CISOs and Security Vendors: A Challenging Symbiotic Relationship

Written by

Larry Larsen, director of cybersecurity at Apple Federal Credit Union in Fairfax, Virginia, has little time for security vendor representatives who call on him out of the blue and want to know, right away, everything his organization is doing to secure its network.

“That tells me they don’t even know enough about cybersecurity best practices to be worth an introduction,” he says.

In his role, Larsen is accustomed to dealing with a variety of vendor idiosyncrasies but the one that annoys him the most is ignorance of basic security protocols. “No CISO that I know will ever, ever, tell some guy they just met how they’re securing their networks,” he claims. “I’ve had that happen at a cocktail reception, and got the classic deer-in-the-headlights look when I replied that I don't kiss on the first date.”

CISOs and security vendors have something of a symbiotic relationship – neither can do without the other. Yet the relationship is often fraught with mistrust and skepticism. For security executives like Larsen, trust and honesty are paramount to a good vendor relationship, but establishing that relationship can be a hugely frustrating experience for both sides especially considering the crowded and hype-driven nature of the security industry.

For CISOs, the challenge lies in cutting through the vendor speak and techno-babble and finding firms with technologies they truly need, that work as advertised and are compatible with existing investments and strategy. According to CSO Online, there were over 1440 security vendors at last count, and way too many products to enumerate. Trying to find a vendor that fits your organization’s needs can be a truly monumental task.

For vendors, the challenge is getting through to CISOs that are cautious about hype, weary of dealing with over-eager vendors and blessed with an abundance of choice.

“The bolt-on cybersecurity industry is large with hundreds of vendors and a market size of almost $200bn,” says David Jordan, CISO of the Arlington County government in Virginia. “Developing a trust relationship is always critical in support of a long-term relationship, but how that happens is a very individual process.”

Here, according to Jordan and others, are some tips for minimizing friction in vendor relations.

“Developing a trust relationship is always critical in support of a long-term relationship, but how that happens is a very individual process”

Spell Out Your Tech Requirements

A clear understanding of technology requirements is critical for both sides. Before you go technology shopping, make sure you as the CISO understand your requirements, says Chris Pierson, CEO of Binary Sun Cyber Risk Advisors, a former CISO who now offers strategic security advice to CISOs and the C-suite. “In the security space there are too many products with too many overlaps right now,” he adds. Instead of chasing after every new technology, follow your strategic roadmap and make sure what you are looking for aligns with your company’s existing products, he says. Where possible, companies should be looking for opportunities to slim down their vendors and security controls.

From a vendor perspective “the most important questions to ask are ‘what is the problem you’re trying to solve?’ and ‘what does your enterprise architecture look like?’” says Guy Bejerano, CEO of SafeBreach and a former CISO at messaging service LivePerson.

The vendor’s product must not only address the problem being outlined, but also deliver a seamless deployment. “Understanding the architecture ensures that the proof of concept and actual deployment will go smoothly,” Bejerano says.

Articulate Your Strategic Direction

CISOs need to articulate their strategic security objectives and vendors need to make sure they understand them.

“A CISO is critical in outlining a company’s entire security strategy and where a specific technology fits in,” Bejerano explains. It is vital for them to set the right expectations up front for technologies and services.

Vendors meanwhile need to serve more of an innovation-factory role by bringing strategic or relevant technologies to a CISO. To serve in that role,they need better insights into the strategic direction the CISO is trying to take as well as on any near-term issues or crisis they may be attempting to resolve, says Phil Quade, CISO at Fortinet.

“Too many vendors are pitching solutions without understanding what an organization’s strategic direction is, or what their near-term weaknesses are,” Quade states. This often results in vendors reaching out to CISOs with pitches for problems that have already been appropriately addressed.

To truly understand a CISO’s requirements, vendors need to be prepared to ask questions pertaining to the strategic thrust of their security initiative, adds Quade. Equally, vendors need to be asking CISOs about any near-term implementation gaps that need to be addressed and the problems which the CISO thinks they already have under control. Vendors also need to discover whether there are any areas the CISO would like to see a game-changing level of increase in either the efficiency or the effectiveness of their security controls.

