The CISO Series launched because of a frustration with the relationship between security practitioners and vendors. But practitioners DO have good relationships with vendors. What makes a good CISO-vendor relationship, and what can a vendor do to be loved by a CISO?

Check out this post for the basis for our conversation on this week’s episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn, and our guest Andy Ellis (@csoandy), operating partner, YL Ventures.

NOTE: Here’s Andy Ellis’ sales rebuff email.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our podcast sponsor, Varonis

What is your ransomware blast radius? The average user can access 17 million files. Varonis reduces your blast radius in days, not years. Combined with advanced detection that monitors every file touch, ransomware doesn’t stand a chance. Get a free risk assessment.

Full transcript

David Spark

The CISO Series launched because of a frustration between the relationships of security practitioners and vendors. But practitioners do have good relationships with vendors. What makes a good CISO/vendor relationship and what can a vendor do to be loved by a CISO?

Voiceover

You are listening to Defense in Depth.

David Spark

Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. Joining me for this episode is Geoff Belknap, who is the CISO of LinkedIn.

Geoff Belknap

Hello, and welcome.

David Spark

Our sponsor for today’s episode is Varonis and, once again, they have been a phenomenal sponsor of the CISO Series, so we are thrilled they are sponsoring this episode. More from Varonis later in the show. This topic is literally the entire theme of the CISO Series, which was originally the CISO Security Vendor Relationship podcast. Helen Patton, who is the advisory CISO of Cisco, asked this question on LinkedIn: “When you think about your positive vendor engagements, the vendors you want to work with, what characteristics do you see/experience?” Some great responses from CISOs and from vendors. Geoff, this comes up again and again. I’m assuming you have good vendor experiences, yes?

Geoff Belknap

Yes, and it’s the $64 million question. How do we get to a point where we have great relations? CISOs and vendors: can’t live with them, can’t crush them into a cube and make them do what you want. So you have to figure out, how do we have a strong relationship? Because in most cases, vendors need CISOs, and CISOs need vendors, and we can’t do it all on our own. We have yet to come to an amicable decision as to how to engage this.

David Spark

I would say we have yet to come to a universal decision. There are one-by-one cases that do work.

Geoff Belknap

Absolutely. Our guest today is perfect for this, because they’ve been on both sides of this.

David Spark

Yes. He is also one of my co-hosts for the other podcast we do, the CISO Security Vendor Relationship podcast, which is essentially the theme of this topic so he would be perfect for this, it is Andy Ellis, the operating partner of YL Ventures. Andy, thanks for joining us.

Andy Ellis

Thanks for having me. It’s fun to move over one virtual room, and be here.

Does it play nicely with others?

0d0:03:10:05

David Spark

Simon Goldsmith of OVO said, “Good vendors are self-aware. They know how to quickly get an accurate understanding of their part of your solution. And are honest with themselves and clients where their solution sits on the custom/product/utility evolutionary scale.” And Neil Saltman of Anomali, who also wrote a book about cyber security sales, said, “Good vendors tell you what they can do, and share their limitations.” I want to stress that last thing. I hear this again and again from CISOs, that one of the things that they like from vendors is, tell them yes, I want to know what your product can do, but please be clear to me what your product can’t do.

Geoff Belknap

Yeah. I think this is perfect framing for this. Good vendors, good partners in any relationship, are self-aware, and they know that they have things that they’re good at, and things that they are not so good at. I think in this case Simon and Neil are basically saying the same thing, which is “no good CISO is investing in a vendor and expecting that they will completely solve whatever problem that they have to solve. And that all they need to do is spray money at it to make it go away.” But a good relationship is based on that trust, that consistency over time, that they can understand what it is that you’re going to be able to provide, and what you’re not. Some things are just bolt-ons, or nice features to have and some things are that core thing that that vendor is really good at, that’s adding value to your environment. That’s where we want to focus: what’s my problem? What’s the value you can add to it? And is that worth the time and investment that we’re both going to put into the relationship?

David Spark

What is the danger of not being immediately up-front as to what you’re not good at?

