Hey Vendors, What Problem Is Your Product Solving?


Vendors like to focus on new features and capabilities. But that misses the ultimate point of why they are selling in the first place. CISOs want vendors that can solve problems. So why do so many fail to communicate that?

Check out this post from Yaron Levi for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is Yaron Levi, CISO, Dolby Laboratories.

Thanks to our sponsor Scrut Automation.

A knowledge deficit?

Vendors don’t talk about solving problems because CISOs aren’t talking to the right people. "Salespeople often lack technical knowledge about their product’s limitations, leading to overcommitments just to close a deal," said John Patrick Lita of ING Hubs Philippines, adding that poor communication around product updates makes planning and integration challenging. This pressure to close can greatly influence startups, but established companies still struggle with communication. "Many startups have only a concept with several features but lack a cohesive roadmap. Sadly, the same is true for some large vendors, where sales teams don’t even understand how their solution addresses security challenges," said Phillip Miller, MA, CISSP of Qurple. CISO teams often find themselves educating vendors about their products rather than receiving clear, actionable solutions.

Talk is cheap

Vendors make bold claims about their security solutions, but real-world implementation is another story. "In the real world, with legacy code bases, tech debt, and on-premise environments, how many can deliver on their promises? The hard part is that there isn’t a way to create a guarantee or warranty on the claims," said Brian Druckenbroad of Newfold Digital. The lack of clarity in vendor messaging only adds to the challenge. "I’m reminded of my first English writing class in high school. Answer the five W’s (who, what, why, where, when, and how) in the first paragraph," said Tim Golden of Compliance Scorecard, emphasizing that vendors should provide clear, upfront answers rather than relying on vague marketing buzzwords.

What’s the difference?

The marketplace is crowded. Vendors struggle to differentiate their products meaningfully, leading to frustrating sales tactics. "I always like the 'I know you have product X, my product does the same but 1% better, or has one hardly used feature. So, I suggest you pay for both,'" said Richard B. of the Department of Water and Environmental Regulation, highlighting the minimal value-add in many pitches. Adding to that frustration, cold calls remain a pain point for security professionals. "I read Yaron’s post as more of a PSA and less of an invitation for vendors to randomly shoot their shot to hone their cold outreach skills—but maybe I misread this one," said David Rawlings of World Wide Technology. The irony is that without clear differentiation and thoughtful engagement, vendors risk being ignored before making their case.

Answer the preliminaries

Vendors must focus on the value they bring rather than marketing bluster. CISOs already know the problems they are trying to solve. "The big three questions are: What problems do you solve? Why is this an urgent issue to fix? What differentiates you from vendors in the same quadrant?" said Ross Young of Team8. If getting ahold of a CISO is so tricky for vendors, why waste time not giving them the necessary information?

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, Scrut Automation


Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.


Join us TOMORROW, Friday [03-21-25], for "Hacking Narrative Threats"

Join us Friday, March 21, 2025, for “Hacking Narrative Threats: An hour of critical thinking about measuring the risks you least control.”

It all begins at 1 PM ET/10 AM PT on Friday, March 21, 2025, with guests Nick Loui, CEO and co-founder, PeakMetrics, and Jason Elrod, CISO, MultiCare Health System. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.


Thanks to our Super Cyber Friday sponsor, PeakMetrics


Security You Should Know

Solving Data Sprawl with Tuskira

The fragmentation and vast amount of data generated from enterprise tools create a convoluted landscape for cybersecurity professionals to navigate. This complexity is exacerbated in large companies with dynamic environments, where innovation and growth must be balanced with the ever-present need for security.

In this episode of Security You Should Know, Piyush Sharrma, CEO and co-founder at Tuskira, discusses what the company is doing to unify security tools and validate defenses in this sea of data. The show is hosted by Richard Stroffolino with questions from our panelists, Mike W., vp, cybersecurity, GE Vernova, and Keith McCartney, vp, security and IT, DNAnexus.

Listen to the episode here: https://cisoseries.com/solving-data-sprawl-with-tuskira/

Subscribe to Security You Should Know via your favorite podcast app here: https://cisoseries.com/podcast/security-you-should-know/

Huge thanks to our sponsor, Tuskira


Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Christina S., CIO, KIK Consumer Products. Thanks to our sponsor, DeleteMe.

Thanks to our Cyber Security Headlines sponsor, DeleteMe


Jump in on these conversations

"What frustrates you the most about working in the field, and what keeps you going anyway?" (More here)

"What percentage of breaches are caused by negligence/vulnerabilities?" (More here)

"Does cybersecurity tend to attract people who know little about the field vs other tech fields?" (More here)


Coming up in the weeks ahead on Super Cyber Friday we have:

  • [03-21-25] [Hacking Narrative Threats]
  • [03-28-25] [Hacking Fragmented IAM]
  • [04-04-25] NO SHOW
  • [04-11-25] [Hacking Social Engineering]


Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.



It was a great podcast! Thanks for the shoutout! Looking forward to more content like this.

Neena Sharma

Founding PMM @Filigran | Threat Management | MBA | Marketing Mentor

2 days ago

Talking about problem solving is the easier part but what I find tricky is for whom! There is a long chain of command from CISO down to the actual user whose day-to-day issues could be very different from those of a CISO’s. It’s the typical buyer vs user persona balancing. What are the most likely channels for CISOs to read/hear about vendor messaging?

David Rawlings

Global Client Executive at World Wide Technology

2 days ago

Great advice and perspective on the podcast. Thanks for the shout out Yaron and CISO Series!

Tim Golden

I’m on a mission to help MSPs turn compliance into a revenue generating service…not a burden. If you’re a 3–25 person MSP struggling to package, price, or deliver GRC, you’re not alone.. ComplianceScorecard.com

2 days ago

Great point -> . Vendors struggle to differentiate their products meaningfully!