“It is important for CISOs to let vendors know timelines with accuracy,” says Pierson. They need to let the vendor know if a project is a priority for the team right now or, if not, when it might be. “Be forthcoming about your worries on the front end,” Pierson advises. “Making sure everyone knows what success looks like keeps the relationship and teams strong.”

“Too many vendors are pitching solutions without understanding what an organization’s strategic direction is, or what their near-term weaknesses are”

Don’t Get Oversold

The vendor’s primary mission is to sell a CISO their product. It really is up to the CISO and the security team to figure if they are being oversold on a product’s capabilities.

“You have to know what you want,” says Jordan. “Knowing what you want and knowing if you are going to get what you want ensures you will have a great vendor relationship.” A lot of the angst over dealing with vendor hype boils down to the CISO’s understanding of the products and issues being mitigated with them, he adds.

Vendors need to always keep in mind that overselling product capabilities and ease of implementation is a great way to end a relationship, Pierson warns. “Make sure you have your technical engineers and deployment professionals on sales calls to keep the technology grounded in the 21st century.”

Do Your Due Diligence

If you don’t want to be stuck with a technology that falls short of your expectations, don’t take your vendor’s performance claims at face value: vet the claims yourself.

Most vendor tools look great on paper, but the proof is in deployments, says SafeBreach’s Bejerano. If you are a vendor, be prepared to show how other organizations are using your products to solve similar business problems, he says. Also be prepared to drill into support and service agreements because enterprises will want to know they will be supported post purchase.

Larsen thinks the best way to avoid conflict with your vendor further down the road is to do a thorough vetting before you even let them get to the point of presenting a proposal. As the security leader of an organization with a tight budget, Larsen says he makes absolutely certain that a vendor’s product or service meets organizational requirements.

“That’s why I insist on demos, Q&A meetings with my engineers and analysts, and a proof of concept trial run for any new solution,” Larsen says. “If a vendor won’t agree to any of those, I’ll tell them to have a nice day and move on!”

Usually, once that level of competence and commitment is established, maintaining the relationship becomes less of a hassle, unless of course service levels drop off or the vendor can’t keep up with evolutions in technology. “My vendors end up as partners on my team, and usually appreciate the gauntlet

I make them run. They like being held to a standard of performance,” he says.

When vetting a technology or a vendor, make sure the team that is doing the vetting includes members from the architectural, security and infrastructure teams, Pierson notes. Such inclusivity is critical to understanding what a product does and where it plugs into your overall infrastructure, he says.

Few things are more annoying to security leaders than vendors who try to do an end run around them. When a vendor is assigned to work with a particular individual on a security team, it is important the vendor works primarily with, and through, that point person, Pierson argues.

“Going around the process or behind the backs of team members is usually a great way to fall out of grace with the team.”

Ask Around

Before you sign up with a vendor, make sure you can get along. If you are unsure about a vendor or a technology, don’t be shy to ask others for their opinion, says Jordan of Arlington County.

“I might ask my regional CISOs what has been their experience with a certain vendor,” he says. “Or I may pose the question that I’m looking for a specific service or tool and would like recommendations or a virtual introduction to a respected vendor representative.”

Another approach that Jordan uses is to go to other CISOs and ask for references about a particular vendor. “Since we are all operating in the same region the chances are high that someone in the group has met the vendor or is using their product.” If you don’t have a group, ask the vendor for references you can trust, he says.

CISOs depend on vendors for the technology tools needed to keep up with modern threats and vendors need CISOs for their business. While secure processes and practices certainly matter, no organization can hope to protect itself against threats without deploying at least some technology controls. Both vendors and security leaders have a part to play in ensuring the symbiotic relationship doesn’t become a poisonous one

How vendors and CISOs can most effectively work together:

1.  Spell out your tech requirements

2.  Articulate your strategic direction

3.  Don’t get oversold

4.  Do your due diligence

5.  Ask around

What’s hot on Infosecurity Magazine?