This is a bonus episode of the CISO/Security Vendor Relationship Podcast with former guest, Allan Alford, CISO of Mitel, who was also the subject of a story I wrote in September entitled “One CISO’s Grand Experiment to to Engage with Security Vendors.” At that end of that discussion, Alford and I agreed that I would follow up with him in a month to see how the experiment went. This conversation is that story.
Got feedback? Join the conversation on LinkedIn
When a CISO loses the security knowledge pipeline
Prior to joining Mitel, Alford was the CISO at Forcepoint, a security company. Working for a security company afforded him the luxury of an entire company of security professionals to educate him. If he wanted to know the latest and greatest, he didn’t need to go too far. His office mates would tell him.
When Alford made the move to Mitel, that easy stream of security information dried up. He needed to find a new way to stay educated about new solutions.
“If the vendors were the ones who knew what was going on, then maybe these vendors I’ve shunned my whole career and chased away, maybe they are the secret of learning more about what’s going on in the industry and who the disruptors are,” admitted Alford.
Alford had just joined the company as CISO two months prior. It was a position that hadn’t existed at Mitel. Budget season was coming up and that meant purchase and planning decisions were going to be critical. While he knows he could have gone with the same players as he had in the past, he wanted to make a true difference to the business. That required him to find new and innovative solutions, and that meant getting his education up to snuff as quickly as possible.
Dictating how you’d like to find the disruptors
Thus began Alford’s experiment which began with a post on LinkedIn announcing that he was reserving two hours a week to engage with vendors. The response from the vendor community was overwhelming. He got a flood of requests for his time, but not in the format he wanted.
To correct his loose instructions, Alford followed up with another post dictating how vendors should pitch him should they want his time. He asked for a three-point pitch only via LinkedIn. The pitch should include the following:
- Who you are and what you do.
- How you’re differentiated from the rest of the pack.
- Why Alford should contact you.
Security vendors are eager to educate. Let them.
Alford needed a new solution to the education he lost when he stopped working for a full-time security vendor. This pitch-based engagement technique where he dictated the rules worked out for his needs.
“I wanted to shake up my own paradigm and see what was new,” said Alford.
Because Alford was operating around a budget cycle, his original plan of two hours a week was optimistic. It took him ten hours a week over the past month to get the information he needed. But that’s OK because it was necessary for that time. When he’s not in budget season, Alford feels comfortable that two hours a week in perpetuity talking with vendors is a comfortable ongoing education cycle.
If he didn’t reach out to security vendors, he would have turned to his CISO colleagues and asked what solutions they were using. But as Alford points out, “Talking with other CISOs is a closed loop system… At some point a CISO has to let the new guys in.”
And if Alford wasn’t the guy who did that, what were the chances he was going to happen to talk to the right CISO at the right time who had opened the door to let those people in? He needed to do the outreach himself.
One CISO’s guide to vendor outreach
If you’re a CISO or security professional eager to follow Alford’s lead of engaging with security vendors, here’s his advice:
- Don’t define your problems in public. That’s obvious.
- Clearly define how you would like to be pitched. This is critical.
- Be prepared for the wave. Don’t be overwhelmed.
- Be prepared to think outside your own box. This exercise is to find the disruptors.
Got feedback? Join the conversation on LinkedIn
Creative Commons photo attribution to Johann Schwarz.