CyberWire Daily - Cyber Marketing Con 2022: From the horse’s mouth: CISO Q&A on solving the cyber marketer’s dilemma. [Special Editions]
Episode Date: January 25, 2023
At the 2022 Cyber Marketing Con, the CyberWire presented a CISO Q&A panel session on how to help cyber marketers reach CISOs and other security executives in the industry. The panel included Rick Howard, CSO of N2K Networks, Jaclyn Miller, Head of InfoSec and IT at DispatchHealth, Ted Wagner, CISO of SAP NS2, and was moderated by board director and operating partner Michelle Perry. Listen in as the panel discusses: What works and doesn't work in getting a security executive's attention. Message trust, message fatigue, and what you can do about it. Trusted information sources and how security executives use them. Positioning and messaging that is actually meaningful to decision makers. The security executive's purchasing behavior and why skepticism is the driving force. Stay tuned until the end to hear us answer some additional bonus questions submitted by attendees.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing
the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Hey, CyberWire listeners.
At the 2022 Cyber Marketing Con, the CyberWire presented a CISO Q&A panel
on how to help cyber marketers reach CISOs and other security executives in the industry.
The panel included
myself, the CSO of N2K, Jacqueline Miller, the CSO of Dispatch Health, and Ted Wagner, the CISO of
SAP NS2, and was moderated by board director and operating partner, Michelle Perry. Stay tuned
until the end to hear us answer some additional bonus questions submitted by the attendees.
Enjoy.
All right, friends, get excited about this next session.
Our panelists are here to bring a security buyer perspective on how, why, and where they buy security products. So I want you to welcome to the stage, Michelle Perry, board director, operating partner,
and investor in multiple companies.
Rick Howard, the chief analyst, chief security officer,
and senior fellow at Cyber Wire.
Jacqueline Miller, head of IT and info security,
chief security officer at Dispatch Health.
And Ted Wagner, CISO at SAP NS2.
A round of applause for all of them, folks.
Enjoy.
Am I on here?
Okay.
Well, first of all, thank you, everyone, for joining us here today to educate all these
cyber marketing folks here on the best way to reach you and ultimately sell you, because
they don't want to just reach you, they want to sell you.
You don't want your time wasted and the sales and marketing folks here don't want their time wasted as well if their methods don't work. So a quick little background. I originally was, it's been a while since I was in the marketing trenches in the security space specifically,
trying to break through all the security noise.
I was the CMO at Sourcefire and came up with Pink Pigs as a way to break through the noise.
So that's what we did.
We built a whole brand around some Pink Pigs.
But there was a lot more to it than that.
But that's how long ago it was at.
But since then I've been working. That's all I remember about the pink pigs.
Can you
hear me now? Yeah.
Okay. I will work on that.
Yeah. Got it.
Thank you. So since then
I've been an investor, a board member
in a bunch of security companies such as
Threat Connect, Backbox, and Great Matter
IO.
So, as you know, we have three very talented CISOs here with us today.
We did a prep call, and, you know, sometimes you do the prep calls,
and you're, like, pulling things out of people, trying to get them to want to talk.
And they opened up on the prep talk, like, all these different ideas.
So I couldn't wait for the panel to come so that we could really share these ideas.
So, again, just a couple little things. According to CyberDB, there's over 3,500 cyber companies in the U.S. right now. And globally, there's 5,685. So that's your competition on getting through to
these folks. So you've got to be very precise in understanding what works and what doesn't work
because your budget's never going to be big enough.
And again, as we do some recession and cutbacks
and everything, what's one of the first places
that lots of times gets cuts?
Marketing?
Yep.
So we've got to be precise and really make sure
we're not wasting money on the wrong things.
So what I thought I'd do is my very first question down the panel here,
we'll start with you, Rick, is
what things should companies not
be doing, and what should they
not be wasting their time and money on?
Besides stalking you.
What are those things?
How many companies did you say, or
security companies, 56 bazillion?