Andy Ellis

There are so many hazards involved on that one. I took the time to go buy Neil’s book. Anybody who can condense this down to that one phrase has obviously got some good knowledge here. “If you’re not honest about what your technology can do and won’t do, you are setting yourself up for a really bad encounter at some point when your customer was relying on the technology to do a thing that you said it would do, or implied it would do, and it didn’t do it.” I had a vendor many years ago in threat detection, when that was the start of the space, that watched network traffic and would say, “You have things calling out to command and control.” Two years after we’d put them in, and the IT team had bought it, I realized I’d not had a report in a while and asked what it was seeing. They told me, “We have done such a great job in remediating everything in our network that we’ve had zero reports out of it. I’ve not seen anything call out to command and control.” I said, “Really?” It turned out they had basically end-of-lifed it, they’d come up with a new technology, and as soon as we pointed out we’d had no reports, they admitted, “That’s our old technology, this is our new tech.” I said, “Great, you’re done. I’m going to boycott you.” We told the team they weren’t allowed to buy the next tech from the vendor because they hadn’t told us that they’d stopped issuing meaningful updates to this technology. And we were paying a maintenance contract.

David Spark

To liken it to what I do, I have to sell sponsorships to these shows. One of the things I do is I make clear what the limitations are of sponsorships of one show over another. And I make it really clear, everything’s got a pro and a con to it. There is no one thing that’s going to solve all of your marketing needs, each one solves a different slice of the pie. What I realize is, by not saying that, vendors make a lot of assumptions about what things can and can’t do. So there’s a need to get ahead of this, and to be, as Simon says, self-aware of “don’t let them assume this”.

Geoff Belknap

Oh yes. One of the best relationships I had with a sales team was a guy named Josh, who I used to work with many start-ups ago, and has always been my mental model of a great sales person because he would spend the time to get into this. What are they going to be good at? What’s each version of the product going to be good at? What is it not going to be good at? It’s that discussion of, here are the patterns, and the anti-patterns. Here are the things we’re focused on solving, here are the things we’re not focused on solving. Josh was that guy who always built fantastic relationships with his customers, but was not always the guy that the company loved. Let’s be honest for a second, sales teams do not necessarily want you, or are not going to incentivize you to have that frank of a conversation with your customers. And I think that’s backwards. I think you need to do that, and I’m glad to see people like Neil call that out, and see more Joshes out in the world doing that, because it makes a huge difference in how I’m going to run my program.

How are the vendors handling this?

0d0:08:15:22

David Spark

Mitch Parker, CISO of Indiana University Health, said “They (the vendors) are concerned about your long-term viability and the relationship, more than quarterly numbers. Better to have a series of continual relationships to build business than a series of last-minute deals that destroy shared value.” Brian Markham, CISO of EAB, said “They (the vendors) don’t try to up-sell before the initial sale is made. They treat my team as an extension of me rather than second class citizens.” And Larry Rosen of Avanade, said “The good ones genuinely want to understand your problems before they tell you they can solve them.” So we hear this all the time. How do you start, when you have nothing?

Andy Ellis

That is absolutely the hardest. But when you have nothing, this advice still holds. Solve a problem quickly. That’s how you get to something. Even if you’re, “I solve 1000 problems.” Great, which is the one that you can solve for me tomorrow? Show me that you can solve a problem, and then let’s work on the next problem. What the vendor needs to realize is that the CISO is investing time. This is my biggest feedback to all vendors out there. You all have great solutions, although a few have snake oil. Security teams would be well off if they used your solution, but it takes time and energy to do so, and that’s why you get a “No”. It’s not the money. It’s the time and energy on the security team’s side that is, I think, the single biggest blocker. So you need to spend the least time on the security team to get some value, and once you’ve done that, now you can move up the value chain.

David Spark

What they would all love to know is, “could you just tell me your pain points, can you tell me specifically the solutions you’re looking for, could you tell me what keeps you up at night?” And the answer is, “No, you have to do that research yourself, and there’s a lot of sensitive reasons why. Because I don’t know you, I’m not going to have this discussion with you.”

Geoff Belknap

I think that’s true. But the reality is, I could tell you the things that I’m worried about, but those don’t immediately translate to a thing I can buy. If they did, I would have reached out to you. You wouldn’t have to be cold calling me, or five minutes before this meeting sending me a blind message asking me to meet you for coffee. Don’t do that; that’s never going to work. We can have that discussion, we can figure that out. But all of that is based on the premise that we’re going to be able to have a real relationship. Mitch’s perspective on this is exactly like with my friend, Josh. Build that relationship. Even if you can’t offer me something right now, or I need your product but maybe I need it three or four quarters from now, invest in that relationship. If I see it’s worthwhile, and I see that you’re someone I can build a relationship with, that’s built on trust, and I feel like you understand my problems, I’m going to come back to you. Even better, I’m going to tell other people to come back to you, and that’s really what it’s all about. If you think about the CISO vendor relationship podcast, it’s right there. The secret is right in front of you. Build a good relationship, and we’ll figure all the rest out.

