Special Editions 1.25.23
Ep 47 | 1.25.23

Cyber Marketing Con 2022: From the horse’s mouth: CISO Q&A on solving the cyber marketer’s dilemma.


Rick Howard: Hey, CyberWire listeners. At the 2022 Cyber Marketing Con, the CyberWire presented a CISO Q&A panel on how to help cyber marketers reach CISOs and other security executives in the industry. The panel included myself, the CSO of N2K, Jaclyn Miller, the CSO of DispatchHealth, and Ted Wagner, the CISO of SAP NS2, and was moderated by board director and operating partner Michele Perry. Stay tuned until the end to hear us answer some additional bonus questions submitted by the attendees. Enjoy.

Unidentified Person: Alright, friends. Get excited about this next session. Our panelists are here to bring a security buyer perspective on how, why and where they buy security products. So I want you to welcome to the stage Michele Perry, board director, operating partner and investor in multiple companies; Rick Howard, the chief analyst, chief security officer and senior fellow at the CyberWire; Jaclyn Miller, head of IT and info security chief security officer at DispatchHealth; and Ted Wagner, CISO at SAP NS2. A round of applause for all of them, folks. Enjoy. 


Michele Perry: Am I on here? OK. Well, first of all, thank you, everyone, for joining us here today to educate all these cyber marketing folks here on the best way to reach you and ultimately sell you 'cause they don't want to just reach you. They want to sell you. You don't... 

Rick Howard: No, no. 

Michele Perry: (Laughter) So you don't want your time wasted. And, you know, the sales and marketing folks here don't want their time wasted as well if their - you know, their methods don't work. So a quick little background - I originally was - it's been a while since I was in the marketing trenches in the security space specifically, trying to break through all the security noise. I was the CMO at Sourcefire and came up with pink pigs as a way to break through the noise. So that's what we did. We built a whole brand around some pink pigs. But there was a lot more to it than that. But that's how long ago it was that. But since then, I've been... 

Rick Howard: That's all I remember. 

Michele Perry: ...Is the pink pigs? 

Rick Howard: The pink pigs. Can you hear me now? Yeah. 

Michele Perry: Yeah. 

Rick Howard: OK. I will work on that. 

Michele Perry: Yeah. 

Rick Howard: Yeah. Thank you. 

Michele Perry: So since then, I've been an investor, a board member in a bunch of security companies such as ThreatConnect, BackBox and Greymatter.io. So as you know, we have three very talented CISOs here with us today. We did a prep call. And, you know, sometimes you do the prep calls, and you're, like, pulling things out of people, trying to get them to want to talk. And they opened up on the prep talk, like, all these different ideas. So I couldn't wait for the panel to come so that we could really share these ideas. 

Michele Perry: So again, just a couple of little things - according to CyberDB, there's over 3,500 cyber companies in the U.S. right now. And globally there's 5,685. So that's your competition on getting through to these folks. So you've got to be very precise in understanding what works and what doesn't work 'cause your budget's never going to be big enough. And again, as we do some recession and cutbacks and everything, what's one of the first places that lots of times gets cut? Marketing? Yup. So we've got to be precise and really make sure we're not wasting money on the wrong things. So what I thought I'd do is my very first question down the panel here - and we'll start with you, Rick - is what things should companies not be doing, and what should they not be wasting their time and money on, besides stalking you? Yeah, what are those things? 

Rick Howard: How many companies did you say are security companies - 56 bazillion? 

Michele Perry: Fifty-six eighty-five globally on the CyberDB. 

Rick Howard: Yeah, 'cause I know that because I get email from all the salespeople every day from that, right? And so the one thing I would say is you're never going to get the attention of somebody like me - probably these two, also - by sending me cold emails or trying to call me on the phone, all right? I don't have enough time to address all of them, all right? So that's one thing that will never work for most of our peers. I don't know. Do you guys believe... 

Ted Wagner: Yeah. 

Rick Howard: ...The same thing? 

Ted Wagner: So, I mean, I was - I mentioned to you earlier, I came off the elevator, and I got a cold call. And I know what you're saying. 

Rick Howard: Did you whip out your checkbook right there? 

Ted Wagner: The only reason I answered the phone was because I'm arriving at a conference. Maybe they're looking for me. And as soon as the guy started talking, I just hung up on him. I mean, it's just reality. 

Jaclyn Miller: Yeah, I agree. It's - I try not to be rude, either. I know everybody's got a job to do. But at the same time, there's such a flood of cold calls, cold LinkedIn reach-outs. LinkedIn - let's talk about LinkedIn for a minute. I have had to just plain stop accepting anybody that has business development, marketing sales in their title. I check your title, and if it's that, then I just ignore or decline your invite because I don't have the time to interact with you on LinkedIn. You might have something great to say, but at this point I've gotten flooded with requests on LinkedIn, and it's just untenable. So unfortunately, LinkedIn is not your best friend. 

Ted Wagner: I mean, my standard is I have to physically meet you. I will not accept a LinkedIn request unless we have physically met. 

Jaclyn Miller: Yeah. 

Rick Howard: Well, I'll give you a part two to the no cold call thing. If you - if I don't answer you and then the next - your next move is to send me a note that you're mad at me 'cause I didn't... 


Rick Howard: ...Respond to you - OK? - you're never going to get in the door - OK? - ever 'cause - you're just not, right? I have a different standard for LinkedIn, though. When people reach out to me, if they are actually talking about something that I'd been talking about on LinkedIn, they have an idea about it or they have a way and they think, hey, I heard your thing; I think you can - there's a new way to think about that - I will talk to those people, right? So I'm looking to solve problems, not hear a... 

Ted Wagner: Right. 

Rick Howard: ...Product pitch. 

Michele Perry: OK, great. Well, those are the things not to do - no LinkedIn, no cold calling, no emails. What are the things to do? So, you know, we talked about what's a day in the life? What are the things that you guys are, you know, reading, listening to, going to? Who are the industry - you know, what are the webinars you like? What are the podcasts you like? So let's start with Ted on this one. 

Ted Wagner: So I was thinking about it a little bit. Obviously, the CyberWire is first and foremost. 

Michele Perry: (Laughter). 

Rick Howard: Absolutely. You should all be listening to the CyberWire. 

Ted Wagner: But a variety of different threat-based sources of information - I am a subscriber to Gartner. I do a lot of research on Gartner. I know Forrester is another source of that kind of information. I work in regulated industries, so I spend time on, like, D4 websites and pyramid websites and regulations because I have to be current on how do we do our business, which draws back to what Rick just said. We - we're solving a problem every day. And so I need help solving that problem. And that's where I can be - my focus can be generated. 