5,685 globally on the CyberDB. Yeah, I know that because I get email from all the salespeople every day, okay, from that, right? And so the one thing I would say is you're never going to get the attention of somebody like me, probably these two also, by sending me cold emails or trying to call me on the phone. All right, I don't have enough time to address all of them,
all right? So that's one thing that will never work for most of our peers. I don't know,
do you guys believe the same thing? Yeah, so I mean, I mentioned to you earlier,
I came off the elevator and I got a cold call. And the only reason I answered the phone was
because I'm arriving at a conference, maybe they're looking for me.
And as soon as the guys started talking, I just hung up on them.
I mean, it's just reality.
Yeah, I agree.
I try not to be rude either.
I know everybody's got a job to do, but at the same time, there's such a flood of cold calls, cold LinkedIn reach outs.
LinkedIn, let's talk about LinkedIn for a minute.
I have had to just plain stop accepting anybody that has business development, marketing, sales in their title.
I check your title, and if it's that, then I just ignore or decline your invite because I don't have the time to interact with you on LinkedIn.
You might have something great to say, but at this point I've gotten flooded
with requests on LinkedIn and it's just untenable.
So unfortunately, LinkedIn is not your best friend.
I mean, my standard is I have to physically meet you.
I will not accept a LinkedIn request
unless we have physically met.
Yeah.
Well, I'll give you a part two to the no cold call thing.
If I don't answer you and then your next move is to send me a note
and you're mad at me because I didn't respond to you,
you're never going to get in the door, ever.
It's just not.
I have a different standard for LinkedIn, though.
When people reach out to me,
if they are actually talking about something that I've been talking about on LinkedIn, they have an idea about it or they have a way they think, hey, I heard your thing.
I think there's a new way to think about that.
I will talk to those people, right?
So I'm looking to solve problems, not hear a product pitch.
Okay.
Great.
Well, if those are the things not to do, no LinkedIn, no cold calling, no emails, what are the things to do?
So, you know, we talked about what's a day in a life.
What are the things that you guys are, you know, reading, listening to, going to?
Who are the industry, you know, what are the webinars you like?
What are the podcasts you like?
So let's start with Ted on this one.
So I was thinking about it a little bit.
Obviously, CyberWire is first and foremost. Absolutely. You should all be listening to the CyberWire.
But a variety of different threat-based sources of information. I am a subscriber to Gartner. I do a lot of research on Gartner. I know Forrester is another source of that kind of information. I work in regulated
industries. So I spend time on like DFAR websites and procurement websites and regulations because
I have to be current on how do we do our business, which draws back to what Rick just said. We're
solving a problem every day. And so I need help solving that problem. And that's where I can be, my focus can
be generated. That's awesome. Yeah, I agree. I also tend to read daily more just tech specific,
you know, newsletters or feeds or podcasts. And I really like to pick up the ones, the ones that
stay with me are the ones that cross over into cybersecurity.
So TLDR is a great one that I've been really hot on lately.
The daily brief in CyberWire is something I check and scan through and go, what's going on in the news?
Because it's super concise
and I can double click into anything that's really popping.
But the things that I look for from like sponsors
in those briefs of where I will click in
is when they are solving a problem
that is industry specific. So for me, it's healthcare right now. And if there is a vendor
doing something really interesting in healthcare, then I will double click on that. And then that
may turn into reach out for, you know, to establish a relationship. Do you know what I really like
about cybersecurity, the reason I'm in this field? It changes all the time.
Okay. It's fantastic. You're never looking at the same thing every day. It's always new.
I love that about the job. You know what I hate about cybersecurity? It changes all the time. Okay. You can never keep up with it. Right. And so all of us are consuming sources
of information that we can use in our job.
And I was an early podcast listener long before we even had names for podcasts because it was an easy way to inject information into my daily life while I'm doing other things.
I'm doing the dishes or I'm walking the dogs or doing the laundry.
I can learn the new thing about whatever cybersecurity widget's going on by just as it comes into my ear. So podcasts are a huge way to get your information out to the crowd
you're trying to get to.
But also, like you guys were saying, reading, right?
I'm a giant advocate for just reading books in general,
especially for your marketing people and your salespeople
who are trying to get on the same page
with highly technical cybersecurity people, right?
Reading a book or two might be the way to get that done.
So those are my two big sources of information.
I mean, I'll just add one more example.
So zero trust architecture
is really a great buzzword right now.
And so my company offers cloud services,
software as a service.
