A few weeks ago, we attended a gathering of CISOs and Venture Capitalists in the US. Lots of topical areas were covered. Here are a few reflections based on what we heard…
“Sell it to me in 2 minutes … preferably less.”
CISOs and VCs alike are frustrated with pitches that don’t clearly explain the gap a solution is filling. Too many vendors are failing to communicate in practical terms: security leaders want to quickly understand what they can do once they have a solution, not what the technology does. If they’re interested enough in what they hear to ask about pricing models, they want unambiguous answers. Vendors should also know their competition: “Don’t say you don’t have any”.
“Incremental changes, meh. Game changes, yes.”
There are several strategic areas proving continuously problematic for CISOs. One is how to implement a risk based approach to security. While prioritizing based on risk is essential, because security teams can’t address everything, the criticality of risk is subjective and difficult to define. This means the way risk is ranked isn’t always right. Other problems include ‘getting the basics right’, simplifying Board communication and articulating how well critical assets are protected.
“I’d rather have a partner than a technology.”
Partnerships and relationships are important to security leaders. They want solutions that can adapt as their needs change. As one CISO said “We know it’s not build vs buy; it’s build and buy”. Vendors that make better partners are agile, open to CISOs they work with influencing their roadmap, and deliver a solution that doesn’t necessitate another hire into the security team. Importantly, CISOs want vendors who can help them quickly do something they need, which they can’t do themselves. This means they care about the team they are working with as much as the product. Talent is a top purchasing criteria.
“Don’t just answer ‘so what’, tell me ‘what now?’”
Every product has a dashboard. Some answer the ‘so what’ question, but that isn’t enough. CISOs need to know what to do as a result of what they’re seeing.
“Say ‘single pane of glass’ one more time … I dare you”
Finally, vendors need to show how they integrate into the environment a CISO is managing, and how they work in partnership with other technologies they already have. CISOs know that there is no ‘single pane of glass’ – open APIs are crucial so that data can be easily pushed to other locations. They need technologies that are extensible.