How to Uncover Security Concerns When Customers Won’t Tell You

CISOs have lots and lots of security concerns

“What are your security concerns?”

It’s the one question every security vendor wants potential customers to answer. It’s also the one question potential customers don’t want to answer, for obvious security, privacy, and “I don’t have the time” reasons.

All is not lost! There are still ways, several in fact, for security vendors to sleuth out a company’s security needs.

I asked a few security professionals how they go about figuring out the answer to the “what keeps you up at night” question. Here’s their advice (plus one tip from me!):


1: Fundamentals, fundamentals, fundamentals

“While everyone likes to say their problems are unique and challenging in a way no one has ever seen before, it’s really not true,” said Michael Farnum (@m1a1vet), SA manager, Set Solutions.

You may not even need to dig that deep, or at all. If your product solves a rudimentary security need, you will probably already be in sync with a company’s security concerns. Farnum believes many organizations are still struggling with the basics of security.

2: Investigate industry-specific issues

Some security concerns are universal, but every industry, such as healthcare, also has its own regulations, data protection needs, and attack vectors.

To better understand what they are, and how companies in that industry are handling those issues, “get to know other security professionals in that market through your network and conferences,” said Daniel Riedel (@riedelinc), CEO, New Context, “and research the threat reports that have been published facing that industry.”

3: Open Source Intelligence (OSINT)

“Stalk the shit out of them,” advised Adrian Sanabria (@sawaba), director of research, Savage Security. “Read their social media posts. Read their press releases. Read the Glassdoor reviews (if you’ve never done that, you would NOT BELIEVE the inside info that gets leaked in reviews there). Read their 10-Ks and 8-Ks. See what they’re getting sued on.”

A lot of that information, Sanabria suggests, can be found by subscribing to Sqoop, which aggregates a company’s public information, such as SEC filings, patents, court cases, and announcements, and sends you alerts as new items appear.

In a post on LinkedIn, Mike Johnson, CISO at Lyft, recommends services such as “Is it on AWS?”, which tells you whether a given web host is running on AWS. He also recommends the MX Lookup Tool, which tells you whether a domain’s mail is handled by a hosted email provider, such as Gmail, Office 365, or Rackspace, and also provides some other diagnostic information.

4: CISOs like to eat too

“[Open source] information will not provide sufficient insight for an acceptable relationship with a CISO, as those sources only get part of a story,” argued Peter H. Gregory (@peterhgregory), executive director – CISO advisory services, Optiv. “It is critical to establish a trusted relationship first.”

Unlike the “15 minutes of your time” request, an offer to buy lunch or dinner is something that will actually entice a CISO. CISOs are like most humans in that they enjoy and need food. Even better, they like it when it’s free and comes with great company.

“Offer to take them out to coffee or lunch, and just get to know them,” added Gregory. “Ask non-threatening, open-ended questions and listen. Above all, be interested in what they have to say rather than think about how this can lead to a successful sales strategy. If the CISO is feeling that the vendor is trustworthy, the CISO may begin to reveal security projects, concerns, and issues.”

5: Offer a free security assessment

Sanabria’s former company, Threatcare, offers free “breach assessments.”

“We can simulate most of the key bits of a breach and tell you where you’d fail if you got hit with a breach today,” said Sanabria. “It generally gives companies a better starting point and roadmap than what they had before, it accelerates the sales cycle, and because it’s free, it gets your foot in the door. It’s a classic door-to-door vacuum cleaner sales technique… It’s easier to buy from someone who’s been in your house.”

6: If possible, use the potential customer’s product

Lyft’s Johnson recommends that security vendors “sign up for our service… go through our sign-up flow to get a feeling for how we handle authentication and launch the app to see the end user experience.” (From LinkedIn)

Simply using the product can show you where security controls are and aren’t implemented.

“This gives you the opportunity to target your message based on your prospect’s environment,” added Johnson.

7: Hire a journalist to ask the question for you

When a salesperson asks a personal question, you know they’re going to use that information to sell to you later. But when a journalist asks the same question, they want to quote you, which will hopefully make you and your company Internet famous.

That’s exactly what my company does. For Microsoft, we’ve asked “What are the greatest myths of cloud security?” For HPE, we’ve asked “How do you respond once you’ve been breached?” and “What are the most misguided beliefs of infosec?”

At the RSA Conference in San Francisco, on behalf of Tripwire, we asked attendees on camera, “What’s your security nightmare?”

When there is no prior relationship, people are far more willing to open up to a journalist than to a salesperson, even when it’s clearly disclosed that the interview will be used in content marketing.

As in the example above, you’ll be surprised at how well a sales interview turns into a piece of content. Even on camera, I have found interviewees willingly telling me extremely personal information. Here’s another video we shot for Tripwire at RSA where I asked people to tell me their password and, surprisingly, a few might have done just that.

CONCLUSION: You often won’t get the right answer even if they tell you

Even if you are lucky enough to get a CISO to sit down with you and share their concerns, they may not be telling you the full story. You still need to do the research described above, because plenty will be left unsaid that you need to know in order to solve their security problems.

Given how vast the security landscape is, it’s difficult for anyone to know all of their own security gaps.

“It’s worth mentioning that their security concerns are usually either wrong, or they’re going the wrong way about fixing them,” added Sanabria.


David Spark is the founder of CISO Series, where he produces and co-hosts many of the shows. Spark is a veteran tech journalist who has appeared in dozens of media outlets over almost three decades.