And one of the meetings we had with the customer,
they said, we need to make sure you have zero trust.
I said, well, what aspect of zero trust?
And they said, I don't know.
The CISO said it has to be zero trust.
And I don't know what that is, but it has to have it.
And so if you have it and I can say yes, then we're good.
So I'll turn my geek meter up a little bit. I went to NIST. NIST published a document that said,
these are the characteristics of a zero-trust architecture, and that's my roadmap. So if you
want to know what my roadmap, where is my water hole? Where am I drinking water? Where do I have that connection between
a concept
and the discrete
elements of it, the characteristics of it
that I have to actually implement?
I think that's how marketing people can help people like us.
We have to explain
it to people too.
We have to go into the CEO and say
here's what zero trust means for us.
You can help us tell that story, that would be exceedingly helpful.
And then maybe later on I'll buy your product.
But if you can help me solve problems, that's how I might use you all.
I would say one of the commonalities that CISOs have with marketers is we've all been in a room where somebody is completely glazed over.
You just see their mind go elsewhere. That happens all the time. And keeping our audiences, our business partners, our customers engaged with what's really important, like we are trying to help them, sometimes from themselves. And how do we tell that story in a way that actually relates with them? So you have to relate to us, and you have to relate through us to really our customers and our users that we're supporting.
Part of the CISO's job is marketing internally.
Yeah.
Right?
Because we are a cost center.
We don't bring revenue in to the company.
Right?
And so we have to convince business leaders that what they spend money on is
worthwhile.
So we have to tell compelling stories to them.
If you can help us do that, that would be
fantastic.
The one other thing is integration.
So we have pillars
of elements in our infrastructure
architecture. How can we connect
those things together?
Typically those integrations don't exist
or there's a conflict. If we
could break those down, if there's something that can
solve a problem,
which is all of our tools don't work together.
Yeah.
That was actually my next question,
is that security has had a reputation
for having platform vendors
that have a lot of suites of products
and then having these point products.
And typically the thought is that the innovation
is coming from these point products versus the big suites. And how do you think about balancing those two?
I have a huge opinion on this one. Go ahead.
I think integration is the future of cyber security.
It's basically table stakes for me. I'm not buying a product
unless it integrates with other products that are going to be in my field of vision.
So the more that you play nice with other things, the happier I am to talk to you.
And I am skeptical of the one platform to rule them all approach
because I think those vendors end up being too focused.
They're trying to please too many people.
They don't get good at any one thing.
And with the pace that the industry changes, that they're going to miss the boat and they're going to be the next SolarWinds or whatever, you know,
negative happens in the news. So I really try to identify with the vendors I do want to work with,
what are they really good at and focus on their core capabilities and look at how well they focus
on the integrations into other things. So that's my, my approach. So I was going to say that we love innovation in our area.
I have like a collection of snort pigs,
not just one or two, like a connection.
I'm eyeing that one.
I'll leave it with you.
I have some of the calendars.
Okay.
And so when, you know, we all kind of cry
when they get bought by a larger company
and then that company has an idea about combining all these products into one big integrated product,
and that innovation's lost.
That's what we lose.
So those innovators that come and disrupt our environment, but they bring great capabilities,
we'd love to adopt them if they can integrate with the rest of our platform.
I have a completely different take than these two. These two are completely wrong.
And I used to be that person, you know, that we wanted the shiny tool, that we wanted the best
of breed thing that did the thing that we needed to do. And that was great 30 years ago when we
only had three tools, right? But now most organizations have upward of 15
to 300, depending on how big the organization is. I don't have the resources and I'm too old to
manage all that stuff. So I am willing to take a compromise. I want good enough tools that talk to
each other and integrate seamlessly for me. I want to set a policy once and have it dispersed
all through the tools that
I have to use. And I don't care if it's best of breed. If it works, it's probably good enough.
So you guys take that. I feel strongly both ways.
I mean, I see your point. And I think there are some synergies that can exist. So, you know, a simple example is Splunk, which is
really log analysis and enterprise security that's kind of managing that work flow. You could have your own enterprise security as a separate product, but it does seem to work
within the Splunk world. So there is a case in point where, hey, it works. To bring us back to
the marketing angle, what you were saying is absolutely true. When you're coming to me to
solve my problem, you have to tell me that it integrates with all the tools I already have.