Michele Perry: That's awesome. 

Jaclyn Miller: Yeah, I agree. I also tend to read daily more just tech-specific, you know, newsletters or feeds or podcasts. And I really like to pick up the ones - the ones that stay with me are the ones that cross over into cybersecurity. So "TLDR" is a great one that I've been really hot on lately. The "Daily Brief" in CyberWire is something I check and scan through and go what's going on in the news 'cause it's super concise and I can double-click into anything that's really popping. But the things that I look for from, like, sponsors in those briefs of where I will click in is when they are solving a problem that is industry-specific. So for me, it's health care right now. And if there is a vendor doing something really interesting in health care, then I will double-click on that, and then that may turn into a reach out for - you know, to establish a relationship. 

Rick Howard: Do you know what I really like about cybersecurity, the reason I'm in this field? It changes all the time. OK? It's... 

Ted Wagner: Yeah. 

Rick Howard: ...Fantastic. You're never looking at the same thing every day. It's always new. I love that about the job. You know what I hate about cybersecurity? It changes... 

Ted Wagner: Changes all the time. 

Rick Howard: ...All the time. OK? You can never keep up with it, right? And so all of us are consuming sources... 

Ted Wagner: Oh, yeah. 

Rick Howard: ...Of information that we can use in our job, right? And I was an early podcast listener long before we even had names for podcasts 'cause it was an easy way to inject information into my daily life while I'm doing other things. You know, I'm doing the dishes, or I'm walking the dogs or doing the laundry. I can learn the new thing about whatever cybersecurity widget is going on by just - as it comes into my ear. So podcasts are a huge way to get your information out to the crowd you're trying to get to. But also, like you guys were saying, reading, right? I'm a giant advocate for just reading books in general, especially for your marketing people and your salespeople who are trying to get on the same page with highly technical cybersecurity people, right? Reading a book or two might be the way to get that done. So those are my two big sources of information. 

Ted Wagner: I mean, I'll just add one more example. So zero-trust architecture is really a great buzzword right now. 

Michele Perry: Oh (laughter). 

Ted Wagner: And so my company offers cloud services - software as a service. And one of the meetings we had with a customer, they said, we need to make sure you have zero trust. I said, well... 

Rick Howard: (Laughter). 

Ted Wagner: ...What aspect of zero trust? And they said, I don't know. The CISO said it has to be zero trust, and I don't know what that is, but it has to have it. And so if you have it and I can say yes, then we're good. 

Michele Perry: (Laughter). 

Ted Wagner: So, listen, I'll turn my geek meter up a little bit. I went to NIST. NIST published a document that said these are the characteristics of a zero-trust architecture, and that's my roadmap. So if you want to know what my road - where's my water hole, where am I drinking water, is where do I have that connection between, you know, a concept and the discrete elements of it, the characteristics of that I have to actually implement. 

Rick Howard: So I think that's how marketing people can help people like us - right? - 'cause we have to explain it to people, too, right? We have to go in to the CEO and say, here's what zero trust means for us. 

Ted Wagner: Right. 

Rick Howard: So you can help us tell that story, right? That would be exceedingly helpful, right? And then maybe along - later on, I'll buy your product, right? But if you can help me solve problems, that's how I might use you all. 

Michele Perry: Yeah, I would say one of the commonalities that CISOs have with marketers is we've all been in a room where somebody is, like, completely glazed over. You see their mind go elsewhere. That happens all the time. And, like, keeping our audiences, our business partners, our customers engaged with what's really important - like, we are trying to help them - sometimes from themselves - and how do we tell that story in a way that actually relates with them? So you have to relate to us, and you have to relate through us to, really, our customers and our users that we're supporting. 

Rick Howard: Part of the CISO's job is marketing internally... 

Ted Wagner: Yeah. 

Rick Howard: ...Right? - because we are a cost center. We don't bring revenue into the company, right? 

Ted Wagner: Yeah. 

Rick Howard: And so we have to convince business leaders that what they spend money on is worthwhile. So we have to tell compelling stories to them. If you can help us do that, that would be fantastic. 

Jaclyn Miller: That's awesome. 

Ted Wagner: Yeah. I would - the one other thing is integration. Like, so we have pillars of elements in our infrastructure architecture. How can we connect those things together? And typically, those integrations don't exist, or there's a conflict, and if we could break those down, if there's something that can, you know, solve a problem, which is, all of our toys don't work together. 

Michele Perry: Yeah. That was actually my next question, is that, you know, security has had a reputation for having platform vendors that have a lot of suites of products and then having these point products. And typically, the thought is that the innovation's coming from these point products versus the big suites. And how do you think about balancing those two? You want to start, Jaclyn? 

Rick Howard: I have a huge opinion on this, but go ahead. 

Michele Perry: OK. I was going to start with Jaclyn on this one. 

Jaclyn Miller: I think integration is the future of cybersecurity. Like, the - it's basically table stakes for me. I'm not buying product unless it integrates with other products that are going to be in my field of vision. So the more that you play nice with other things, the happier I am to talk to you. And I am skeptical of the one-platform-to-rule-them-all approach because I think those vendors end up, you know, being too focused. They're trying to please too many people. They don't get good at any one thing and when the pace of the industry changes that they're going to miss the boat, and they're going to be the next SolarWinds or whatever, you know, negative happens in the news. 

Ted Wagner: Yeah. 

Jaclyn Miller: So I really try to identify, with the vendors I do want to work with, what are they really good at and focus on their core capabilities and look at how well they focus on the integrations into other things. So that's my approach. 

Ted Wagner: So I was going to say that we love innovation in our area. I have, like, a collection of Snort pigs - not just one or two, like, a collection. I'm eyeing that one. 

Michele Perry: I'll leave it with you. 

Rick Howard: I have some of the calendars. 

Michele Perry: OK. 

Ted Wagner: And so when - you know, we all kind of cry when they get bought by a larger company, and then that company has an idea about combining all these products into one big, integrated product, and that innovation is lost. That's what we lose. So those innovators that come and disrupt our environment but they bring great capabilities - we love to adopt them if they can integrate with the rest of our platform. 

Jaclyn Miller: Yeah. 

Rick Howard: I have a completely different take than these two. These two are completely wrong, all right? 


