What CISOs really want from security vendors

Less risk? Better security? Value for dollars spent? Check, check, and check. But of all the things CISOs want from security vendors, trusted partnership tops the list. Here's how leading CISOs find and foster those relationships.


Terry Grogan found herself in a situation familiar to many security leaders. Her organization was going through a major technology initiative with big security implications, and the burden of those implications fell on an understaffed department.

As a result, Grogan needed to implement new, more advanced network monitoring capabilities.

She found an exemplary partner: a vendor who laid out a plan to pilot its solution at no charge for three months to determine the hospital’s biggest gaps and whether the solution could close them.


Terry Grogan, CISO, Pixel Health

“We were able to see how this product not only solved problems we thought we had, but helped bring efficiencies we didn’t even know we could get,” Grogan says.

Grogan was impressed and inked a long-term deal with the vendor.

Grogan’s decision to finalize a contract with that vendor wasn’t based solely on its solution’s capabilities.

Of course, she wants the products she buys to work, but it was the vendor’s ability to work with the hospital, fit its solution into the hospital’s technology stack and advise Grogan on the best security strategy moving forward that really distinguished it.

“I absolutely need a vendor who is a partner; there’s almost no exception to that need,” says Grogan, now CISO for Pixel Health. “You used to be able to buy something, like an antivirus, have them install it and leave. Now security is so complex and touches so much and overlays all of the infrastructure and changes so quickly that you need a vendor who is an advisor.”

CISOs have always relied on vendors to provide them with the tools they need to secure the enterprise; there aren’t many homegrown solutions in a typical enterprise security operation. But CISOs also have a choice of vendors, and given their limited time and budget, as well as the ever increasing importance of the work they do, they’re becoming more selective and discerning about which vendors they engage.

This isn't just about trimming the number of vendors they use, though Gartner, the tech research and advisory firm, lists vendor consolidation as one of the top trends in enterprise security for 2021 and notes that “most organizations recognize vendor consolidation as an avenue for reduced costs and better security.” Ultimately, CISOs want to ensure that the select vendors they do use deliver both quality solutions and the value-adds they seek, so that their security teams can perform at a higher level.

Know their needs

What CISOs want from vendors varies, and they seek different attributes from different vendors at different times, says Thomas Cary, director of technical operations with Golisano College of Computing and Information Sciences at Rochester Institute of Technology and an adjunct computing security faculty member.


Thomas Cary, director of technical operations, Rochester Institute of Technology

CISOs do still want some vendors simply to deliver a needed solution, maybe implement it and then go, Cary and others say. But those cases are in the minority now.

Cary has a clear list of expectations for vendors. He wants vendors who get to know and understand his organization and its existing security tools, so they can help identify strengths and weaknesses and propose ways to close gaps, strengthen his security posture and help his team achieve its goals.

“Vendors have to take the time to get to know the organization and do their homework so they can create a solution that’s tailored to meet the organization’s needs,” he says. “That’s what can really distinguish the vendor.”

Cary also wants his vendors not to overreach; he says he wants them to be upfront about their products’ capabilities as well as their limits.

He points to one vendor that provided his organization with an email filtering platform offering a range of capabilities. The vendor sold him on a plan to bring in the requested filtering capabilities within his existing workflow, while also pointing out where additional features could automate some functions within those workflows. At the same time, the vendor acknowledged that Cary’s team already had some of the capabilities it could offer from other vendors, and that there was no reason to switch.

“The vendor really had our best interest in mind and they didn’t oversell, so we knew we could rely on what they were saying and as a result they really helped us improve our overall incident response,” Cary says.

Other CISOs have expressed similar expectations.

The marketing firm Merritt Group in 2020 issued a report titled Marketing & Selling to the CISO that echoed much of what Cary and other CISOs now say they want from their vendors.

According to the report, “Above all else, marketing to the CISO requires a personalized and problem-focused approach. There’s no such thing as a one-size-fits-all solution in cybersecurity, and CISOs tend to be wary of any such promise. CISOs do want solutions that address their unique pain points, and nearly half of all CISOs want vendors to do their homework before making a sales or marketing call.”

