100% of the vulnerabilities," many of us with cybersecurity experience cringe and view these vendors negatively. To make a point about how important this is for me, I don't allow my teams to say they know something is 100% or that they can prove something to be 100%. One lesson I have learned as a CISO is that the only thing I would ever guarantee an executive team or a board of directors 100% is that the threat environment will change continually, and security is a continuous process.
a. Recommendations: Don't waste the time you have to speak with a security executive making definitive statements like your solution provides 100% coverage, 100% remediation, or 100% capture of anything. Security executives today are mature; we research, collaborate, and compare information on vendors. You lose your credibility the first time you are not 100%, and you know it will happen!
3. "Don't try to sell me a proprietary tool" — Many new security technologies use innovative methods to protect companies and provide unique services to their security teams daily. As a CISO, I am suspicious of technologies written in a proprietary language that will need expensive professional services and extra add-on modules to reach their full potential. I am also wary of vendors who can't fully explain how their technology works because it's proprietary. CISOs have numerous security controls, compliance requirements, and risk mitigation initiatives they must manage with limited resources.
a. Recommendations: Your technology needs to integrate into the current security environment with relative ease and be painless for the security teams to operate. Be able to speak about how your technology will enhance the existing security solutions in place or provide a service that is currently missing. As a security executive who continually reviews technologies to refine my security stack, I look for ones that can grow with my organization as we mature. I seek flexible solutions that can help provide resiliency, not proprietary, static, or rigid ones. So be flexible! Help CISOs build resiliency into their security portfolios.
4. "Don't try to sell me on an overcomplicated solution" — This is still a big concern with mature vendors and even cybersecurity startups. To me, it's the "kitchen sink" effect. Instead of solving one problem consistently with excellent service, a vendor lumps multiple technologies together to try and resolve several issues. I rarely see this go well, and I have a rule of thumb: if it takes numerous sales engineers to explain it to me and hours to demonstrate the technology, it's too complicated.
a. Recommendations: As I previously stated, CISOs manage risk with tight resources and small teams. Each team member is expected to learn several technologies and related work processes. If CISOs must dedicate one full-time team member to use your technology alone, then it's not providing the required business value. Now that doesn't mean they don't look at platforms that can add functionality when needed; the point here is that the core purpose of the solution should be focused on a specific problem, be easy to use, and provide concise real-time data/reports when required. It should not be cumbersome, overly complicated, or require extensive training for basic user operations.
5. "Do your research" — Before you step through the door to speak to the CISO, expect that they will have researched you, read some articles about your product, and talked to several peers about your technology, your company, and you as a partner. If they are researching you, I highly recommend you do the same. You typically have 30 minutes to 1 hour to speak to them; if you have done your research, you will know whether they are experienced or not.
a. Recommendations: This "experience" knowledge is vital because, in addressing experienced security executives, half the slides in your sales deck will not interest them; they don't need to have basic security concepts explained to them. Better yet, send the slide deck to the CISO beforehand, and when you arrive for your meeting, assume they are professional, have read it, and jump right into your presentation. Use your time wisely and discuss how you can help them effectively solve their problem. I mention this because I have had vendors spend half our meeting time explaining why NIST is necessary or why ransomware is terrible. Know your audience.
6. "As a potential partner, speak to my compliance needs as well" — In conducting the above research before meeting a CISO, you should also have researched their company's business landscape. I would suggest you look up any compliance requirements/restrictions that pertain to their organization's business operations (such as PCI, HIPAA, GDPR, NIST, SOC 2, etc.). Understanding their compliance landscape helps you see what problems your solution will solve for them.
a. Recommendations: These business compliance/regulation regimes have unique terms and requirements. I recommend using them when you talk to the CISO to demonstrate you understand their needs and how your solution will help them meet their obligations under these requirements. It is essential that you, as a potential partner, understand these mandated requirements and, in your discussion, give examples of how your technology works within them. Use this as another touchpoint to explore why the CISO contacted you and what else she needs to mature her security program.
7. "If your product requires integration, be knowledgeable about the process" — CISOs manage many threats, projects, audits, politics, budget issues, compliance requirements, etc., on a daily basis. When we research enterprise solutions such as SOAR or SIEM, for example, that require extensive integration, we expect you, as the vendor, to understand the use cases for installation.
a. Recommendations: As a technology vendor, you should provide specific examples of how your solution integrates with the CISO's security portfolio. As security professionals, we know technology doesn't come out of the box and just work; we expect some professional services to set it up. If the technology you want the CISO to purchase requires heavy integration, don't shy away from it; own it. Speak to how it can be done and have specific use cases available for the CISO to review. Better yet, ask some questions before your meeting so you understand the current security environment, and come prepared to speak on how your technology can be tailored to fit the CISO's needs. As previously mentioned, CISOs speak to other CISOs, just as I am sure you reach out and talk to fellow vendors and sales reps. In discussions with peers about your technology, CISOs will ask about integration and whether there are problems they need to be aware of or integrators they should use, so have an open dialogue and talk about it.
8. "Know what problem your technology is there to solve" — This is really on you as a vendor to understand the technology you are trying to sell to the CISO. You should understand and know the problem it solves. You and your company aren't just creating an application or a service; you believe you have a better technology than your competitors.
a. Recommendations: It is incredibly frustrating as a CISO to speak with a vendor and, as we listen to you talk about your solution, to be able to tell that you don't understand why the technology would be implemented in an enterprise cybersecurity program. You should know, as an example, how it meets specific risk framework requirements. If it fits into MITRE's ATT&CK framework, describe how it provides better services for particular security controls and reduces risk exposure. If you don't understand the value your product provides the security professional, it's tough for the CISO to know why they need it or whether they should speak to you.