Rick Howard: And I used to be that person, you know, that - we wanted the shiny tool, the - we wanted the best-of-breed thing that did the thing that we needed to do. And that was great 30 years ago when we only had three tools, right? But now most organizations have upwards of 15 to 300, depending on how big the organization is. I don't have the resources, and I'm too old to manage all that stuff. So I am willing to take a compromise. I want good enough tools that talk to each other and integrate seamlessly for me. I want to set a policy once and have it dispersed all through the tools that I have to use. And I don't care if it's best-of-breed. If it works, it's probably good enough. So, you guys, take that. 

Ted Wagner: I feel strongly both ways. 


Ted Wagner: I mean, I see your point. And there are - I think there are some synergies that can exist. So, you know, a simple example is Splunk, which is really log analysis in enterprise security. It's kind of managing that workflow. You know, you could have your own enterprise security as a separate product, but it does seem to work within the Splunk world. So there is a case in point where, hey, it works. 

Rick Howard: But to bring this back to the marketing angle, what you were saying is absolutely true. When you're coming to me to solve my problem, you have to tell me that it integrates with all the tools that I already have 'cause if it doesn't, I'm not buying it. I don't have the resources to put a new tool in and then make me fix it to talk to all the other things. I just don't have that. 

Jaclyn Miller: Yeah, I would agree with that regardless if you are platform-centric or not. 

Rick Howard: Yeah, yeah, yeah. 

Jaclyn Miller: You know, that integration skill - and it can't be, well, we can do that for a cost. It's a custom integration. Like, if I hear that word, it's like, yeah, just hang up. 

Michele Perry: How many different vendors do you work with in your capacity? 

Jaclyn Miller: Oh, my goodness. I have a slightly different role than these two 'cause I am in a startup world, so we're in the world of multiple hats. I am both IT and InfoSec. So in terms of vendors, I'm in the - like, 65 to 70 on a weekly basis that I'm working with. Yeah. 

Ted Wagner: Mind blown. I mean, I think there's probably half a dozen that I have good working relationships with, close working relationships with where we might meet once a month or once a quarter. But to the IT aspect of it - so cyber doesn't work in isolation. You have to work with your IT brethren. And so that is another universe of IT - of products that have to be - exist in your ecosystem and be secure. 

Jaclyn Miller: Yeah. 

Ted Wagner: So I get invited to the IT meetings, which is, you know, dozens. 

Rick Howard: At the CyberWire, we're a startup also, and so we run the entire business on 100 SaaS applications, right? And because we're small, we don't have the budget for big zero-trust programs or big intrusion kill chain prevention programs. Because we're small, we need - we focus on resilience. We need to survive the thing that's going to cause damage to the company, cause material damage to the company. That's where we put our resources. 

Michele Perry: So let's take a second to talk about some of these influences, like the industry analysts. You know, I like to call them the intellectual mafia. You know, you got to pay to play a little bit there and everything. 

Ted Wagner: Oh, yeah. 

Michele Perry: And I see Mark Bouchard, who used to be a Gartner analyst, in the (laughter)... 

Rick Howard: It's his fault. It's your fault. 

Mark Bouchard: META. 

Michele Perry: Oh, META, before it was Gartner, OK. But, you know, how much do these things like the Gartner Cool Vendors, MarketScopes, hype cycles, Magic Quadrants or the Forrester Waves or the 451's preview reports, how much do those matter to you? 

Jaclyn Miller: I hate to say it. They matter. Like, I feel a little bit of resentment every time that I look at a Gartner Magic Quadrant or the hype cycle. But frankly, I need to go there for a consolidated view of what tools should I - what vendor should I start with? It doesn't mean that I'm, you know, going to land on those top vendors. That's the only thing I'm going to look at. But if I can look at who the competitors are to the top ones, maybe I'll find a better fit. So unfortunately - fortunately, unfortunately, Gartner, for me, is here to stay. And they're a necessary evil in my world. I think the pay-to-play aspect is probably the thing that rubs me the wrong way the most about their model. 

Ted Wagner: I think - and I think it's a great starting point. Like, if you want to explore SASE or zero-trust architecture, it's a great, yeah, basis of knowledge. And the Magic Quadrant is, at least the analysis, a data point in terms of who are the real competitors, which unfortunately - like, if you're in the upper-right quadrant, I might reach out to you. And that's a - I get rubbed the wrong way with the pay-to-play aspect of it. But keep in mind - Rick mentioned it - we have to explain these concepts to our executive team, and they've all heard these buzzwords, and then - but they don't understand them. So I have to be able to translate what zero-trust architecture actually is, but then I have to do the technical research to understand how I can actually implement it with my existing infrastructure. So I have to go many levels deeper, and many times, Gartner won't help me there. 

Michele Perry: Yeah. 

Rick Howard: Well, I'm with you. I think Gartner's - it's a big racket, right? But you have to use it. The tools that we keep mentioning here - the Magic Quadrant, that's an amazing tool - all right? - that, if you can get in there, then you'll at least be noticed from somebody like us looking to explore whatever that service is. And the hype cycle, which is a fabulous thing, by the way, invented in the '90s, that says - because what happens in the security industry - we were talking about how people are - kind of roll their eyes when we say zero trust because every vendor says they have a zero-trust component. And we all know that's not true, all right? So - but what happens is someone has a great idea, and then it gets inflated to this is going to solve all the world's problems. And then we start to realize that, oh, there are some problems implementing that idea. So it goes into this thing they call the trough of disillusionment, right? And that's where zero trust is right now, right? And then over time, though, it starts to climb back out of that and eventually become something we all accept as a best practice, right? That model is fantastic, right? And so if your thing, your business is on that cycle somewhere - right? - that puts you in the realm that - of things that we take a look at. 

Ted Wagner: Yeah. 

Jaclyn Miller: Yeah. 

Jaclyn Miller: It's in our zeitgeist for sure. 

Rick Howard: Yeah. It's in our zeitgeist. I love that. Yeah. 

Michele Perry: So if it's not on the hype cycle, do you not waste time on it? 

Rick Howard: Well, the hype cycle is technology. It's not a product, right? So - but if your technology is not on the hype cycle, then yeah, we're not even looking at you, right? So... 

Ted Wagner: I mean, the one framework that I - and this, again, goes back to my regulated industries. I have NIST 800-171 and CMMC. That's a road map. Those are all - I have to have multifactor authentication. I have to have identity access control. I mean, there is a list of what I need. 

Michele Perry: Yeah. 

Ted Wagner: And so I'm going to go out and buy that stuff because I have to. 

Jaclyn Miller: Yep. Health care is the same. HIPAA, HITRUST... 

Ted Wagner: Right. 

