30 Security Vendor Behaviors That Set Off a CISO’s BS Detector

I had never seen such disdain and aggravation from a CISO.

Richard Rushing (@SecRich), CISO of Motorola Mobility, sent me an email with a litany of vendor pitches. Each one punctuated with vitriolic commentary and frustration.

It appears a lot of companies will fully protect his network and automatically detect threats.

Rushing’s diatribe was so vicious that any security vendor would be horrified to know their marketing emails were eliciting this reaction.

Now I’m telling you.

‘Tried and true’ marketing and sales techniques can often be irritants to very wise security buyers. They’re not fooled. Worse, they’re turned off.

Read on for sales techniques and claims you should avoid when communicating to a security professional. For each item to avoid, I asked security professionals how they’d prefer to be engaged. This is a long article, but it’s jammed with gems. Take it slowly.

A video on this topic was shot at Security BSidesSF 2019 in San Francisco after this article was published. The video was released on 03-27-19.

1: The InfoSec cure-all

“Panaceas always trip the [BS] alarm,” said John Prokap (@jprokap), CISO, HarperCollins Publishers. “No solution has ever solved every risk. The vendor is obviously overselling.”

Examples include claims of having a ‘silver bullet’ or that their product ‘finally solves problem X once and for all,’ said Erik Bloch (@ejbloch), director, security product and program management, Salesforce.

CISOs are wary of vendors claiming that their product will ‘solve all your problems.’

“The vendor doesn’t know your infrastructure, your business, or what other controls you have,” said Randall Frietzsche (@rfrietzsche), CISO, Denver Health. “Even if it was a very good solution, it can’t fit perfectly in every infrastructure.”

Instead, said Prokap, CISOs want straight talk about the problem, its solution, and how it’s done. The next conversation should be about costs to implement and maintain the solution.

2: Claiming absolutes

“I don’t believe anyone who claims 0 or 100 percent anything,” said Allan Alford (@allanalfordinTX), CISO, Mitel.

“Any use of undeserved hyperbole immediately raises concerns,” said Claude Mandy, owner, Five Consulting.

“I hate it and find it very disingenuous when they pass off that they can completely do everything,” said Gary Hayslip (@ghayslip), CISO, Webroot. “As an IT/security executive with over 20 years of experience, there is nothing on this planet that is 100 percent except death and taxes.”

Hayslip recommends staying away from absolutes and even percentages. Instead, just give honest numbers and explain coverage. A CISO will be able to parse how much work your system is doing.

Got feedback? Join the conversation on LinkedIn.

3: We stop all threats

Falling under ‘claiming absolutes’ is the commonly heard ‘stops all known and unknown threats.’

“There will always be a threat that bypasses protections,” said Mitch Parker (@mitchparkerciso), executive director, information security and compliance, Indiana University Health.

Parker suggests vendors simply explain what they’re doing (e.g., constant updating) to improve their algorithm and enhance threat detection.

4: Automatically detects threats

A slight variation of stopping all threats is touting the ability to automatically detect all threats.

‘Just put it on the network and have it automatically detect threats.’

“How do you detect an unknown threat?” asked IU Health’s Parker.

If you answer with your ‘magical AI’ it isn’t going to win any trust points. Instead, explain the research your company is doing to improve the product’s quality.

“Rather than claiming to have solved all our problems,” said Five Consulting’s Mandy, “demonstrate an understanding of the challenges that face the industry as well as an ongoing commitment to tackle these challenges.”

5: Eliminates risk

Another absolute claim that needs to be called out is the belief that your product ‘eliminates risk.’

“The only way to eliminate risk is to eliminate the business process or technology associated with the risk,” said Gene Libov, founder, Planet 9 Security. “Instead, they should be talking about how their solution helps reduce the risk.” 

6: Confusing elevator pitch

“If I have to read the elevator pitch more than twice and still don’t understand what precisely they are selling, then it really is BS,” said Thom Langford (@ThomLangford), founder, (TL)2 Security.

Market test your elevator pitch before you release it to the CISO community.

7: Complicated explanation for something very simple

‘Our tool has machine learning capabilities to automatically comb the dark web and find out all the exposures your organization may have.’

