CISO Perspectives (Pro) 7.1.25
Ep 139 | 7.1.25

Why is the vendor role so contentious in the cyber ecosystem?

Transcript

Kim Jones: Welcome back to CISO Perspectives. I'm Kim Jones, and I'm thrilled that you're here for this season's journey. This past season, we've pulled the deep conversations out of the conference bar to tackle these complex issues from every conceivable angle. Today, we ask the question: What role does the vendor play in the cyber talent ecosystem? Let's get into it. [ Music ] Before I go on, I'd like to take a moment to dedicate this episode to my friend and colleague, Joel Anderson. Joel suffered a devastating loss several weeks ago and thus had to cancel his appearance for this episode. As I fly solo for this podcast outing, I wanted Joel to know that he is in my thoughts and to honor him and his family during their time of grief. Joel, please know that the Jones clan is here for you and that your cybersecurity family mourns with you. Some years ago, a friend of mine and longtime CISO left the chair to become the chief security strategist at a well-known security technologies company. A few weeks later, we sat down for a long-overdue dinner with some friends. During the meal, we discussed their transition from responsible charge to vendor, which they were less than thrilled about. "Overnight, I went from being a respected colleague to just another vendor," my colleague complained. "I'm no longer allowed at CISO events. I'm no longer eligible to sit in CISO exclusive meetings, professional organizations that I have supported for years treat me like a second-class citizen, and folks whom I've interacted with freely and openly won't return my calls. Why do CISOs treat vendors like dirt?" As I was about to respond, another colleague of mine who had crossed over to the vendor side nodded her agreement. "You're an anomaly, Kim," she asserted. "You treat vendors as partners. Most of your peers treat us like dirt." 
As the only non-vendor at a table of colleagues in four-round mode, I didn't pursue this conversation further over dinner, but I did spend some time mulling over the problem. I admit that I was taken aback by these comments, but only a little. Vendor opinions of me tend to be bipolar. I tend to be direct and sometimes pointed. While many vendors enjoyed this honest dialogue, many more found me difficult to engage with. Like most relationship challenges, vendor-CISO relationship problems are two-sided. Regarding CISOs, I would say they are issues centered around something I'd like to call the egoism of motivation. While our careers tend to be fairly lucrative these days, most of us end up fighting an uphill battle for resources and understanding with those who would quickly turn us into scapegoats. Yet, despite this environment, we keep going back into the fray with zeal, passion, and dedication. We are not cops or soldiers, priests or firemen, but on some visceral level, we have tended to share the same passion for service and making a difference. Keeping this in mind, it can be difficult to work with those who understand our concerns, yet do not necessarily share our motivations. CISOs have no objection to money or profit motives. That being said, it is at times vexing to engage in conversations about a tool or service with vendor personnel who either A, don't share your motivations; B, in many cases don't necessarily have similar experiences; C, have left responsible charge positions to pursue potentially more lucrative roles; and/or D, seem more concerned about acquiring your very limited dollars versus resolving your near- and long-term challenges. In short, it often appears as if some of the fundamental tenets and characteristics valued by operational security teams are either less evident or less important amongst our vendor brethren. Even for those of us who managed to get past our own egoism, there still exists the challenge of vendor-CISO communication. 
Several years ago, I came across a webinar by Paul Glen, author of the book "Leading Geeks." Mr. Glen discussed several contraxioms, axiomatic concepts for which geeks and non-geeks have contrasting ideas. Glen's sixth contraxiom -- one which I feel is especially relevant to the topic -- centers around the concept of lying. For the geek, lying is evil. Truth is sacred. Answering yes to a question when you don't absolutely know if something is true is a lie. Exaggeration and opinion stated as fact are lies. For the non-geek, lying is not good. It is bad manners. Answering yes to a question that you know is false is a lie. And exaggeration and opinion stated as fact are simply a part of normal speech. With such a disconnect in terms and terminology, CISOs often find it daunting to trust vendors. Our differences leave us at an impasse where vendors are often perceived as disingenuous. And the time it takes to find proper questions to ask is taking away from our daily missions. Just last week, one of my esteemed colleagues said at a conference, "Every time a vendor speaks to someone in my organization, I lose a week's worth of work getting to the truth behind the sales pitch." With these types of cultural dynamics in play, it is easy to understand why CISOs and vendors operate at best under a guarded truce. But it doesn't have to be that way. As a CISO, I operate with certain guidelines when dealing with vendors. Be plain spoken. Understand what requirements you are trying to fulfill and communicate them directly. As part of that communication, ensure your vendor understands whether your engagement is exploratory, whether you are trying to fill a short-term spend, or whether this will be a long-term process happening within the next fiscal year. Like you, your vendors also have requirements they need to fulfill. 
It is disrespectful of their time and their mission to have them spend months with you for a supposed potential sale when, in reality, you have no intention of making a purchase. No loss leaders. While I freely admit that I will always try to obtain services as cheaply as possible, I recognize that the vendor must make a profit. I do not insist upon loss leaders or additional free services from a vendor in order to close a deal. If offered, I will accept them, but I do not make or break deals based upon the amount of free stuff I receive. Respect vendor budgets. This one plays in the realm of both ethics and mutual respect. Vendors will regularly offer up dinners, tickets, etc., to get your attention or your time. Notwithstanding appropriate legal and corporate guidelines for accepting such gifts, I make it a practice not to accept such offers if A, I'm not interested in the product, or B, I have no budget for such products. Respect vendor talent. It is nothing short of egoism to assume that the technical resources that vendors place in front of you are not equally as driven, passionate, intelligent, and capable as the operational talent on your own team. Their difference in perspective and path should not be seen as inadequacy in any form or fashion. On the other side of the relationship, the vendor reps with whom I've operated best also understood my expectations of them. Be plain spoken. I would rather be told, "No, I can't do that," than have someone tell me that their service or product meets a need of mine that they are not equipped to perform. Don't attempt to put a square peg into a round hole for the sake of a sale. Focus on the long-term. While I respect your near-term quota, I am looking for vendor partners who understand my long-term needs and constraints. Don't sacrifice a long-term relationship for the sake of a short-term sale. Deliver. Do what you say you're going to do and ensure your products do what they say they will do as well. 
I expect this level of discipline and results from staff. I should expect no less from my vendors. Vendors and CISOs do need to reevaluate the relationship if the collective profession is to improve. That relationship needs to start with mutual respect. Both sides have work to do in strengthening our ties if we are to succeed. My two cents. [ Music ] And that's a wrap for today's episode. Thanks so much for tuning in and for your support as N2K Pro subscribers. Your continued support enables us to keep making shows like this one. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our company blog post, which provides you with additional resources and analysis on today's topic. There's a link in the show notes. Tune in next week for more expert insights and meaningful discussions from CISO Perspectives. This episode was edited by Ethan Cook, with content strategy provided by Ma'ayan Plaut, produced by Liz Stokes, executive produced by Jennifer Eiben, and mixing, sound design, and original music by Elliott Peltzman. I'm Kim Jones, and thank you for listening. [ Music ]