Jaclyn Miller: ...If you can map to those two things, then I'm going to sit up and listen because you just made - you saved my team hours of time having to map your product to some control framework that we have to meet no matter what. 

Ted Wagner: Right. 

Jaclyn Miller: And I'm always thinking beyond that, right? We're not in it for security - check-box security, right? It's not just for the compliance. So what I'm also looking for is vendors that take it beyond that. How are you being novel and innovative? How do you go beyond just what HITRUST mandates you have to do, from, you know, access control or, you know, two-minute timeout on your authentication, which makes all of your providers mad. How have you solved that problem, that user experience, better than anybody else? Tell me that story, and tell me it in the words of the people experiencing that product. I love hearing those types of examples. 

Rick Howard: I want to double-click on what you said and just reemphasize. The NIST cybersecurity framework, if you can take that little document and map your product to those things - OK? - if I'm looking to buy those things... 

Ted Wagner: Yeah. 

Rick Howard: ...Like Ted is doing - all right? - and you can come and explain how you solve that for us, that's a win, OK? That's a huge win. 

Ted Wagner: And the - and here's where you get gravy or whipped cream or the cherry on the sundae is - like, if it's a, you know, like, some sort of infrastructure tool, like identity or a VPN service, if you give me data analytics on top of that, meaning I can collect some logs and run data analysis against those logs for that function, I love it, right? 

Michele Perry: You love it. 

Ted Wagner: So it's more than just, hey, I have a function that does identity for you. If I can now do analysis on the folks that logged into my system because the logging is right, and it integrates to my SIEM, perfect. 

Michele Perry: Yeah. OK. What are the things you find useful from vendors? Are there - you know, free trial - how important are free trials and evals, vendor created research, explainer videos - what of those things do you like? 

Ted Wagner: I don't need AirPods. 


Rick Howard: You sure? AirPods? 

Jaclyn Miller: Don't try to bribe security professionals with fancy tech devices. That's been a recent one lately, coming out of the other conferences this year. I think it rubs - it rubbed me the wrong way as well, where I felt like I was being bribed into having a meeting. I'm not doing it. And my team won't do it either. And you might even get blacklisted for a year on our list of vendors that we'll talk to. 

Jaclyn Miller: What I do like to see is where - I think we already talked about how hungry we are for information. So if you're sponsoring an event where my peers are going to get together and talk about a really important problem and we're going to share some really interesting information regardless of your product is involved in that space or not, then I will pay attention. I'll sign up for your webinar. I will go in person to have that discussion and create that space. I don't have time to set up that environment in my day. I'm working for my company. So looking to the vendors to provide that efficiency actually helps me out a lot. 

Ted Wagner: Another great example is the Verizon data breach report. I mean, that's kind of a standard we all read every year. You know, it kind of ebbs and flows in quality, but I read it every year. That - I'm going to go to that page. I'm going to give them my contact information, and I'm going to go read that report. So that kind of - if you sponsor research that's important to me, absolutely. I'm going to go and find it. 

Rick Howard: So - two things there, right? I was just telling you before we had this panel. A company called Expel put out a one-pager about how adversaries traverse the intrusion kill chain in their cloud environments. They talked about all the APIs they use. They talk about the services the cloud - that they leverage in those cloud attacks, right? And they just gave that to us. Talk about helping me explain the story to my senior leadership and to my own personnel. They made it easy to tell that story. So - marketing people, you have all these great graphics people. They know how to tell stories. Well, help me tell those stories. 

Rick Howard: The second one - I want to double down on what you said - is on the bribing part. If you invite me to a dinner or a lunch or a breakfast, and there's about 15 of these people in there - OK? - and we - and you allow us to talk about stuff and not hear a product pitch, I'm coming to that. Because I don't know anything until I suck the brains of all these people over here who are way smarter than I am. All right? So. 

Ted Wagner: I will say, spending time with other CISOs is time well spent. I've never been disappointed. 

Rick Howard: Yeah. Yeah. 

Michele Perry: Yeah. Yeah. So one of the things on our prep call - a word that kept coming up that I haven't heard as much today was trust. And you guys all kept talking about having to trust the vendor and some of the ways you develop trust. Any thoughts on that? 

Jaclyn Miller: Yeah. I think, you know, when you're starting a relationship with a vendor, that POC process, I've had vendors that have said, you know, OK, you've got to put some skin in the game. And I know when you're a startup and you need - money's tight, or - especially going into a market where dollars are going to be tight. But that POC, that ability to see your product, see how it works for real, touch it, feel it, get it up and running fast without having to spend a dime actually builds a ton of trust with the team. If you can get my team to advocate for you, then you've pretty much won 80% of the battle in terms of me getting to sign on the dotted line to spend the dollars. 

Ted Wagner: I would say we recently did a POC, which at the end did not - was not successful for a number of reasons. But now I have that trust of that vendor. And the next procurement - they have other products - I'm definitely going to give them a call and give them an opportunity because I have that trust. They - you know, they exposed their engineers with our engineers. Huge. 

Rick Howard: So - and turn that around to the marketing department is, where do you spend your money? Do you throw money towards that kind of a POC or that kind of a demo, right? That will - that builds trust. And like Ted says, I may not buy you this time, but you're - now you're in my back pocket, says, oh, look what those folks did for me. All right? So, yeah. Look for that. 

Jaclyn Miller: I also get frustrated by vendors that talk about what their product does but don't show any of it. So having that kind of gatekeep-y approach to, oh, like, we'll open up the kimono as you, like, are willing to have - spend more time with us really breaks down that trust experience for me. So show me right out of the gate. Like, show me videos. Show me demos. Show me something that's in industry solving problems. Customer case studies I'm a big fan of personally. But that definitely gets me interested and in the door. 

Michele Perry: Let me ask a question on case studies. So - we all want them. A lot of customers don't want them published, even if they love you, your company and all that kind of stuff. How do you feel if it's a masked case study? So it says, you know, this is a financial institution or health care. So they didn't get permission to sign off on using their logo and specifics, but it's a real-life case. Is that still useful? 

Jaclyn Miller: Yeah. I think so. I mean, it's harder. It doesn't jump off the page as quickly, you know, when it's a name, you know, somebody in my industry that I recognize, the health care system, et cetera. But it's still useful information. I'm looking for the story inside of it and how that relates to my business more so than I am looking for the specific customer that it's about. 

Ted Wagner: Yeah. I always look at the data that's presented. So my background's economics, as I mentioned. So data - you know, looking at data - and there's different qualities of data. Like, if you can get transactional data and then make - do analysis against it and make conclusions out of it, then that's great data. Some of us know that survey data is less helpful. 