David Spark

One of the things that is fighting against building a relationship is the need to make numbers by certain dates. And I think this just fights against it so much. Andy, is there a better measurement model that doesn’t fight against it so much?

Andy Ellis

I wish I had one. I’ve talked to a lot of sales reps. And the best sales reps I know lie in the CRM system, because they’re terrified of their relationships being sabotaged when somebody finds out that they’ve got a relationship and they’re close to a deal: “We need you to close that deal this quarter.” That’s the pressure they don’t want to have. So if Geoff has said, “In the next two or three quarters I might be interested in buying your solution,” some of them don’t want to tell the company that that possibility is there, because they’re afraid of sabotaging their relationship. I think sales reps see the problem.

Geoff Belknap

There’s also that bad thing where they’re told, “Call Geoff and tell him the regional VP wants to meet with him.” No, don’t do that. I don’t wanna meet with your boss, or your boss’s boss. That’s not going to help.

Sponsor – Varonis

0d0:12:57:17

Steve Prentice

Varonis monitors every single time any human or application or system account touches any file, whether on a laptop, on Active Directory, even through a VPN. Why do they do this? Brian Vecci, field CTO at Varonis, explains.

Brian Vecci

The company was founded very specifically because enterprises struggled with protecting and managing access to file systems. Organizations really, really struggled with ensuring that the right people have access to just what they’re supposed to have access to.

Steve Prentice

They monitor the blast radius, maintain compliance controls, track if an insider or outside attacker is causing trouble, and protect against ransomware attacks.

Brian Vecci

We’ll alert you when something goes wrong, and we make it very easy to answer the first, and often last, question that gets asked in any kind of security incident; “was any of our data touched?” I like to say, maybe somewhat flippantly sometimes, “Nobody breaks into a bank to steal the pens.” When somebody breaks into a bank, they’re after money. And when someone breaks into a network, these days they’re after data. What Varonis does is we help protect the data and we watch it, so we tell you when something goes wrong. The reason that we’ve become synonymous with ransomware is that ransomware attacks files. If you want to protect against ransomware, you need to monitor files and you need to make sure that people don’t have access to files that they don’t need to have access to. You minimize the blast radius, and that’s exactly what Varonis does, and we do it in a way that nobody else does.

Steve Prentice

What else is required?

To find out more, visit Varonis.com.

0d0:14:42:07

David Spark

Simon Goldsmith of OVO had a number of good tips for vendors, and here are a couple of his suggestions. One: using common terms accurately, not their own invented terms, or applying terms because they sounded good in the sales training (I would mention zero trust here). Two: balancing questions which explore the limits of my current affordance with the trust needed to ask more revealing questions. Andy, what do you think of Simon’s two tips here?

Andy Ellis

I think Simon’s tips are amazing. I was just offended, as one of the people who built an actual zero trust solution that made it to the market, you had to call me out on that. But I agree with you. I was at Cyber Week a couple of years ago, before the pandemic, and literally every vendor I met said that theirs was a zero trust solution. Really? You have a solution that’s doing key management, and you’re calling it zero trust. What’s up with that? I totally agree, I just felt called out.

Geoff Belknap

I think a better way of phrasing it though, is “if you’re building a zero trust security model, we are a solution that can fit in to that.”

Andy Ellis

Right, absolutely. We see this, we make fun of this all the time. As you’re headed towards RSA each year, all the CISOs start asking, “What is going to be the buzzword this year?” Sometimes you predict it; sometimes you don’t. Every vendor is using one of three terms. My advice is a little away from Simon’s: don’t use those. If your marketing team has to use it, great, but if you’re a zero trust solution, and you’re really a zero trust solution, you don’t have to say zero trust, because it will be really obvious when you explain your technology that that’s what you do. I love this advice, but I think the common terms are so over-used that you’re better off avoiding them.

Geoff Belknap

I think people glaze over. It doesn’t even register.

Andy Ellis

Or they get confrontational. There are security architects who are going to be like, “Oh, you’re AI. Let me prove that you’re not really AI, that you’re merely machine learning.” Do you really want to get into that conversation?

