Rules of Engagement for Successful Vendor-CISO Partnerships Part I: The Do’s 

Aug 31, 2021
Kenna Security

This first installment of a two-part series addresses what vendors should do to create strong CISO partnerships.

No two CISOs are alike, even if they hail from the same industry or similar-sized companies. So, figuring out how to keep up with the evolving demands of today’s cyber-focused decision-maker is a must for solution providers to adeptly demonstrate how their tech fits a company’s security needs now and in the future. 

Understanding individual CISO challenges helps vendors point to the right solution with a value-based approach and a vulnerability management platform that upholds a company’s goals, compliance needs, and unique processes. This tactic is key to supporting a security leader’s aim to maintain cyber health, create a security culture, and prioritize risk across their organization’s business.

With this in mind, we had in-depth conversations with cross-industry CISOs and came away with advice and tips for vendors: what matters to CISOs, and how best to engage them (and how not to) on the road to a successful, long-term vendor-CISO partnership.

The Do’s

Determine a CISO’s type or persona. CISOs are not the same from company to company. As a vendor, you have to serve a bespoke value-based approach to educating the leader about your product. This starts with assessing a CISO’s style and how it fits into the strategic focus of their business, allowing a vendor to gear product education specifically to what resonates with them. 

It can be as simple as determining what ‘tribe’ a CISO hails from to shed light on their distinct approach to their role—whether they lead from a business or tech focus — including the unknowns that keep them up at night. According to this study, the four CISO tribes are summarized as:  

  1. Security as Enabler – has a deep technical past and acts as a senior business leader who gets in front of problems to find a solution. 
  2. Security as Technology – a former alpha geek who approaches security problems not bound by compliance yet often learns the business ropes the hard way. 
  3. Security as Compliance – a non-technologist with solid leadership and managerial skills aptly leveraging compliance requirements to make security progress.
  4. Security as Cost Center – an overwhelmed and under-resourced leader who does not have a seat at the executive table and is often left treating security as a cost center versus a budget driver.

Whatever flavor of CISO you’re dealing with, understanding who they are and where they lead from is essential to helping them establish a culture built around risk.

Employ active listening. Vendors must conduct their due diligence upfront to show they understand a CISO’s organizational needs. Active listening helps a solution provider best reflect a CISO’s security challenges and offer a remediation strategy that pinpoints which vulnerabilities pose the most significant risk to the company and how business goals are impacted. 

One way to go about this is to pregame an initial conversation with a series of listening questions before the product spiel is delivered. The information to glean covers the security tools already in their environment and the milestones they’re looking to reach. Vendors should also be prepared to field CISO questions.

Embrace a CISO’s unique business pains. Knowing which security challenges a CISO is solving, and mapping your solution to those needs, gives the CISO confidence in the vendor. It also better positions them as an internal product champion who can convince their buying committee that adding a remediation prioritization solution will strengthen their security posture and support the business. Digging into how a CISO measures success (ROI, risk reduction, or cost avoidance), then offering an actionable implementation roadmap, will show how a team can save time and resources while reducing its attack surface.

Provide in-depth research and education. A common theme from our CISO sample was the desire for vendors to be over-prepared with the correct data to help them view the threat landscape and its potential effects on their organizations. Getting a CISO to care about your offering starts by showing you understand the nuances of highly regulated industry standards and how best to overcome remediation challenges. Providing industry research elevates vendors as thought-leading problem solvers who empower customers (and potential customers) to do their jobs effectively.

Here at Kenna, our ongoing relationship with the Cyentia Institute has resulted in the Prioritization to Prediction (P2P) report series, published twice a year. This industry-leading research on vulnerability management is just one way we work to guide companies in transforming AI-trained security data into confident strategic decisions that readily reduce operational risk. Our commitment to ongoing education and demonstrated customer success continues with our in-person and on-demand Kenna Katalyst series, created for security leaders looking to move away from reliance on inflated CVSS scores.

Emphasize relationship building. We all know relationship-based and word-of-mouth accolades are more effective at convincing a CISO to learn more about your product than cold calling or blind emailing. In almost every CISO conversation, we heard that introductions through peers, current customers, or venture capitalists are the most reliable ways for a vendor to stand out from the crowd. Being known and recognized by a peer is a clear advantage.

One Kenna customer told us they learned about our risk-based vulnerability management platform from another CISO, which helped our team move quickly through the RFP and POC processes. Today the customer is realizing the benefits of our data-based threat intel and how it can prioritize risk across their enterprise. 

Accommodate internal processes. Navigating a security champion’s internal operations, including the hierarchy of purchasing power, insight into the buying committee, and RFP requirements, is another CISO recommendation. Building a relationship with a company’s purchasing agent early on better guarantees a solid long-term working relationship, and eases a vendor’s path through public or private sector organizations.

What’s Next

Aligning as a partner early on prompts the need for empathy—walking a mile in the CISO’s shoes—to best demonstrate how a company’s security challenges and goals can be met with your solution, ultimately resulting in better business outcomes.

Stay tuned for Part 2 of this blog series, which will focus on “The Don’ts” — what vendors should avoid on the way to building a collaborative CISO relationship.

In the meantime, learn how Kenna makes security straightforward and accessible.