Rick Howard: Yeah. I don't read survey data, OK? 

Ted Wagner: Four out of five dentists recommend it. 


Rick Howard: We've surveyed a hundred CISOs, and they think, you know, zero-trust is great. OK. Yeah. 


Rick Howard: I'm not doing that. Also, I'm not going to participate in the case study. I don't have time, all right? I'm not - I don't care about your marketing problem, right? 

Ted Wagner: (Laughter). 

Rick Howard: So the... 

Michele Perry: Yeah. So everyone wants them, but nobody wants to do them... 

Rick Howard: Nobody wants to do them. 

Jaclyn Miller: ...Is the challenge. 

Rick Howard: I - and you see those - you see the ones that do do them, and you go, how did their legal department approve that? 

Ted Wagner: Yeah. I was going to say, there's some disclosures. You know... 

Rick Howard: Yeah. 

Ted Wagner: ...Listen. I don't sleep well at night because I know where all the risks are. 

Rick Howard: (Laughter). 

Ted Wagner: You know, and I might confide in a fellow CISO about some risks. I'm not just going to share it with the world. 

Michele Perry: Yeah. Years ago, when we were selling to a hotel chain, not at Sourcefire, a different company, we actually ran an ad and it had one of the hotels in there featured as our case study. And literally - this was when they still got magazines. I'm dating myself on this, but I - literally... 

Rick Howard: Magazine? What are those? I've read about them. 


Michele Perry: And they were, like, this thick for a while. So literally the magazine came out, and within a week, we had had Marriott, Hyatt - there were five of them had inbound called us from that ad. And it was a very light feature, but the power of that brand, that all these other CEOs said, hey, go find out what our competitor's doing and get us ahead. So that whole thing of keeping up with the Jones. 

Ted Wagner: I will say - maybe this is - not to compliment me, but when I do call - reach out to a company and say, hey, I'm Ted Wagner. I'm the CISO for my organization. I would like to talk to someone about your technology. If it takes more - if it doesn't get routed to the right place or I don't get a call back, or if I've exposed myself with my phone number and my email and said, please call me... 

Michele Perry: And they don't call. 

Ted Wagner: ...And they don't or the wrong person calls or they're confused, I feel like... 

Michele Perry: What's an acceptable time for that call back? 

Ted Wagner: You know, definitely within a week, but 48 hours is probably optimum. 

Michele Perry: OK. 

Rick Howard: I have one data point for the case study. Take it for what it's worth. At my last job, I worked for a security vendor, and if there was a success story with our product with that customer, the marketing folks would go in and say, we'll give you a discount on the price on your next version of this if you do the case study for us and allow us to put the logo on, right? So there was some success with that. I don't know if that works every time, but I have seen that work. 

Michele Perry: Yeah. 

Jaclyn Miller: It can work in the startup space... 

Rick Howard: Yeah. Yeah. 

Jaclyn Miller: ...Especially. You know, when we're looking for budget, we're looking for - we like the publicity, the partnership. Balancing that with risk and making sure I'm not exposing to the world, you know, all of our... 

Rick Howard: Well, that's a really good point because if you're a startup and you can associate with some big security vendor - OK. Oh, I must be good enough to be their, you know, good customer. So I didn't think of that. 

Jaclyn Miller: Yeah. 

Michele Perry: So as we continue on the trust, let's talk a little bit about evangelists and everything. You know, again, with the (inaudible) wasn't as well-known 18 years ago when we were doing this thing with the pig, and, you know, is quite the evangelist today. Rick can - he is now a huge evangelist here. 

Rick Howard: Yeah. 

Michele Perry: How - who are some of the other evangelists that you listen to, and can a company create their own evangelists? 

Ted Wagner: I think in the case of - I have one vendor, one of my half-dozen that I trust. They will have a lunch with me, and they'll bring someone that has been in the community that has real security creds and just sit and talk, and they can elicit a lot more of me explaining, well, these are my problems because they've established some trust with someone who speaks my language. Not everyone speaks our geek, but if someone is credible and is an evangelist and know - can articulate, they can break - they can open some doors and get - elicit some conversations they wouldn't normally get. 

Michele Perry: Yeah. 

Jaclyn Miller: I would agree with that. I actually really enjoy those types of conversations with leaders in the cyber field. And obviously, I'm a little bit younger than those on the stage (laughter). 

Ted Wagner: Wait. 

Rick Howard: What are you saying exactly? Come on. 


Jaclyn Miller: I really appreciate you all as (inaudible)... 


Jaclyn Miller: ...Is really what I'm saying. I'm trying... 

Rick Howard: Whippersnapper. 


Michele Perry: There's one in every crowd. 

Jaclyn Miller: No, but that's - really, building those relationships with people that have been in the industry longer than me, where I'm at in kind of the midpoint in my career, is incredibly valuable. And those are the people, too, where I will explore new companies, the ones that are emerging and - that I wouldn't normally look for when running my business because if those people have a relationship with those startups and they're advocating for it and someone I deeply respect, then I am going to go look and see what they're doing. It may not be the right time for my company to buy. I'm not willing to take that risk yet, but I will watch that company because they've advocated for them. 

Rick Howard: I've had previous experience with this. In my last job, I worked for the CEO and he - my first day in the job, he immediately started sending me out to events that he didn't want to do or couldn't do, all right? So after I was there for, like, six years, and at the end of that run, we had, like, 15 of these evangelists around the world going in and talking to customers, but there are some very specific requirements. They had to be former CISOs - right? - who were in - had been in the trenches, right? They can't be marketing people. They can't be salespeople. They need to have the experience, the marks on their back from doing the job, all right? So they can go in and have a little rapport, OK, with the CISO that they're talking to, right? And so - oh, and they needed to be high up in the company. They couldn't be a manager. They couldn't be a director. They needed to be a VP or somebody higher than that, that could speak for the company, all right? 

Rick Howard: So that means they had to understand the product as well as any of the product managers. They needed to understand the finances of the company as well as the CEO. They needed to be the stand-in for the senior leadership team, all right? So when those folks walk in to a CISO and have a conversation with them, they have instant gravitas, right? And so when they say, yeah, I think what you're doing is not going to work, that CISO would say, all right, I need to consider that opinion. He may not agree with them, but at least they need to consider it. That had a lot of - that worked a lot in many occasions. 

Ted Wagner: I will say - so my company, we offer software as a service to customers. And we have security posture around our products. When the sales team talks to the customer about how good our security is, they may not have the same gravitas as Rick is referring to. So I get called to meetings to talk to the respective security team to articulate what exactly our security posture is and how we do our security, so they can go back to establishing trust. Because we're going to be - we're going to process their data that's as sensitive as it gets. So we have to - there has to be this mutual trust. 