Because if it doesn't, I'm not buying it. I don't have the resources to put a new tool in and
make me fix it to talk to all the other things. I don't have that. I would agree with that regardless if
you are platform centric or not. That integration skill. And it can't be, "Well, we can do that for
a cost. It's a custom integration." If I hear that word, it's just hang up. How many
different vendors do you work with in your capacity? Oh my goodness. I have a slightly
different role than these two because I'm in a startup world. So we're in the world of multiple hats. I am both IT and InfoSec. So in terms of vendors, I'm in the like 65 to 70 on a dozen that I have good working relationships with,
close working relationships with, where we might meet once a month or once a quarter.
But to the IT aspect of it, so cyber doesn't work in isolation.
You have to work with your IT brethren.
And so that is another universe of IT products that have to exist in your ecosystem
and be secure. So I get invited to the IT meetings, which is dozens.
At the CyberWire, we're a startup also. And so we run the entire business on 100 SaaS applications.
And because we're small, we don't have the budget for big zero trust programs
or big intrusion kill chain prevention programs. Because we're small, we focus on resilience.
We need to survive the thing that's going to cause damage to the company, cause material damage to
the company. That's where we put our resources. So let's take a second and talk about some of these influences, like the
industry analysts. I like to call them the intellectual mafia.
You've got to pay to play a little bit there and everything.
I see Mark Bouchard, who used to be a Gartner analyst.
It's his fault. It's your fault.
Oh, it mattered before it was Gartner. Okay.
But, you know, how much do these things like the Gartner cool vendors, market scopes, hype cycles, magic quadrants, or the Forrester waves, or the 451's preview reports, how much do those matter to you?
I hate to say it, they matter. I feel a little bit of resentment every time that I look at a Gartner Magic Quadrant or the hype cycle, but frankly, I need to go there for a consolidated view of what vendors should
I start with. It doesn't mean that I'm going to land on those top vendors. That's the only thing
I'm going to look at, but if I can look at who the competitors are to the top ones, maybe I'll
find a better fit. So, unfortunately, fortunately, unfortunately,
Gartner, for me, is here to stay and is a necessary evil in my world.
I think the pay-to-play aspect
is probably the thing that rubs me the wrong way
the most about their model.
I think it's a great starting point.
Like, if you want to explore SASE
or zero-trust architecture,
it's a great basis of knowledge. And the magic quadrant
is at least an analysis of data point in terms of who are the real competitors, which unfortunately,
if you're in the upper right quadrant, I might reach out to you. And I get rubbed the wrong way
with the pay to play aspect of it. But keep in mind, Rick mentioned it, we have to explain these concepts to our executive team.
And they've all heard these buzzwords, but they don't understand them.
So I have to be able to translate what zero-trust architecture actually is.
But then I have to do the technical research to understand how I can actually implement it with my existing infrastructure.
So I have to go many levels deeper, and many times Gartner won't help me there.
Well, I'm with you. I think Gartner is a big racket, right? But you have to use it. The
tools that we keep mentioning here, the Magic Quadrant, that's an amazing tool, all right,
that you can get in there that you'll at least be noticed from somebody like us looking
to explore whatever that service is. And the hype cycle, which is a fabulous thing, by the way,
invented in the 90s. Because what happens in the security issue, we were talking about how people
are going to roll their eyes when we say zero trust, because every vendor says they have a
zero trust component. And we all know that's not true, all right? So what happens is
someone has a great idea, and then it gets inflated to this is going to solve all the world's problems.
And then we start to realize that, oh, there's some problems implementing that idea. So it goes into
this thing they call the trough of disillusionment, right? And that's where zero trust is right now,
right? And then over time, though, it starts to climb back out of that and eventually become
something we all accept as a best practice, right?
That model is fantastic, right?
And so if your thing, your business is on that cycle somewhere, right, that puts you in the realm of things that we take a look at.
Yeah.
It's in our zeitgeist for sure.
Yeah, it's in our zeitgeist.
I love that.
So if it's not on the hype cycle, do you not waste time on it?
Well, the hype cycle is technology.
It's not a product, right?
