One CISO’s Grand Experiment to Engage with Security Vendors

Allan Alford, CISO, Mitel

Last week, Allan Alford, CISO of Mitel, announced on LinkedIn that he was going to set aside two hours each week to have meetings with vendors. He expects that will result in about 3-4 meetings each week.

“I expect that by Q1 of next year I will have made purchases based on this experiment,” said Alford confidently even though this public announcement unleashed a potentially untenable flurry of public and private responses.

Regardless, he knows he needs a means to learn essentially what’s out there.

“It all started with my most viral post on LinkedIn,” said Alford, where he asked fellow CISOs, “How do you learn about new technology and learn about the disruptors in the absence of all these vendor communications?”

The post got a lot of attention (51,000 views) from both vendors and practitioners.

Share your feedback by joining the conversation on LinkedIn.

“All of us in the CISO space tend to have the same approach when we receive vendor pitches,” said Alford, “Treat it all as spam and ignore it all. We get flooded with so many vendor requests, cold call emails, cold call phone calls, cold call LinkedIn reach outs. It becomes very easy to shut it all out which is previously what I’ve been doing.”

Alford and I discussed this very topic on the CISO/Security Vendor Relationship Podcast with my co-host Mike Johnson, CISO of Lyft. (Listen to “How CISOs Stay Current When They’re Ignoring Vendor Pitches”)

CISOs are not happy with the current flurry of vendor communications. Not only are they ignoring the pitches, but they’re also avoiding walking on the trade show floor at events like RSA and Black Hat.

Obviously vendors are frustrated and are trying to figure out how CISOs are going to learn about their product if they’re not allowed in the door some way.

One option discussed in Alford’s original post was talking to the VC community, but not all CISOs have access to VCs, and even if they did, they’re only going to tell you what they’re investing in, said Alford.

CISOs aren’t necessarily only concerned with learning what’s cutting edge. They need to understand what categories of solutions solve certain problems. For example, said Alford, say you were a CISO worried about data going out the door. DLP solves this problem, but in this example, the CISO doesn’t know this, so how is he/she going to figure that out?

“There is some aspect of the CISO world where I don’t even know what the tool is,” admitted Alford who realized he needed some way to learn from vendors, so he’s testing his theory.

The Response: good and bad

After announcing to vendors, “Here’s your shot,” Alford got inundated with pitches. While he’s still filtering and not taking all requests, he’s still kind of amazed at how poor some of the pitches are even when he’s explicitly said, “I’m willing to listen.”

“I’m learning very quickly that the elevator pitch is the key,” said Alford.

All he wants to hear from vendors is “Here’s what we do. Are you interested?”

Many of those pitches veered far away from that basic formula.

For example, one pitch just said, “Would driving consistency and evolution of your security program while enhancing the value of security be of interest?”

And that’s it! There was no explanation of what the vendor actually did.

“It’s like saying, ‘Do you enjoy breathing? I just happen to be a vendor of oxygen,’ but he didn’t even mention that point,” said Alford.

This pitch echoed a previous discussion I’ve had on one podcast episode entitled, “Stop Asking CISOs If They Care about Security.”

Here are two more pitches that were devoid of information of what the company actually did

  • “Hey Allan, I saw your post this morning and I’d like to see if we can eliminate the time you spend on vendors.”
  • “If it makes sense to connect, our website is ___________.”

That’s it!

Not all the pitches were bad. Some actually said what the company did, but they didn’t actually explain how they were unique.

Alford simply advises that pitches to him should just be two short paragraphs that state the following:

  • Here’s what we do.
  • Here’s why we’re the good choice in this space.

Leave it at that.

As an extra added incentive, it’s not a bad idea to compliment Allan while you’re at it. A few people acknowledged they heard Allan on our podcast episode but didn’t reference anything he said. If they noticed he expressed a concern about a certain issue on the show and you happen to have a solution for that issue, mention that!

Don’t worry if you’re not the right fit today

One point Alford and I discussed is the importance of getting your quick pitch heard and understood, even if that CISO is not currently a qualified prospect. Since CISOs talk to other CISOs and trust the advice and opinions of other CISOs, it is always in a vendor’s best interest to just make a solid connection that simply expresses what the company does and how they’re different. Once that information reaches the CISO it can be retrieved in the future whether that product is on their roadmap, or which usually happens earlier, a CISO actually asks if they can recommend a company in a specific space.

“This is the time for vendors to be talking to me,” said Alford who at this point is just looking for a relationship and a contact.

After our conversation, Alford and I agreed to follow up in one month to see how his vendor outreach program is going. Stay tuned for the update.

Share your feedback by joining the conversation on LinkedIn.

This article originally appeared on Security Boulevard.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.