Jaclyn Miller: Yeah. It's the same within my company, too. We have partners and we are sharing patient data, and there's a lot of regulatory risk if we get this wrong on both sides, you know, in terms of financial penalties and reputation. And so the growth team will have the conversation with the partner. But ultimately, they aren't going to send us any patient information or refer any patients to us until they've had a conversation with me and my senior team, to ensure that we're doing all the right things, and that we're going to take care of that patient data the same way they would or better. 

Rick Howard: So I'll double down on that, just to make a point. If you're a security vendor bringing in your CISO to talk to the customer's CISO, so it's a really useful thing. 'Cause what the customer is going to do is, are you using your own product? And how is it working? And what problems do you have with it? 

Ted Wagner: (Laughter) Yeah. 

Rick Howard: You know, that's a really useful conversation. 

Ted Wagner: Yeah. 

Rick Howard: OK, so keep that in mind. 

Ted Wagner: Great. 

Michele Perry: Good. How about COVID? Has that changed your buying habits at all? 

Jaclyn Miller: I would say it's definitely put the focus on the digital experience. So InfoSec and cyber has been notorious, and is still breaking out of the reputation of being the office of no, the thing that makes my job... 


Jaclyn Miller: ...Harder, all the negative things. And so with COVID and the focus on remote work, I think we're still in the phase where cybersecurity - the idea of frictionless cybersecurity, is huge, and it's still pushing to the top three of my list when I'm looking at products. So, yes, I think COVID has changed our buying habits and our willingness to - what we're going to introduce into our users. 

Ted Wagner: I think it's accelerated cloud. I think a lot of organizations really have to be cloud-native, cloud-centric. But the other aspect of it is you have to figure out the - one of the problems we had is, all right, we're going to have someone who can't access the network at their home and they can't walk into the helpdesk. And so that may mean shipping a computer, which is the last thing we want to do. So we have to create workflows that enable you to solve that problem over the phone or remotely. So it is about breaking down, you know, those problems that involve remote access. 

Rick Howard: Well, here's a good thing about COVID, all right. Before COVID, remote work was, for many organizations, that was in the too hard to do pile, right? This is too much money. We can't get it done. I don't know how to secure, blah, blah - lists hundred things why you can't do it. COVID happened, says, oh, we know how to do that now, OK? 'Cause we have to do it, right? And so that's not even a problem anymore. I mean, it's hard to manage and all that, but we're allowing remote work now. And so that's the one good thing we can say that happened. 

Ted Wagner: And I would say there's great benefits to remote work. 

Rick Howard: Yeah. 

Ted Wagner: You can attract nationwide... 

Rick Howard: Yeah. 

Ted Wagner: ...Employee base. We have gotten much better collaborating online. 

Rick Howard: Yeah. 

Ted Wagner: But it is difficult to onboard someone and integrate them to the team. 

Rick Howard: It's so weird, though. Like, the only time I get to talk to these two usually has been through that little Zoom window, right? 


Rick Howard: First time I saw them was when they showed up today. 


Rick Howard: All right. So... 

Michele Perry: Yeah. 

Rick Howard: It's a scary thought. OK. 

Michele Perry: So a couple of things I remember you guys said that you did like was some of these kind of good steak dinners... 

Rick Howard: (Laughter). 

Michele Perry: ...For lunches. Get out of the way. You know, helping grow the network was one of the things that - help you grow, you know, your knowledge and helping you grow your network. And whatever means to do that was a very important thing on that. 

Ted Wagner: Our networks are, I mean, it's like brother and sisters, where we've we walk hard lines, been through late nights. Every great data breach happens on a Friday afternoon. 


Ted Wagner: And so you have a kinship to all the folks that work in your industry because you share main pains. So to build that out, an introduction, or to expand that network is our bread and butter. 

Rick Howard: Yeah. 

Jaclyn Miller: Yeah, definitely. And I think the talent shortage, too, is you know, continues to plague us. 

Ted Wagner: Yeah. 

Jaclyn Miller: We're constantly looking at ways to grow our teams, our staff, not just by headcount, but by their skill sets, as well. So that network is critical to us finding those creative paths to build better teams. And it's - you know, I'm not trying to steal from either of them. 

Ted Wagner: Yeah. 

Jaclyn Miller: I want to see everyone succeed in our industry. And it takes a village in order for us to succeed at dealing with this issue. 

Rick Howard: From a marketing angle, CISOs are trying to, you know, get better in their craft and, you know, get promoted to be the big-time folks. And there's a couple of ways they think, right? They want to - one way they get the word out is they present. And they may be a little tentative about getting accepted at conferences and things. So at your conference, if you invite a couple of CISOs to speak - right? - that gives them a chance to get some experience. That's a way you can get to know them. You're not trying to sell them anything. You're just - you're interested in their ideas. That's a way to get them in the door. And the other thing that CISOs think they want is they think, somewhere in their career, they want to be on boards. So if you can have these dinners or breakfast and things and bring in a board member to say, hey, here's what you need to know to be a board, you're going to get people to show up at that. OK? So that's another way you could do it. 

Michele Perry: Great. Anything else you guys want to add before I open it up for some questions? Questions from the audience? Well, you're all going to get back to work, and someone's going to say, what did you learn? So come on. Have a question. I got somebody back here? He's getting the mic? 

Unidentified Person: All right. 

Rick Howard: But not him. OK? 

Unidentified Person: You mean you don't like me? 

Rick Howard: Anybody but him. 

Michele Perry: Oh, I'm sorry - and then we'll come to you. 

Unidentified Person: Go ahead. 

Unidentified Person: All right, I'll do it. So you mentioned downloading the Verizon DBIR. Thank you. I started that and led the team for a long time - don't do it anymore. When I was there, I was absolutely adamant about not requiring registration in order to download. I guess that's changed. And I'm wondering how big of a disincentive that is for you to download research. Obviously, you'll do it for the DBIR, maybe, because you were reading it beforehand, but you see some new report. Is that, like, a just not going to do it; I'm going to work around it; or, OK, if it's good enough? 

Ted Wagner: For me, it's definitely a question. I mean, it - I may only - you know, I might pull the trigger maybe half the time. I'll see something I'm interested in, and I'll question how willing am I to give up my personal information? 

Jaclyn Miller: Yeah, it's really the - I'm always trading off of the cold call, the cold email, the cold LinkedIn reach-out that's going to happen immediately after - just the noise that comes... 