But if your technology is not on the hype cycle, then, yeah, we're not even looking at you.
I mean, the one framework that goes back to my regulated industries, I have NIST 800-171 and CMMC.
That's a roadmap.
Those are all I have to have multi-factor authentication.
I have to have identity access control.
There is a list of what I need. And so I'm going to go out and buy that stuff because I have to. Yep. Healthcare is the same. HIPAA,
HITRUST, if you can map to those two things, then I'm going to sit up and listen
because you just made, you saved my team hours of time having to map your product
to some control framework that we have to meet no matter what.
And I'm always thinking beyond that, right?
We're not in it for security, checkbox security, right?
It's not just for the compliance.
So what I'm also looking for is vendors that take it beyond that.
How are you being novel and innovative?
How do you go beyond just what HITRUST mandates you have to do from
access control or two-minute timeout on your authentication, which makes all of your
providers mad? How have you solved that problem, that user experience, better than anybody else?
Tell me that story and tell me it in the words of the people experiencing that product. I love
hearing those types of examples.
I want to double-click on what you said and just reemphasize.
The NIST cybersecurity framework,
if you can take that little document
and map your product to those things,
if I'm looking to buy those things
like Ted is doing,
and you can come and explain
how you solved that for us,
that's a win.
That's a huge win.
And here's where you get gravy or whipped cream or
the cherry on the sundae is like if it's a, you know, like some sort of infrastructure tool
like identity or a VPN service, if you give me data analytics on top of that, meaning I can
collect some logs and run data analysis against those logs for that
function. I love it. It's more than just, hey, I have a function that does identity for you. If I
can now do analysis on the folks that logged into my system because the logging is right and it
integrates to my SIEM, perfect. Okay. What other things do you find useful from vendors?
Are there, you know, how important are free trials and evals, vendor-created research, explainer videos?
What are those things do you like?
I don't need AirPods.
No.
Sure.
AirPods.
Don't try to bribe security professionals with fancy tech devices. That's been a recent one
lately coming out of the other conferences this year. I think it rubs me the wrong way as well,
where I felt like I was being bribed into having a meeting. I'm not doing it. And my team won't do
it either. And you might even get blacklisted for a year on our list of vendors that we'll talk to.
What I do like to see is, I think we already talked about how hungry we are for information. So if you're sponsoring an event where my peers are going to get together and talk about a really important problem and we're going to share some really interesting information, regardless of your product is involved in that space or not, then I will pay attention.
I'll sign up for your webinar.
I will go in person to have that discussion and create that space.
I don't have time to set up that environment in my day.
I'm working for my company.
So looking to the vendors to provide that efficiency actually helps me out a lot.
Another great example is the Verizon data breach report.
I mean, that's kind of a standard we all read every year.
You know, kind of ebbs and flows in quality, but I read it every year.
I'm going to go to that page, I'm going to give them my contact information, and I'm going to go read that report.
So that kind of, if you sponsor research that is important to me, absolutely, I'm going to go find it.
So two things there. I was telling you before we had
this panel, a company called Expel put out a one pager about how adversaries traverse the
intrusion kill chain in their cloud environments. They talk about all the APIs they use. They talk
about the services, those cloud, the leverage in those cloud attacks. And they just gave that to
us. Talk about helping me explain the story
to my senior leadership and to my own personnel.
They made it easy to tell that story.
So marketing people,
you have all these great graphics people.
They know how to tell stories well.
Help me tell those stories.
The second one I want to double down on what you said
is on the bribing part.
If you invite me to a dinner or a lunch or a breakfast and there's
about 15 of these people in there, okay, and you allow us to talk about stuff and not hear a product
pitch, I'm coming to that. Because I don't know anything until I suck the brains of all these
people over here who are smart. I will say spending time with other CISOs is time well spent. I've
never been disappointed. Yeah.
So one of the things in our prep call, a word that kept coming up that I haven't heard as much
today was trust.
And you guys all kept
talking about having to trust the vendor
and some of the ways you develop trust.
Any thoughts on that?