“What the vendor is really saying is they have a crawler that can search through the dark web and find matches for keywords you provide,” said Suchit Mishra, head of InfoSec, Grab.

Be specific as to what exposures and threats your product finds that would be of value to a CISO. Mishra said he doesn’t really need machine learning capabilities just as long as it finds what he needs to be found.

8: Out of the gate with hot new buzz terms

If you’re trying to dazzle a security buyer by using the latest and greatest buzz terms, chances are it’s having the opposite effect.

“We know production-ready use cases in these new technologies are extremely limited,” said Mark Eggleston (@meggleston), CISO, Health Partners Plans.

You’ll have a lot more success if you can successfully explain your product with no buzz terms.

9: Spicing up product description with marketing adjectives

“When a vendor focuses on using marketing adjectives, such as ‘innovative,’ ‘one of a kind,’ ‘revolutionary,’ ‘visionary,’ or ‘best in class,’ to augment the features of their product, my spider sense emanates ‘danger,’” said Erwin Lopez, CISO, SLAC National Accelerator Laboratory.

“It may simply be an overzealous sales tactic, but at its worst it signifies an attempt to knowingly confuse the customer,” said Five Consulting’s Mandy.

“I will usually follow up my questioning by asking what is unique about their product,” said Lopez. “Most of the time they will find it difficult to articulate a good response… I would rather have the vendor be upfront and concentrate on what the product can do including its features and let me decide whether it’s ‘innovative,’ ‘best in class,’ or even ‘visionary.’”

10: Assuming the potential buyer has drunk your corporate Kool-Aid

Don’t ever assume your prospect understands the business case for your product.

“I need to sell it to my boss in terms she can understand within the context of our business,” said Kip Boyle (@KipBoyle), CEO, Cyber Risk Opportunities. “Instead, the salesperson should say, ‘If you think we’re a good fit, how can I help you make your business case?’”

11: Educating on basic cybersecurity

“I am very skeptical of anyone trying to sell me something and assuming I am clueless,” said Steve Luczynski (@cyberpilot22), CISO, T-Rex Solutions.

It’s insulting, and that’s not a good start when you’re trying to build a trust-based relationship. If you’re unclear as to whether your prospect understands a certain issue, ask first.

“Allow me to say ‘yes or no’ that I want them to go into a specific topic,” said Webroot’s Hayslip.

12: Asking if you care about security

While it’s OK to ask a CISO if they want you to elaborate on a certain topic in security, don’t ask if they care about the security of their business, their endpoint protection, their organization’s data, or anything else related to their job.

Caring about security is their job.

“Guilting me doesn’t help your cause,” said (TL)2 Security’s Langford.

13: Offer a ‘free’ white paper

“Unsolicited white papers are at worst garbage,” said Health Partners Plans’ Eggleston. “At best, they are a well-known ruse for a vendor to sell to me. [The CISO accepts] the white paper and what do you know a vendor calls three days later to see if they can answer the CISO’s questions from the white paper.”

Avoid the white paper, said Eggleston, and seek out on- or off-the-record validation from CISO peers.

14: It uses artificial intelligence (AI)/machine learning (ML)

“AI now seems to be in every new cyber security product hitting the market,” said Rich Malewicz, CIO, Livingston County.

If you’re going to claim, “We are ML and AI driven,” you better have immediate detail as to how, said Joey Johnson, CISO, Premise Health.

“Simply stating ‘AI’ to me is like trying to sell me a ‘car,’ as opposed to selling me a ‘Ford Mustang,’” added Malewicz, “without telling what type of engine or transmission it has.”

No security buyer is going to budge without an understanding of the AI and ML you’re using.

15: Unsolicited attachments

Most CISOs train employees to be wary about clicking and opening unsolicited attachments and links.

They assume your company is doing the same until you send them an unsolicited attachment. Maybe they shouldn’t spend money with a security vendor that needs security training.

Better to just explain what you have to offer. Let them find the information on your site.

16: The five-page marketing PDF

No introduction requires five pages of explanation.

“I’m a fan of the one-page data sheet,” said Health Partners Plans’ Eggleston. “It contains high-level specs, VM or physical offering, memory, drive space needed, agent needed, and whatever else. Plus, it includes a couple of paragraphs on what they do.”

