Rules of Engagement for Successful Vendor-CISO Partnerships Part 2: The Don’ts

Sep 22, 2021
Kenna Security


This is the second post in our blog series on vendor-CISO engagement. Part I covered what vendors should do; this part details what vendors should avoid as they help security leaders mature their programs with modern vulnerability management.

If you didn’t see it, check out Part I, which details what vendors should embrace on the road to establishing a solid working relationship with CISOs and their teams.

The don’ts

Hard selling products. It may sound counterintuitive, but according to the CISOs we spoke to, walking through the bells and whistles of your product in initial meetings matters far less than focusing on the business value the product delivers. Selling your platform's value rather than its features translates into concrete outcomes for the prospect: cost avoidance, better alignment between IT and Security, smarter allocation of people and assets, and, of course, stronger data security. Showing how a risk-based solution was implemented successfully in comparable environments with similar compliance requirements is what makes a company want to try your product in a POC.

Pushing to schedule a demo (at first). Scheduling a product demo right off the bat, without thorough upfront discovery to understand a company's security maturity, is a no-go. It also puts the focus on your product rather than on the CISO's security challenges, which misses the point. What works better is an initial 30-minute call spent getting under the hood of the company's security challenges to determine which gaps in their environment need to be filled. Only after that step will a demo have the relevance needed to show how your solution would work for that prospect. Keep in mind that leaving technical questions unanswered during a demo is another CISO pet peeve, so come prepared.

Employing scare tactics. Ransomware is undoubtedly a real threat and a real risk. But bombarding a CISO with threat and fear, rather than explaining how you can reduce their ransomware exposure or help align IT and Security teams, makes them less open to learning about your product. Instead of scare tactics, take on the role of a fixer; that is what puts a vendor ahead in the mind of a CISO.

Offering a range of forums to engage with your product, from customer reference calls to information-only events, gives CISOs multiple touchpoints to map their security pains onto your platform as a potential solution. Demonstrating proof of value across different forums gives security decision-makers the room to reach their own conclusions.

Forgoing comparison with the competition. Vendors should be able to explain clearly why their product is better suited to a CISO's needs than a competitor's. Speaking candidly to the competitive landscape, and to how your product fits a company's specific security maturity and business goals, is essential to being a partner that leaders can count on. Managing cyber risk today means wading effectively and efficiently through an ever-growing list of vulnerabilities, which calls for vulnerability management that provides data-driven threat intel, remediation prioritization, and risk scoring.

But let's face it: no solution is the right fit for every industry or business challenge. A security leader would rather a vendor show integrity by saying that a competitor is better suited to their organization than pretend otherwise. CISOs remember that honesty, and may recommend your vulnerability management solution to peers or restart the conversation when they move to another company. Integrity always wins.

Avoiding preparation for a buy vs. build conversation. When considering significant technology investments, well-resourced enterprises often contemplate building a solution in-house, reasoning that their internal team is best positioned to meet their security needs. Sometimes a company opts for a DIY solution so that its security strategy differentiates the business from competitors.

In other situations, buying is the smarter choice, typically once a company realizes that ongoing maintenance of a homegrown tool will be a burden, or that the DIY approach will limit the data sources it can draw on. With all of this in mind, it is critical to prepare for a buy versus build debate: lay out the pros and cons of each strategy, and leave room for a vulnerability management program that combines both.

Forgetting to emphasize value. According to Gartner, by 2023, 30% of a CISO's effectiveness will be measured directly on their ability to create value for the business, a prediction that fits the ongoing COVID era and a costly year of growing data insecurity. Understanding what value looks like to a CISO starts with knowing where their company's vulnerability management maturity stands. For example, an organization moving from a scanner-driven or CVSS-reliant strategy to a risk-based program might want to establish risk scores for particular asset groups. By contrast, an organization with a more mature vulnerability management program may lack the contextual insight needed to anticipate emerging threats.

Wherever a company’s program stands, vulnerability management vendors who can demonstrate customers’ short- and long-term value will have the advantage. Working with vulnerability management customers, we’ve identified proven ways to accelerate time-to-value (TTV) for vulnerability management programs at all stages to achieve security and business goals. 

Risking a "buy, then bye." A solid partnership that evolves with a CISO's changing business needs starts and ends with a laser focus on the customer. From POC check-ins and implementation timelines to a named go-to team and quarterly calls, the post-deployment phase is no time to skimp on the customer experience.

A vendor worth its salt proves its collaboration chops by showing up for the CISO's ongoing success, and especially when something is not going right. Without ongoing support at the executive, decision-maker, and user levels, red flags can accumulate that impede a renewal and put the customer at risk of churn.

Be human, and be a partner

Cybersecurity is complex; partnering with a vendor should not be. The foremost goal is to provide a value-focused methodology that helps companies make data-driven remediation decisions faster, and that is best accomplished by putting the CISO's challenges and goals front and center.

If there is one point to remember from these findings, it is to be human and to sell yourself (not your technology) first. Integrity and authenticity are the make-or-break ingredients of a solid customer partnership focused on risk prioritization and customer satisfaction.

Learn how Kenna’s risk-based vulnerability management solution uses machine learning and data science to provide customers with the most comprehensive view of risk.