Yeah, I think, you know, when you're starting a relationship with a vendor, that POC process, I've had vendors that have said, you know, okay, you got to put some skin in the game. And I know when you're a startup and money's tight, or especially going into
a market where dollars are going to be tight, but that POC, that ability to see your product,
see how it works for real, touch it, feel it, get it up and running fast without having to spend a dime actually builds a ton of trust with the team. If you can
get my team to advocate for you, then you've pretty much won 80% of the battle in terms of
me getting to sign on the dotted line to spend the dollars. I would say we recently did a POC,
which at the end was not successful for a number of reasons.
But now I have that trust of that
vendor. And
the next procurement, they have
other products. I'm definitely
going to give them a call and give them an opportunity.
Because I have that trust. They exposed
their engineers with our engineers.
Huge.
So turn that around to
marketing departments. Where do you spend your money?
You throw money towards that kind of a
POC or that kind of a demo,
that builds trust
and like Ted says, I may not buy you this time
but now you're in my back pocket
and says, oh look what those folks did for me.
So yeah, look for that.
I also get frustrated by
vendors that talk about what their product
does but don't show any of it.
So having that kind of gatekeepy approach to, oh, we'll open up the kimono as you are willing to spend more time with us, really breaks down that trust experience for me.
So show me right out of the gate.
Show me videos.
Show me demos.
Show me something that's in industry solving problems.
Customer case studies I'm a big fan of personally.
But that definitely gets me interested in the door.
Let me ask a question on case studies.
So we all want them.
A lot of customers don't want them published.
Even if they love you, your company, and all that kind of stuff.
How do you feel if it's a masked case study?
So it says, you know, this is a financial institution of health care.
So they didn't get permission to sign off on using their logo and specifics,
but it's a real-life case.
Is that still useful?
Yeah, I think so.
I mean, it's harder.
It doesn't jump off the page as quickly, you know, when it's a name,
you know, somebody in my industry that I recognize, the healthcare system, et cetera.
But it's still useful information.
I'm looking for the story inside of it and how that relates to my business more so than I am looking for the specific customer that it's about.
Yeah, I always look at the data that's presented.
So my background is economics, I mentioned.
So data, you know, looking at data, there's different qualities of data.
Like if you can get transactional data and then do analysis against it and make conclusions of it, then that's great data.
Some of us know that survey data is less helpful.
Oh, yeah.
I don't read survey data, okay?
Four out of five dentists recommend it.
We've surveyed 100 CISOs, and they think zero trust is great.
I'm not doing that.
Also, I'm not going to participate in the case study.
I don't have time.
I don't care about your marketing problem.
Does that help?
So everyone wants them, but nobody wants to do them.
Nobody wants to do them.
It's the challenge.
And you see the ones that do do them, and you go, how did their legal department approve that?
Yeah, I was going to say there's some disclosures.
Listen, I don't sleep well at night because I know where all the risks are.
And I might confide in a fellow CISO about some risks.
I'm not just going to share with the world.
With my logo. Yeah, years ago, when we were selling to a hotel chain, not Sourcefire, a different company, we actually ran an ad and it had one of the hotels in there featured as our case study. And literally, this was when they still got magazines, I'm dating myself with this, but literally the magazine. What are those? I've read about those.
And they were like this thick for a while.
So literally the magazine came out, and within a week we had had Marriott, Hyatt.
There were five of them had inbound called us from that ad, and it was a very light feature,
but the power of that brand that all these other CEOs said, hey, go find out what our competitor is doing and get us ahead. So that whole thing of keeping up with the Jones.
I will say, maybe this is not a compliment to me, but when I do call, reach out to a company
and say, hey, I'm Ted Wagner. I'm the CISO for my organization, I would like to talk to someone about your technology.
If it takes more, if it doesn't get routed to the right place
or I don't get a call back or if I've exposed myself
with my phone number, my email and said, please call me
and they don't or the wrong person calls or they're confused,
I feel like...
What's an acceptable time for that call back?
You know, definitely within a week,
but 48 hours is probably optimum.
Okay.
I have one data point for the case study, take it for what it's worth.
In my last job, I worked for a security vendor.
And if there was a success story with our product with that customer, the marketing folks would go in and say, we'll give you a discount on the price on your next version of this if you do the case study for us and allow us to put the logo on, right? So there was some success of that. I don't know that it worked every time, but I have seen that work.