Geoff Belknap

I took this a different way. I took it to be, “Understand the common terms, not the marketing terms,” right. Most people are not buying a zero trust solution, turnkey, expecting that that’s going to solve all their problems. They’re like, “Okay, I’m deploying a zero trust strategy in my environment. I need some auth components, I need some endpoint components, I need the proxy,” whatever it is. Where do you fit in to that? What are the parts that you’re providing there? And if you have a holistic zero trust solution, which parts do I really want to integrate with, that you’re going to be good at? Talk to me in those terms. Don’t come at me with Gartner quadrants and marketing buzzwords, because then it’s going to take so long to get to what value you can actually add that it might not be worth it for me or my team.

David Spark

It’s interesting you mention that. So often the sales pitch is not describing what we do but how popular we are.

Andy Ellis

Yes. In a sense this throws back to your comment earlier about selling ad spots and being clear about what you do. If Gartner has just said, “Oh, now you’re not CSPM, now you’re CNAPP,” then it’s important for you to do marketing that explains what CNAPP is, because nobody knows what CNAPP is. Or, if they know what CNAPP is, why you fit into that. That is absolutely fine marketing. But when you walk into a CISO who is not somebody who religiously reads the Gartner reports, they don’t know what CNAPP is, and they don’t care. So spending your sales energy trying to educate them about Gartner magic quadrants is not the thing you want to be doing. Talk about your technology, using that basic language. “Why are you cool?” “We’re cool because we do these five things well.” Not, “We’re cool because we’re CNAPP.”

David Spark

A good sales technique is also the yes chain. “Do you have this in your environment?” Yes. “Are you having problems with this?” Yes. And so if you can get a series of yeses, the idea being “I heard you say yes to all of this, by the way we have a solution that solves XYZ, given all the concerns you have.”

Geoff Belknap

That works. And the yes chain is not merely a psychological trick. If I’m giving you yeses successively in a row, we are understanding each other and understanding the problem space. And that is really what it is all about. I can’t stress enough Andy’s point. I don’t know what CNAPP is. I literally don’t know if Andy’s making that up, or if that’s a thing. That’s a perfect example. I get emails from people, and they’re like “oh this is the CNAPP blah blah thing”, and I have to re-read the email, “oh, this is a transparent proxy, okay, great. We just call it that.” Let’s just have a conversation, and if you can quickly get to what my problem is, even if maybe I don’t understand it, which is entirely possible, and then you can pivot to helping me understand how your value adds to the problem space that I’m trying to solve. Then we’re going to have a great basis to start a conversation. But if you just come at me with Gartner, it’s not going to go anywhere.

Why does this still happen?

0d0:20:16:23

David Spark

Jules Okafor of RevolutionCyber brought up an issue that I mentioned earlier in the show. “The challenge is that the qualities that make a great vendor to CISOs and security teams (not pushy, custom, trustworthy, partner-model). This doesn’t make for the most profitable firms worthy of investment.” And Greg Souza of Concurrency said, “I’m seeing a common answer of ‘Understand our problem’ or ‘identify our needs first’. As someone in charge of the initial cold outreach, it can be difficult to get people to admit they have any problems.” I want to start with Jules’ comment. All our advice sounds great, but it doesn’t make an attractive cyber company, does it?

Andy Ellis

I disagree actually. I’m looking at the portfolio we have at YL Ventures. It’s almost the opposite. Our goal is, how do you build technologies that are trustworthy, partner-centric. All the things you want here are actually about the technology, not about the sales process. The problem is when you try to take a commodity-based sales process and push it. Imagine if people tried to sell cars by calling you up. We would be talking about used car sales reps and how awful they are, and I get this. I get the pushy emails from everybody I’ve ever taken my car to for a service, they’re like “oh, we will buy your car back and give you a new one”. Just please go away, my car’s been sitting in a garage for 18 months, I don’t think I need to replace it. I think this is a challenge of the way the companies get built, and then a mismatch between how they’re going to go to market and how they’re going to get their first deals. That’s the challenge that I see here. I look at our investments and our best investments have been companies that absolutely are trustworthy, ready to work with people to provide a real solution.

Geoff Belknap

I feel that in my bones, and especially with the startup exposure that I’ve had. The incentives can be tricky. Once you’ve raised a round or two, the incentives are for you to grow the business quickly, to demonstrate that you have product-market fit. Some people interpret that as just drive revenue, no matter what. We can lose sight of the fact that sustainable revenue, those relationships, that’s what’s really going to lead to a sustainable company, not just quarter-over-quarter growth. That sounds like anathema to what people really believe, but quarter-over-quarter growth is fantastic. Every CEO I’ve talked to would rather have that than a perfect product. But the reality is that you want to build a company that lasts. You want to build a company that will entitle you to an engaging relationship with somebody like Andy or myself. And that takes time. I think Jules is spot on in that the short-term incentives are not necessarily there to build long-term relationships. But I think that’s about the leadership of the company. They should be incentivizing that, because that is the thing that’s going to position them better for the long run than all of their peers.