9. "Automation, Orchestration, Integration, Consolidation: it is the future" — When the CISO meets with you about your product, be prepared for them to ask about automation, orchestration, or tool consolidation. As previously stated, CISOs have small teams and limited resources; we want to be as productive as possible with any new solution we add to our security stack.
a. Recommendations: Plan to talk about automation and where your technology can reduce the workload on security teams. With today's threats and changing security requirements, it is essential that, as a vendor, you can describe to the CISO how they could improve a currently manual process with your technology or replace several expensive technologies. The risks businesses face today occur at a frightening pace, and extensive security stacks no longer provide a benefit that CISOs can defend during their budget review. So as a vendor, let me know how I can automate, orchestrate, integrate, or consolidate with your solution to reduce costs and make my security program more effective.
10. "Be ready to talk about price" — Vendors contact CISOs daily. We, in turn, continuously research technologies that would benefit our organization, and when we talk to you about pricing, let's be realistic.
a. Recommendations: CISOs understand that no technology has just one fixed price. They expect other costs for add-on services such as new modules, installation, or platform integration. As a good partner, provide those estimates because the CISO must understand the total costs to ensure resources are available. Trust me, CISOs are researching and talking with peers to determine how much it will cost. One last note about cost: we hate having a price that fluctuates, such as a cost based on consumed cloud storage or the amount of bandwidth used by the organization. The issue here is that the costs may jump up and down, which isn't stable. Making the business case for a solution where the cost isn't a set price is tough. I am just putting that out there, as we are among friends here, and I would love to correct this problem.
11. "How do I measure success using your solution?" — As a vendor, your answer to this question is a crucial differentiator of why the CISO should use your solution. Be able to speak to the CISO about success metrics that show your technology provides some form of measurable value. CISOs don't generate revenue for their companies but can enhance business operations by managing risk and protecting revenue-generating services.
a. Recommendations: Provide success indicators that the CISO can use to measure your product's value to the business. What measurements do you have that show the CISO is unsuccessful and may require help? Do these indicators come in the form of dashboards or reports? Are these metrics tailorable for different audiences such as engineers, executive teams, boards of directors, or non-technical stakeholders? You should expect that if you are helping the CISO solve a problem, they will ask these questions because they must be able to speak to the value of your solution; it must be demonstrable, and it should be tracked over time.
In completing this discussion, I want to say this is in no way the complete list of issues or problems CISOs and vendors will have working together. I hope that by continuing to update and publish this list, it can provide some value to our community, and I look forward to reading everyone's responses. I believe improved communication between CISOs and their technology partners significantly enhances our community's ability to innovate and respond to the threats that put our respective organizations at risk. I look forward to meeting many of you soon at RSA and later this summer at Cyberweek and Blackhat. Please reach out if you have any recommendations for this list; thank you for your time, and be well.
***In addition to having the privilege of serving as a Chief Information Security Officer, I am a co-author with my partners Bill Bonney and Matt Stamper on the CISO Desk Reference Guide Volumes 1 & 2, and the Executive Primer. I have also authored The Essential Guide to Cybersecurity for SMBs and Developing your Cybersecurity Career Path. All are available in print and e-book on Amazon. To see more of what books are next in our series, please visit the CISO Desk Reference website.
Solution Architect at Cyberhaven | DLPtest.com Creator | Data Security Speaker
Thank you for sharing this list. It's beneficial for me as a sales engineer.
CSO at Quintillion Global | 3x CISO | USAF Veteran | Servant Leader | Keynote Speaker
Nice job Gary. I like 5. and 8., because they have a lot to do with the research a vendor has, or has not, done regarding my problem set. I really appreciate vendors who have talked to staff and contractors, who understand my problem set to a degree. I recall one experience when a vendor was trying to sell me a full packet capture solution. I asked, why would you think I need that? There wasn't an answer, but I did share that I implemented a full packet capture solution 18 months ago. But thank you. I also think it's not always fair to vendors because, while they may be doing their best to research and find your problem set, well-trained staff know not to share problems or disclose vulnerabilities.
4x CISO | GTM and R&D Advisor for Cybersecurity Startups From Pre-Seed to Growth Stage | Cybersecurity Product Specialist | Helped Raise $400M+ in Venture Funding | Author | Investor
Nice work again, Gary Hayslip.
Great list! I suggest two modifications… #5… Don't invite a vendor for a meeting until a member of your team has sufficiently vetted the technology and the company to the point that you understand if it solves the problems you are prepared to solve. If a first meeting is to do a technology overview to more than one person, then it's wasting cycles. Improve your technology vetting process. (I have a well-developed analytical process I'm willing to share individually.) I came up with that after coming out of a tech briefing in 2014 with 17 people at an F1000 company. They needed it, loved it, but never made a decision. I'd guess they had a couple of meetings like that every month. #9 Add prevention to that list. If you're not thinking in terms of prevention, then you are limiting the possibilities of what you can accomplish. But be very cautious, because there's a huge chasm between what some vendors claim is prevention and what is true prevention. Similar to zero trust, where zero trust begins with no trust in the claims being made until a vendor can define zero trust, and then at least 3 ways they fulfill that definition.