Yeah, it can work in the startup space, especially, you know, when we're looking for budget, we're looking for, we like the publicity, the partnership, balancing that with risk and making sure I'm not exposing to the world, you know, all of our... Well, that's a really good
point because if you're
a startup and you can associate with some big
security vendor, oh,
I must be good enough to be their good
customer or something. I didn't think of that.
So as we continue
on the trust, let's talk a little bit about
evangelists and everything.
Again, with the pig here, Marty Roesch wasn't as well-known 18 years ago when we were doing this thing with the pig.
And, you know, it was quite the evangelist day.
Rick, over the years now, a huge evangelist here.
Who are some of the other evangelists that you listen to?
And can a company create their own evangelists?
I think in the case of, I have one vendor, one of my half dozen that I trust.
They will have a lunch with me and they'll bring someone that has been in the community that has real security creds and just sit and talk.
And they can elicit a lot more of me explaining, well, these are my problems.
Because they've established some trust with someone who speaks my language.
Not everyone speaks our geek.
But if someone is credible
and is an evangelist and can articulate,
they can open some doors
and elicit some conversations
they wouldn't normally get.
I would agree with that.
I actually really enjoy
those types of conversations
with leaders in the cyber
field.
Obviously, I'm a little bit younger
than those on the stage.
What are you saying exactly?
I really appreciate all the cameras. That's really what I'm saying.
Whippersnapper.
There's one in every crowd.
No, but that's really building those relationships with people that have been in the industry longer than me, where I'm at normally look for when running my business, because if those people have a relationship with those startups, and they're
advocating for it, and someone I deeply respect, then I am going to go look and see what they're
doing. It may not be the right time for my company to buy. I'm not willing to take that risk yet,
but I will watch that company because they've advocated for them.
I've had previous experience with this. In my last job, I worked for the CEO.
My first day on the job, he immediately started sending me out to events that he didn't want to
do or couldn't do. So after I was there for like six years, and at the end of that run, we had
like 15 of these evangelists around the world going in and talking to customers. But there are some very specific requirements. They had to be former CISOs, right, who had been in the trenches, right? They can't
be marketing people. They can't be salespeople. They need to have the experience, the marks on
their back from doing the job, right? So they can go in and have a little rapport, okay, with the
CISO that they're talking to, right? And so, oh, and they
needed to be high up in the company. They couldn't be a manager. They couldn't be a director. They
needed to be a VP or somebody higher than that that could speak for the company, all right? So
that means they had to understand the product as well as any of the product managers. They needed
to understand the finances of the company as well as the CEO. They needed to be the stand in for the senior leadership team. So
when those folks walk into a CISO and have a conversation with them, they have instant
gravitas. So when they say, yeah, I think what you're doing is not going to work, that
CISO will say, oh, I need to consider that opinion. You may not agree with them, but
at least they need to consider it. That helped a lot on many occasions.
I will say, so my company, we offer software service to customers.
And we have security posture around our products. When the sales team talks to the customer about
how good our security is, they may not have the same gravitas as Rick is referring to. So I get
called to meetings to talk to the respective security team to articulate what exactly our
security posture is and how we do our security so they can go back to establishing trust.
Because we're going to process their data that's as sensitive as it gets. So we have to, there has to be this mutual trust.
Yeah, it's the same within my company too. We have partners and we are sharing patient data
and there's a lot of regulatory risk if we get this wrong on both sides, you know, in terms of
financial penalties and reputation. And so the growth team will have the conversation with the
partner, but ultimately they aren't going to send us any patient information or refer any patients to us until they've had a conversation with me and my senior team to ensure that we're doing all the right things and that we're going to take care of that patient data the same way they would or better.
So I'll double down on that just to make a point.
If you're a security vendor, bringing in your CISO to talk to the customer CISO is a really useful thing because what the customer CISO is going to do is, are you using your own product?
And how is it working and what problems do you have with it?
That's a really useful conversation.
So keep that in mind.
How about COVID? Has that changed your buying habits at all? I would say it's definitely put the focus on the digital experience.
