How Vendors Should Approach CISOs


Manage episode 269033490 series 2478315
By David Spark and Allan Alford. Discovered by Player FM and our community — copyright is owned by the publisher, not Player FM, and audio is streamed directly from their servers. Hit the Subscribe button to track updates in Player FM, or paste the feed URL into other podcast apps.

All links and images for this episode can be found on CISO Series (

"How do I approach a CISO?" It's the most common question I get from security vendors. In fact, I have another podcast dedicated to this very question. But now we're going to tackle it on this show.

Check out this post for the basis of our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Ian Amit (@iiamit), CSO, Cimpress.

Here also is my original article with Allan Alford when he first launched this engage with vendors campaign.

Thanks to this week's podcast sponsor, Sonrai Security.

Identity and data access complexity are exploding in your public cloud. 10,000+ pieces of compute, 1000s of roles, and a dizzying array of interdependencies and inheritances. Sonrai Security delivers an enterprise cloud security platform that identifies and monitors every possible relationship between identities and data that exists inside your public cloud.

On this episode of Defense in Depth, you’ll learn:

  • All CISOs are different so any advice we provide will vary from CISO to CISO. Plus, we have an entire other show, CISO/Security Vendor Relationship Podcast, dedicated to this very topic.
  • We acknowledge that this is tough because to be really on target you need to know what the CISO has, what their mix of products are, and how your product could work in their current security maturity and mix of security products and processes. It's all a very tall order for a security vendor.
  • Vendors must stop thinking of themselves as point solutions, but rather how they fit into the overall makeup of a security program. You're not coming in with a blank slate. How do you interoperate with what's existing?
  • There's unfortunately the trend of the people who make the contact, then initiate a meeting, and hand off to someone else. CISOs do not welcome that kind of engagement, although it may be very cost effective for security vendors to hire junior people to make those contacts and hand offs.
  • Lots of argument about the efficacy and the acceptance of cold calling. Those who claim they don't like it are often working at organizations that do it repeatedly to great success.
  • The pushy salesperson who eventually gets through after repeated attempts even when they're told no may show success, but they don't calculate all the people they've angered and the word-of-mouth negativity that has resulted from that behavior. If you push beyond a request to stop, the worse that can happen is your reputation will be destroyed.
  • CISOs are more receptive to market pull into your organization. That can happen through traditional marketing, content marketing, podcasts, analyst reviews, and word-of-mouth. Problem is these techniques don't leave any room for salespeople to operate.

92 episodes