17: We deploy in minutes

If a vendor claims their product is ‘set it and forget it’ or ‘setup is easy,’ expect CISOs’ eyes to begin to roll.

“In reality, none of the security products are easy to set up in an enterprise, and any security product requires some degree of monitoring,” said Planet 9 Security’s Libov. “Instead, they should be providing realistic estimates based on existing customers.”

Premise Health’s Johnson suggests being upfront with the challenges their customers have had with deploying their product.

“This lets me know that you understand what you’re actually proposing, and you understand the real-world challenges,” said Johnson. “Any new tech has challenges to deploy, and you’re not afraid to confront that to protect a sale.”

18: Our product will make you compliant

“Not a single product can make you compliant,” said Planet 9 Security’s Libov. “These regulations require a managed program and controls that involve the entire organization.”

“Regulations have technical, administrative and management components and it is almost certain your product or service only meets one of those components,” said Eric Cowperthwaite, director of InfoSec, Esterline.

“What they should be talking about is how their product or solution helps address certain compliance requirements,” added Libov. 

Cowperthwaite provides this example, “If you address the three line items in DFARS that call for continuous monitoring, and you do so in a way that will be effective and useful, that’s great.”

19: Our product is compliant

Warning lights start flashing when a vendor makes a claim like ‘our product is HIPAA certified.’

“No such thing exists,” said Health Partners Plans’ Eggleston.

“Most products require some degree of configuration. And those configuration options may be sufficient to support regulatory requirements. However, it doesn’t usually happen out of the box,” said Planet 9 Security’s Libov. “They should be clear on that and provide configuration guidelines to meet regulatory requirements.”

20: Our product seamlessly integrates

“I simply distrust any vendor that promises their products work in every environment and on every system,” said Five Consulting’s Mandy. “It is commercially impractical to have completed that much testing.”

“Nothing integrates seamlessly. Everything has seams. There is always some degree of pain when I need products and services from different vendors,” said Esterline’s Cowperthwaite.

But that’s perfectly OK.

Mandy would prefer the vendor provide a list of supported systems, backed up by testing.

21: Trashing the competition

“If vendors out of the blue in the middle of their pitch just start bashing other companies that turns me off,” said Webroot’s Hayslip. “I want them to keep the negative to a minimum unless I specifically ask questions about how they differ from a competitor.”

“I’m seeing [companies trash their competition] a lot lately as vendors in the endpoint space have been going at each other,” said Salesforce’s Bloch.

Not only is this negative behavior bad form, but there’s a good chance the prospect you’re talking to is actually using said competitor, noted Bloch, and they’ll be able to quickly ascertain if the claim is BS or not.

22: Claiming you’re stealing customers from the competition

“Winning a new client in a saturated market where they are also competing isn’t ‘taking a customer,’” argued Premise Health’s Johnson.

Instead of saying, “We’re taking Company X’s customers a lot lately,” Johnson suggests you say, “Those guys do some things really well. I think our differentiators and where you see us emerge is in the X niche.”

23: Creating a problem where there isn’t one

“My personal favorite is when a company writes their own narrative of the problem that differs from real life,” said Salesforce’s Bloch, who cites the example of a vendor who was trying to convince him that hackers have such smart AI that they’ll render all his tools useless, and that the only way to stop them is with the vendor’s product. “At that point I know what they are selling is crap.”

Bloch finds the truth tellers are the entrepreneurs who have lived the pain point themselves. They saw the market problem and they created the solution.

“Security people know what our problems are. If you come in speaking our language about that problem, our ears perk up,” added Bloch.

24: Phone bank cold call

You pick up the phone and hear a three-second pause and then the unmistakable –click–.

You’re the next name in a phone bank operator’s cold calling operation.

“It is BS to use an automated phone dialer to reach me,” said Health Partners Plans’ Eggleston. “Nobody wants to be a fish in a barrel. Nothing good comes from a long pause… ever.”

While the ROI from auto dialer operations may be easy to calculate, there’s no simple equation to determine lost business. Most of us remember the names of companies that utilize phone bank cold calls. We never want to do business with them.

Eggleston suggests vendors “sponsor an event or session like the CISO/Security Vendor Relationship Series. (Editor’s Note: Thanks for the unprompted shout out.) Limited budget? Sponsor an ISC2 or other after hours event, dinner, or happy hour. Start with a relationship.”

