Recently, a good friend of mine and longtime CISO left the chair to become the chief security strategist at a well-known security technologies company. A few weeks after that transition, my buddy and I sat down for a long overdue dinner with some friends. During the meal we discussed the transition from responsible charge to vendor. My colleague was less than thrilled at all aspects of the transition.
"Overnight I went from being a respected colleague to 'just another vendor,'" my colleague complained. "I'm no longer allowed at CISO events; I am no longer eligible to sit in CISO-exclusive meetings; professional organizations that I have supported for years treat me like a second class citizen; and folks whom I interacted freely and openly with won't return my calls. Why is it that CISOs treat vendors like dirt?"
As I about to respond, another colleague of mine who had crossed over to the vendor side nodded her agreement. "You're an anomaly, Kim," she asserted. "You treat vendors as partners; most of your peers treat us like dirt."
I admit that I was taken aback by these comments...but only a little. Vendor opinions of me tend to be decidedly bipolar. My style of engagement tends to be direct and pointed; While many vendors enjoy this honest dialogue, many more have found me extremely "difficult" to engage with. I didn't pursue the conversation over dinner (I was the only non-vendor at the table and my colleagues were in full rant mode :) ), but I did spend some time mulling over the problem.
Like most relationship challenges, the problems with the vendor/CISO relationship are two sided. I would posit that the CISO portion of the relationship dysfunction centers around something I like to call
the egoism of motivation.
In an earlier blog post, I posed the question of why security professionals do what they do. While I left the question open ended, I would submit that the majority of us walk the path we do for semi-altruistic reasons. While our careers tend to be fairly lucrative these days, most of us end up fighting an uphill battle for resources and understanding with those who would quickly turn us into scapegoats should an adverse event occur. Yet despite this environment we keep going back into the fray with zeal, passion, and dedication. We are not cops or soldiers, priests or firemen...but at some visceral level we do share the same passion for service and making a difference as those in the aforementioned professions. In this context, it is at times difficult to engage with those whom purport to understand our concerns yet do not share our motivations. CISOs have no objection to money or profit motives -- hell, I have a kid in college and am all about not having my paycheck bounce :) That being said, it is at times vexing to engage in conversations about a tool or service with vendor personnel who don't share your motivations; who don't necessarily have similar experiences; and who seem more concerned about acquiring your (very) limited dollars versus resolving your near and long term challenges.
Even for those of us who manage to get past our own egoism, there still exists the challenge of vendor-CISO communication. Several years ago I came across a webinar by Paul Glen, author of the book Leading Geeks. In this webinar, Mr. Glen discussed seven "contaxioms" -- axiomatic ideas and/or concepts for which geeks and non-geeks have contrasting ideas. Glen's 6th contraxion -- one which I feel is especially relevant to the topic -- centers around the concept of lying. For the geek:
-Lying is evil; truth is sacred.
-Answering yes to a question when you don't absolutely know if something is true is a lie.
-Exaggeration and opinion stated as fact are lies.
For the non-geek:
-Lying is not good; it is bad manners.
-Answering yes to a question that you know is false is a lie.
-Exaggeration and opinion stated as fact are simply a part of normal speech.
With such a disconnect in terms and terminology, the CISO oftentimes finds it daunting to trust that which he hears from his vendor brethren. Our axiomatic differences leave us at an impasse whereby our vendor brethren are often perceived as disingenuous in their dialogue...and the time it takes to determine the proper questions to ask to get to the level of detailed, accurate data desired is time taken away from our daily missions of protection and enablement. Just yesterday one of my esteeemed colleagues said at a conference: "Every time a vendor speaks to someone in my organization I lose a week's worth of work getting to the truth behind the sales pitch."
With these types of cultural dynamics at play, it is easy to understand why CISOs and vendors operate at best under a gaurded truce...but it doesn't have to be that way. Indeed, both vendors and CISOs would benefit from an attitude of true partnership on both sides of the equation. As a CISO, I operate with certain guidelines when dealing with vendors:
-1. Be Plain Spoken. Understand what requirements you are trying to fulfill, and communicate them directly. As part of that communication, ensure your vendor understands whether your engagement is exploratory; whether you are trying to fulfill a short term spend; or whether this will be a long term process happening within the next fiscal year. Your vendors, like you, also have requirements they need to fulfill; it is disrespectful of their time and mission to have them spend months with you for a supposed potential sale when in reality you have no intention of making a purchase.
-2. No Loss Leaders. While I admit freely that I will always try to obtain services as cheaply as possible, I recognize the vendor must make a profit. I do not insist upon loss leaders or additional free services from a vendor in order to close a deal. If offered, I will accept them...but I do not make or break deals based upon the amount of free stuff I receive.
-3. Respect Vendor Budgets. This one plays in the realm of both ethics and mutual respect. Vendors will regularly offer up dinners, tickets, etc. to get your attention or your time. Notwithstanding appropriate legal and corporate guidelines for accepting such gifts, I make it a practice not to accept such offers if (a) I am not interested in the product or (b) I have no budget for such products.
The vendor reps with whom I operate best also understand my expectations of them:
-1. Be Plain Spoken. I would rather be told "No, I can't do that," than have someone tell me that their service or product meets a need of mine that they are not equipped to perform. Don't attempt to put a square peg into a round hole for the sake of a near term sale.
-2. Focus on the Long Term. While I respect your near-term quota, I am looking for vendor partners who understand my long term needs and constraints. Don't sacrifice a long term relationship for the sake of a sale.
-3. Deliver. Do what your say you are going to do...and ensure your products do what they say they will do, as well. I expect this level of discipline and results from staff; I should expect no less from my vendors.
I have met a handful of vendors (Anna, Ed, Gabi, J.R., Jason, Joel..and the late Ryan Richard) who understand and operate comfortably within these expectations. In return, I have developed strong partnerships with these individuals and the companies they represent. Indeed, as these individuals have moved from company to company they have opened doors to their new products to me; any company that would employ vendors of their caliber clearly has highly ethical business practices. These individuals get my most valued resource -- my time -- freely. Conversely, I have met a plethora of vendors who refuse to be straightforward; who don't deliver on promised functionality; and remain primarily concerned about making a quarterly quota. These vendors are either relegated as afterthoughts in my strategic planning...or are removed from my environment along with their products.
While I might be considered an anomaly to my vendor collagues, I have found the aforementioned vendors to be anomalies amongst their profession as well. Indeed, I reminded my CISO-turned-vendor that his new company (which had a reputation for arrogant, bullying marketing tactics) only hired him after the better part of a decade in the security space. Could it be that their incentive is due to having achieved a certain market saturation that they cannot move beyond without a long-overdue change in approach?
Vendors and CISOs do need to reevaluate their relationship if the collective profession is to improve. Both sides have work to do in strengthening our ties if we are to succeed.
My two cents...