David Spark

I agree. As we said earlier, the more you can find incentives to support this behavior, the better off you are. And that’s what I think the frustration is. There are incentives that fight this behavior, not support it. Andy, whenever you get a pitch from a company, you have this form letter that you send out, which contains the line, “How do I get your attention?” And your response is, “Just be awesome. I will hear about you.” What’s your answer to the young person who’s reading this, who doesn’t have the control over the actual product because they’re working in marketing? How can they be awesome?

Andy Ellis

If you’re an SDR, a sales development representative, doing that initial outreach, here’s the unpleasant reality of your world, which is the vast majority of your conversations will end in “no”. And your goal is to make them efficient and cheap. The biggest problem we have in the whole sales pipeline incentive model, is that people don’t want to accept a “no”. So they try not to let you say yes or no in that first call, because that would be awful. Accept that you’re going to get to a “no”, and part of your awesomeness is that you call and say, “I really appreciate your time. I wanted to let you know this is the company I work for. Here’s what we do, and I just want to be on your radar.” That’s the awesomeness you can do in that job, because you probably don’t control all of your upstream marketing.

Closing

0d0:25:16:06

David Spark

Good point. That brings us to the end of the conversation; obviously we could go on, and on. We built a three-year network that launched on this very discussion. But I want to ask both of you, what was your favorite quote, and why?

Geoff Belknap

I love Jules Okafor’s quote. I think the challenge is that the qualities that make a great vendor to CISO relationship are not always the ones that are going to be short-term most profitable for that company. And that’s true, and that’s okay. We just have to look at it that almost nothing I’m doing today is short-term. It’s all about long-term gains, long-term success. That’s what I need my partners to be focused on as well.

David Spark

That’s a really good point. Andy, is there anything in cyber security that’s short-term, outside of dealing with an incident?

Andy Ellis

Unfortunately there’s a focus on the short-term in cyber security, and in the executive ranks of companies. They’re worried about, “Can you protect me against the breach next month?” And the answer is, if there’s a breach that I’m worried about that could happen next month, or is likely to happen next month, I’ve already failed in my program, because my program should be about keeping those from happening when they’re three or four years out, so that we don’t have as many incidents. There’s very little besides incidents that should be short-term. Unfortunately too much is currently short-term.

David Spark

Alright. Your favorite quote, and why?

Andy Ellis

My favorite quote was Neil Saltman’s. It convinced me to buy the book, so I think that’s a good why. But partly because it’s very clear, very straight and up front. And it’s the most important advice to a vendor, which is, “Walk in and tell me what you can’t do.” That’s almost more important than telling me what you can do. Draw the boundaries, set the expectations, partly because it’s a great sales tactic. If you have a security architect in the room who enjoys feeding on vendors, and there are too many of them in the industry that want to tear you apart and tell you your product sucks, then walk in and tell them what your product is bad at, and you’ve just defanged that entire conversation. Then when you say, “We’re great at this, we’re not so good at this thing over here,” that comment about being great is actually meaningful to everybody who listens, because you’ve demonstrated that you don’t lie.

David Spark

When I sell specifically our video chat that we do on Fridays, it sounds amazing when I sell it, when I explain it. I always warn them at the very beginning, “there’s one big negative to this, a huge negative, and I’ll tell you at the end.” So they know that there’s something bad going to come at the end. If you want to know what that is, and you’re in a company that wants to sponsor, you need to contact me at david@cisoseries.com. I won’t tell you on this show.

Geoff Belknap

What a teaser!

Andy Ellis

That is great sales right there. Leave them with a hook, that’s like ending your social media post with a question.

David Spark

I want to thank both Geoff Belknap and Andy Ellis for joining me here today. Andy, I’m assuming your portfolio companies are hiring?

Andy Ellis

Yes, the YL Ventures portfolio companies are all hiring. Go to jobs.ylventures.com.

David Spark

Geoff, LinkedIn is always hiring, and they also have other jobs on there. It’s just a good place to be.

Geoff Belknap

LinkedIn.com/jobs. You can find my jobs and zillions of others.

David Spark

Plus, if you work there, you can totally say “I got a job through LinkedIn.”

Geoff Belknap

That’s right. Good point.

David Spark

Thank you, gentlemen. Thank you, everybody, for purchasing and listening to Defense in Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.