A great place to start is FreePizza.io, a simple site that matches small user groups with vendors willing to sponsor a small meetup event with a little food money.

25: Badgering via email

“I have seen an increase of messages with the following statements that just set off my BS detector and that are, in my opinion, meant to draw out a response even if it does not lead to any actual procurement or evaluation of their products,” said Emilio Escobar (@eaescob), head of InfoSec, Hulu.

Examples include:

“I hate to be a bother”

“Can I talk to the person responsible for X. If that is not you then…”

“Last attempt to connect” (delivered 10X+ times)

“Do you not care or prioritize X? Can we chat at a later time?”

“I know you are busy and emails can be lost. Thought I’d float this on top of your Inbox” (Again, delivered 10X+ times)

Meeting invites out of nowhere.

This trend leads one to believe that account execs are being measured by engagement level and are desperately attempting tricks just to get a response.

With a little research and personal connections, Escobar recommends either of the following two formats for emails:

“We have done X for Company Y and their environment is similar to yours (according to our research). If this is a problem you and your team are looking to solve, please let us know.”

“We talked to person X about this and he/she mentioned that you may be in a similar situation.”

“As long as I am approached with a problem-solving statement, I will respond if the problem is relevant or the solution is innovative enough,” said Escobar.

26: We bring the A-Team

‘We’ve brought in the best, smartest people at X skillset.’

Of course you say that, and so do all your competitors, noted Premise Health’s Johnson.

“I’ve seen lots of smart techs who don’t know how to run a business,” said Johnson. “I’d rather have Mr. T.”

27: No simple pricing

“[Vendors] brief me on an amazing product that looks to solve a problem for me but when we start discussing pricing they have to break out a spreadsheet and start factoring in all kinds of one-off costs,” said Webroot’s Hayslip. “There is nothing worse than not understanding the cost of a product… Just as the salesperson works hard to get the CISO to approve and want to purchase their product, I have to make the case for the value it provides to get funding and I can’t do that when I don’t understand their pricing.”

28: Doesn’t answer direct questions

“Not answering my questions leads me to believe they cannot fulfill my requirements,” said T-Rex Solutions’ Luczynski.

In particular, Health Partners Plans’ Eggleston calls BS when a vendor won’t clearly explain how they’re different from a tool he already has in play.

“Many of our customers buy us and use us alongside”

“This is an attempt to get a CISO to ‘hang on’ so they can continue to talk from their script,” said Eggleston. “Be honest and say why leading customers are swapping out their incumbent technology or solutions for yours.”

29: Touting your clients as companies you ‘work with’

Dig a little deeper when a company claims they work extensively with certain companies, and you realize what they’re referring to is not a business relationship, but rather just some ongoing discussions or a proof of concept (PoC), said Premise Health’s Johnson.

If you try to BS a CISO, they will find out, because they have friends at said company and they’ll find out the real truth of the relationship.

“Reputation and associated trust matter,” said Johnson. “Don’t stretch the truth.”

30: Claiming a dedicated industry practice

If you’re a small company that can’t afford regional sales reps, chances are you don’t have a dedicated healthcare practice.

Feel free to say you’d like to get some more healthcare clients or even your first one, advised Premise Health’s Johnson.

But if you feel bold enough to make the dedicated industry practice claim, added Johnson, then explain how that specific industry practice differs.

CONCLUSION: Security people have long memories, and you’ll probably have multiple jobs

If you’re trying to reach out to a CISO or similar security buyer, keep in mind that they’re receiving many similar messages. CISOs are eager to hear from smart security vendors who understand their problems and can walk them through how their solution addresses their concerns. They simply don’t have the time for and are annoyed by cute sales ploys that are repeated over and over again by you and your competitors.

Keep in mind, said Premise Health’s Johnson, you’re not just selling your product, you’re selling yourself. “You have a personal reputation that will follow you when you leave X company.”  


Creative Commons photo credits to Dustin and Jennifer Stacey, Michael Neel, John Benson, Bark, William Franklin, Antoine K, Robert Couse-Baker, dead cat, truepanther, and Jemaleddin Cole.