Show, don’t tell

The report further noted that 34% of responding CISOs say vendors have a better chance of success if they understand the CISO’s problems—and can demonstrate that knowledge.

“Once vendors understand what the CISO needs, the next step is to show—not tell—how a particular solution can help. CISOs much prefer product demos to any other form of follow-up,” the report stated, noting that 34% of respondents expressed that preference.

In other words, vendors have to demonstrate how they can help CISOs be more effective and more efficient in securing the enterprise, says Brian M. Gant, an assistant professor of cybersecurity at Maryville University who has two decades of corporate and federal government experience in analytics, threat intelligence and executive protection.


Brian M. Gant, assistant professor of cybersecurity, Maryville University

Moreover, Gant says, vendors must show how they can meet both current needs and emerging ones by sharing the knowledge they’ve gained by working across multiple organizations.

“They have to meet those immediate needs but also help CISOs expand their knowledge,” Gant says.

Vendors must be agile, too, willing and able to adapt, scale and deliver as rapidly as an organization’s circumstances change.

The pandemic illustrated that need, he says, but more mundane business events do, too. He points to one case where he was working with a CISO whose organization had layoffs; the layoffs required its managed security service provider to rapidly implement behavioral monitoring capabilities to ensure departing workers weren’t accessing, copying, or removing sensitive information.

“Vendors need to be able to come to the table with a diverse array of options for CISOs,” Gant adds.

Managing for maximum vendor value

Chas Heng, CISO for Altria Group (previously known as Philip Morris Companies), has a similar take.


Chas Heng, CISO, Altria Group, Inc

“We look to our security partners for strategic direction/input into our security strategy and roadmap,” he says, noting that he wants to leverage key strategic partners “to benchmark our security program against our industry peers to ensure we are investing appropriately in cybersecurity capabilities and are aligned to security industry best practices.”

As such, he’s looking for vendors that provide consulting and advisory services as much as products and solutions.

“I want them to be strategic thought partners. That’s the No. 1 thing I want help with, whether they’re a software vendor or they’re providing support services. I want them to bring in external perspectives so they can help us evolve our program.”

To do that, Heng and his team meet regularly with vendors, scheduling monthly reviews and quarterly sessions to develop roadmaps. Heng himself meets with the most strategic vendors monthly to discuss what they can bring to the table.

“We take time to talk about performance, where I might have additional asks, and I talk about upcoming needs and priorities so they can talk about what resources or supports they can provide,” he says. “And they know to come with recommendations on how we can improve.”

Bill Serowka, senior consultant at Swingtide, a management and IT consulting firm, says CISOs are wise to rely on their vendors for insight and guidance because their work across multiple organizations positions them to identify the blind spots that CISOs and their teams have.


Sanjay Macwan, CISO, Vonage

At the same time, however, Serowka says vendors must still meet the basic wants that CISOs have: solutions that perform well, work within their organization’s existing structure, deliver what’s promised and, of course, improve the organization’s overall security posture.

Sanjay Macwan, the CISO of Vonage, developed a seven-point framework to ensure he gets all that from his vendors.

According to this framework, Macwan selects vendors who explain:

  1. in clear, simple terms, what their solutions solve and what they don’t solve;
  2. how their products complement the other solutions he has;
  3. how to operationalize their solutions within his organization, in other words, what the integration points are and what work his own engineers and architects will need to perform to get the solution up and running;
  4. who will be the technical advocate on their side to work with his team;
  5. the algorithms that power any intelligence in the solutions (“There’s a lot of hype around artificial intelligence and machine learning [in security solutions] so I actually want to look under the hood,” Macwan says);
  6. the ongoing operational and technology engagement they’ll bring to the table, along with how their technology will evolve;
  7. how they’ll foster a strategic relationship with him and his team.

Macwan adds: “This is my lens, and I use it very consistently. I explain this right up front with vendors: Here are our expectations. These are the rules of engagement.”

Copyright © 2021 IDG Communications, Inc.
