The focus of the cybersecurity leader has evolved. Previously, this role was tactical and very focused on specific technical issues. To be successful today, a cybersecurity executive must drive strategy that is based on sound risk management concepts, understand changing technology in order to adopt and integrate the appropriate security controls, and also be an influencer across the organization who surfaces and escalates dangerous risks so that partner teams drive them to resolution. However, the job has become increasingly challenging with the rapid pace of technology adoption, the movement of data across data centers, cloud services and business partners, and the expectation of detecting or preventing every attack, security misconfiguration, or mistake across a wide range of systems.
As former CISO of Twitter, my goal was to build a solid security and risk management program that identified the most crucial risks to the company, to develop security programs to drive down those risks, and to build or buy effective security solutions to securely enable the business. The job was heavily focused on marrying together the right mix of technology and the right team of individuals. I learned many lessons along the way, but in the space of security solutions, one item that particularly stood out is that most infosec vendors do not sell to CISOs effectively.

Unfortunately, the process of identifying and
selecting security solutions is much more challenging than it should be. There
are two major problems contributing to this challenge. First, with the
explosion of investments in the security space it’s nearly impossible to keep
track of which solutions are available for particular needs and which ones are
good. Second, the vendors all appear to be watching poorly written hacking
movies. The amount of FUD and buzzword overloading severely obscures what a
product is actually doing. Together this makes it very challenging for a CISO
to hear through the noise and find the right solution.

Is Self-Service Selling the Key?

The way security vendors are selling their products is broken. CISOs are tasked with sifting through emails and signing up for and sitting through intro calls or onsite meetings just to learn what the product actually does. A CISO and their team have more work than time available, and this whole process is cumbersome. As a result, I shunned all sales pitches and relied only on word-of-mouth recommendations from my trusted network of peers. This worked, but it feels like a larger failure of the industry.

The infosec sales process can - and should -
be easier if vendors learn to better address the needs of today’s CISOs:
Outline the specific problem, then provide the solution: Consider that the average CISO likely has a list of 25-50 known security problem areas of varying risk and priority. The top five to ten may be getting focus each quarter. Sometimes it's not whether or not 'X could be better' but whether that's the current focus based on risk prioritization. Vendors should outline the problem they are solving and seek alignment to priority, rather than claiming they are a “silver bullet” or just touting “interesting” security features of their tool.
Omit buzzwords and FUD from your vernacular: Most CISOs are already inundated with newspaper headlines, “sky is falling” claims and misinformation. Instead of using scare tactics, use clear, descriptive words to illustrate the value proposition. Clearly outline the problem solved, the method of integration, and how this product serves as a function of the organization’s risk management processes.
Offer a self-service model: Allow potential customers to try out the product, ideally without even an intro meeting, to see if it fits their needs. Then let the prospect come to you with questions. A demo environment is the most efficient approach to connect with a CISO and their team. Plus, it lets your product do the talking!