Ted Wagner: Yeah. 

Jaclyn Miller: ...At me by submitting my information. I've tried the, like, having a separate email address. It doesn't work. Once they've got your name, they can figure everything else out. So I think it really does depend on the quality of the research paper that I'm going after. If it's something that is - has a reputation or it's from a bigger research firm that's partnered with the vendor, then... 

Ted Wagner: Yeah. 

Jaclyn Miller: ...I'm willing to do it. If it's a white paper that is self-published and it's not something that is - it's interesting to me, but it's not burning, don't put the gate... 

Michele Perry: Don't. 

Jaclyn Miller: ...On it. Like, just don't. 

Michele Perry: No gate. 

Jaclyn Miller: You'll have more interaction and more likely that I will engage with that white paper and then reach out because of it by not having to register. 

Rick Howard: I have a slightly different take on that. If I have something I want to read, I'm going to give you the credentials because on the back end, it's so easy to automate dumping that to a spam folder, right? So I don't really - I give my credentials out all the time 'cause that stuff works, right? So I don't really care that much about it. Yeah. 

Unidentified Person: Thank you. Cool. So I'll give a little bit of context on this, but not really a question. I'll phrase it in a question. Any advice you have for vendor websites? And so the context there is, as a marketer who creates content, there's the obvious analytics of, if it looks too verbose, if it looks too heavy, no one watches it. On the cybersecurity side, if it doesn't have the detail that folks want - integrations, details like what are you actually doing? - it's useless. So there's this really tough battle between too high level, too low level and the right information at the right time. And it all goes to a website. 

Unidentified Person: So there's some things that some folks are doing. So Axonius says here - I know they're one of the few that actually prioritize, like, persona. This is the CIO. This is the CISO. They know where to go. There's a home page. So open-ended, but I'd love to know from you all what you think about, like, the most hated aspects of websites. What's the most useless page you've seen that you see everywhere? Like, what's the best thing, like, how you consume content, how much time you're willing to give a website, that sort of thing? 

Ted Wagner: I think if I get confused as to what the products are - like, product naming. Like, if I can't figure it out, I'm going to just give up and walk away. 

Rick Howard: That is a good point. That's a really good point. 

Ted Wagner: Like, I know some companies that I - and I've used them in the past, but I got so confused by the naming, I didn't know what the products were. I couldn't figure it out. And I don't - I really don't have time to, like, decipher it. The other thing is, if it can be - if the context - back to the cybersecurity framework or something that gives me context - do I know what this product actually does? That's really helpful. 

Jaclyn Miller: Yeah, I would agree on that and probably double-click into that. If you have similar products, you know, or levels of products, but you don't compare them, then I'm... 

Ted Wagner: Right. 

Jaclyn Miller: ...Going to be super confused and walked away - walk away. I actually see that a ton, where, you know, like, especially in the XDR, extended detection - if it responds... 

Ted Wagner: What is that? 

Jaclyn Miller: Yeah. What is XDR? What is NDR? 

Ted Wagner: Yeah. 

Jaclyn Miller: What is EDR? Can you compare the seven flavors of it on your website together, please, for me, so I know? That's the type of information that I'm generally - or the level of detail that I'm generally looking for. 

Rick Howard: So I think, yeah, what you said is right. And there's two kinds of content - is what your product does and then explainers about here's what zero trust is. Here's what XDR is. And they need to be obvious and separate. OK. So just keep that in mind. The second thing I would say is I always look at the about page on the leadership team. 

Ted Wagner: Yup. 

Rick Howard: If you don't have the CISO on the leadership team and you're a security vendor, I'm not talking to you, OK? You don't think security is important, all right? So - and that person doesn't even have to be on the leadership team. It just - you just have to think that at least he's important enough to be on the webpage on your leadership team. 

Michele Perry: Yeah, true. Funny story - I did a naming project for a company many years ago. And 20 people in a room were fighting over what product was actually that - no, that's not our product that does this. I'm like, how the heck are your customers going to know if you can't, as the management team here, even decide which product is which on the names? 

Rick Howard: Yeah, yeah. 

Ted Wagner: And I will confess. SAP - we change the names of our products so often, I don't even know half of what the things do. 


Michele Perry: So guilty, you know, right? 

Ted Wagner: Guilty as charged. 

Michele Perry: OK. 

Ted Wagner: Got it. 

Michele Perry: OK - another question coming over here. 

Kayla Rice: Hi. I'm Kayla Rice. I'm with SpyCloud. And my question is about the layers of engagement that you guys talked about from kind of the case study and being with your peers and the dinners. How involved would you be or are in maybe a customer advisory board or some sort of executive retreat where it's less about just kind of a quick hour or two hours but really a full engagement experience? 

Jaclyn Miller: I think you catch every CISO at a certain point in their career, in their lives, their season in their companies, and it's really going to depend on their availability. My availability to step away from my job for long enough to engage in something like that is going to be the biggest blocker. But, yeah, I would be interested in that if life aligns, essentially. You have to realize that we are whole people. And we're doing seven-day-a-week jobs. So that's your biggest challenge. 

Ted Wagner: Yeah, I would concur. Like, a day away is a high watermark to overcome. I mean, it sounds attractive. But the reality of - like, I mean, I just came off of vacation. I flew in last night (laughter) to do this thing. 

Rick Howard: It's 'cause I've known Ted forever. He did this for me. 

Ted Wagner: I owe him a couple of favors. 

Rick Howard: (Laughter). 

Michele Perry: He came in from Italy so we won't feel too badly... 


Michele Perry: ...That he has jet lag. 

Ted Wagner: So if I say grazie or prego, you're... 

Michele Perry: Yeah. 

Ted Wagner: It's all good. 

Michele Perry: Another question. Oh. 

Rick Howard: Can I add to... 

Michele Perry: You want to add? Yeah. 

Rick Howard: I would say those customer advisory boards are very specific niche environments. You're not trying to get new customers there. You're trying to reach out to the customers that love you... 

Ted Wagner: Yeah. 

Rick Howard: ...And are deeply invested in you. So those are the ones you're looking for. And the reason you bring them is because you want their ideas about how to make it better. And if that is just pro forma that you're never going to listen to them and they think that, then it's not going to be a useful exercise. 

Ted Wagner: So, you know, those half-dozen products that we use that I trust - if they want me to be on an advisory board to contribute back to the development of those products, that's attractive. 

Rick Howard: And they'll invest more money in you because of that - right... 

Ted Wagner: Right. 

Rick Howard: ...Because they believe that you are - the road map is being developed because of some of the ideas that you had and how you used it in the real world. Sorry. 

Michele Perry: OK. 

Megan Garza: Hi. I'm Megan Garza with Varonis. Rick, you had mentioned that you don't give much merit to survey data. And I would have thought it'd be the opposite because you're actually speaking directly to the people that you're serving and getting their feedback. So why is it that you wouldn't typically give that much merit? 

Rick Howard: I'm a naysayer on the - you guys probably like it more than I do, right? But if you ask any CISO those level of questions, you're going to get a different answer all the time, all right? So you ask 250 CISOs, do you use zero trust, you're going to get 250 answers, different ones. If you got another 250, you're going to get 250 different ones, all right? So that doesn't really help me that much. It doesn't matter that 30% said this or 40% said that. That's not useful to me. I don't know what you guys... 

Ted Wagner: I think what people don't - always aren't honest. Or they might be pulled to one side of a question or the other - one, how it's asked. There's all these influencers to the responses, whereas when I refer to transactional data, that means, what are your actions? I mean, there's a comment I make internally, which is, I don't trust my users. I trust my logs because users lie to me. It's kind of harsh. But the reality is people aren't forthcoming in, did you click on that link? No, I didn't click on that link. Oh, the log said you did. 


Ted Wagner: Don't know. 

Jaclyn Miller: Yeah. 

Megan Garza: Thank you. 

Jaclyn Miller: I would agree with that. I think my biggest issue with survey data and why I, you know, kind of casually throw it out - I'll review it if it's part of something I'm already looking at. But it lacks context of the problem I'm trying to solve. So surveys tend to be too general. And, again, you're getting the biases maybe playing in. But frankly, it's just not getting down to the level of detail that I need about solving of the specific problem that I'm trying to solve or in the environment I'm trying to solve in. My environment is very different than your environment (laughter). 

Ted Wagner: Yeah. 

Rick Howard: I would also just say that the spectrum of talent in the CISO world is vast. There's - the pool on the left side that doesn't have that much talent is vast, and there is a handful that are really good. In the survey that you got, I don't - I'm pretty sure you don't have the top 10, you know, is all I'm saying. OK. 

Michele Perry: Any other questions? No? Oh, we got one here. 

Unidentified Person: I have one. Just with the - you know, knowing with the pandemic, everybody met virtually, and you said you've met these people for the first time. But you also said there's a lot of value from getting together with other CISOs. Going forward, knowing that live events are back, do you have a preference? Is virtual better because it's easier, or regional events, local travel? Sounds like national is somewhat out of the question because it's hard. 

Ted Wagner: Go ahead. 

Jaclyn Miller: I would say I think it's got to be a mix now, right? I'm looking for the right blend. I want to get out of the house. I'm tired of looking at my husband, who works at home, you know, in the office next door, i.e., my kitchen. So I do appreciate those. And if they're regional, it's easier for me to access. If they're events that are tied to some of the bigger conferences, then I may do national travel, you know, and willing to attend or bolt onto that experience or that schedule. I really like - what's become more common through COVID is ones that are linked to a community that I get added into, so a Slack group, a WhatsApp group, where there's chat afterwards or a reoccurring kind of virtual events that we join on a quarterly, monthly basis that I can engage with more often. From a virtual standpoint, I appreciate that more than just the one-time event. 

Ted Wagner: I will say that we have an ad hoc CISO Breakfast Club, we call it. And because of our schedules, we don't physically meet as often, but we - post-COVID, we've started to do more of that. But we may inject, like, a Zoom meeting, a Zoom happy hour, just to kind of connect and make sure we're still connecting. 

Rick Howard: I find that I have the same habits for CISO interactions as I do for my meetings at work, which, you know, I get distracted. I'm looking at Twitter. I'm doing LinkedIn and trying to pay attention. They're not as effective to me. So I'll probably - I'm probably not going to go to the Zoom meetings. 

Michele Perry: Any others there? OK. Well, thank you all for participating in this. I know I learned a lot here, and I am assuming that everybody else out there did. If you didn't learn anything, you're either kind of cocky or... 


Michele Perry: ...Or I need your resume because - fast (ph) for companies that I know that are hiring. So one or the other there. But again, thank you all for doing this. I think you're all super busy. And thank CyberWire for putting together this panel and everything. So thanks... 

Rick Howard: Thanks everybody. 


Rick Howard: Hey, guys. Rick here. We got some additional questions from the audience that we weren't able to answer at the actual event. So we're going to try to do two or three of them here. The first one is from Hunter Talpas. He or she is the demand generation marketing manager at Cobalt - asks, how do you utilize LinkedIn? And do you have any experience with LinkedIn live stream events? Well, for me personally, I use LinkedIn all the time, mostly to stay in touch with my network. But all three of us - Ted, Jaclyn and myself - we had no experience with live stream events. Still, we would consider watching one if the subject was something we were interested in. For me, the kinds of content I'm looking for in 2023 is anything to deal with implementing zero trust, intrusion kill chain prevention, resilience and risk forecasting. Both Ted and Jaclyn said that if they were going to listen, the content would have to be very high quality. 

Rick Howard: So we got a question from Karen Walsh, the founder and CEO of Allegro Solutions. During the session, the CISOs mentioned that mapping a vendor's technology-to-compliance framework is important to them. So what types of assets can help them, and do they prefer a direct mapping or a more general capability based on categories of controls? And then the last one she asked is, where in their decision-making journey would they use one of these tools? For Ted, he says, for example, NIST 800-171 Revision 2. His organization is required to meet those 110 security controls. So if a technology can assist him in meeting one of those controls, it's helpful. Jaclyn said that she needs the same thing for HITRUST and PCI DSS. 

Rick Howard: And one last question from an anonymous listener - how willing are you to provide feedback on products and services that you use? And do you prefer longer, drawn-out sales process where you get to know the company and build a relationship with them, or do you prefer a sale to be straight to the point? Ted says that in his procurement process, he tries to employ diligence. He starts with the requirements for their procurement, and then he does a formal RFP process. He establishes evaluation criteria to compare the proposals, and it can take about three months to complete. Jaclyn says that in a few cases where we need to move quickly with procurement, we always have a business proposal, evaluation criteria assessment and a minimum 30-day POC as applicable. 

Rick Howard: And so those are three questions we didn't get a chance to answer at the session itself. On behalf of my colleagues, Jaclyn Miller and Ted Wagner, thanks for coming. I hope it was beneficial to you. And we'll see you at the next one.