So InfoSec and cyber has been notorious and is still breaking out of the reputation of being the office of no, the thing that makes my job harder, all the negative things. And so with COVID and the focus
on remote work, I think we're still in the phase where cybersecurity, the idea of frictionless
cybersecurity is huge and it's still pushing to the top three of my list when I'm looking at
products. So yes, I think COVID has changed our buying habits
and our willingness to what we're going to introduce
into our users.
I think it's accelerated cloud.
I think a lot of organizations really have to be cloud native,
cloud centric.
But the other aspect of it is you have to figure out,
one of the problems we had is, all right,
we're going to have someone who can't access the network at their home and they can't walk into the help desk.
And so that may mean shipping a computer, which is the last thing we want to do. So you have to
create workflows that enable you to solve that problem over the phone or remotely. So it is about breaking down, you know,
those problems that involve remote access.
Well, here's a good thing about COVID, all right?
Before COVID, remote work was, for many organizations,
that was in the too hard to do pile, right?
It's too much money, we can't get it done,
I don't know how to secure it, blah, blah.
Lists of hundred things why we can't do it.
COVID happened and says, oh, we know how to do that now, okay, because we have to do it, right?
And so that's not even a problem anymore.
I mean, it's hard to manage and all that, but we're allowing remote work now.
And so that's the one good thing we can say that COVID happened.
I would say there's great benefits to remote work.
You can attract a nationwide employee base.
We have gotten much better collaborating online. Yeah. But it is difficult to onboard someone and integrate them to the team.
It's so weird. The only time I get to talk to these two usually has been through that little
Zoom window. First time I saw them was when they showed up today. Scary thought.
All right, so, yeah, it's a scary thought. Okay, so a couple of things. I remember you guys said that you did like... Was some of these kind of good steak dinners, set up for lunches, get out of the way, you know, helping grow the network was one of the things that help you grow, you know, your knowledge and helping you grow your network, and whatever means to do that. Wasn't that a very important thing?
Our networks are, I mean, it's like brothers and sisters.
We've walked hard lines, been through late nights.
Every great data breach happens on a Friday afternoon.
And so you have a kinship to all the folks that work in your industry because you share many pains.
So to build that out, an introduction or to expand that network is our bread and butter.
Yeah, definitely.
I think the talent shortage, too, continues to plague us.
We're constantly looking at ways to grow our teams, our staff, not just by headcount but by their skill sets as well. So that network is critical to us finding those creative paths to build better teams. And it's, you know, I'm not trying to steal from either of them. I want to see everyone succeed in our industry. And it takes a village
in order for us to succeed at dealing with this issue. From a marketing angle, CISOs are trying
to get better in their craft and get promoted to be the big time folks. And there's a couple
ways they think. One way they get their word out is they present. And they may be a little tentative about
getting accepted at conferences and things. So at your conference, if you invite a couple of CISOs
to speak, that gives them a chance to get some experience. That's a way you can get to know them.
You're not trying to sell them anything. You're interested in their ideas. That's a way to get
them in the door. And the other thing that CISOs think they want is they think somewhere in their career, they want to be on boards. So if you can have these dinners or breakfasts and things
and bring in a board member to say, hey, here's what you need to know to be a board,
you're going to get people to show up at that. Okay. So that's another way you could do it.
Great. Anything else you guys want to add before I open it up for some questions?
Yes.
Questions from the audience?
Well, you're all going to get back to work and someone's going to say what you learned.
So come on, have a question.
We've got somebody back here who's getting the mic.
But not him.
Anybody but him.
Go ahead.
All right.
I'll do it. So you mentioned downloading the Verizon
DBIR. Thank you. I started that and led the team for a long time. Don't do it anymore. When I was
there, I was absolutely adamant about not requiring registration in order to download. I guess that's changed.
And I'm wondering how big of a disincentive that is for you to download research. Obviously,
you'll do it for the DBIR maybe because you were reading it beforehand, but you see some new
report. Is that like a just not going to do it, I'm going to work around it, or okay if it's good
enough? For me, it's definitely a question. I mean, I may only, you know,
I might pull the trigger maybe half the time.
I'll see something I'm interested in,
and I'll question how willing am I
to give up my personal information.
Yeah, it's really the, I'm always trading off
the cold call, the cold email, the cold LinkedIn reach out
that it's going to happen immediately
after just the noise that comes at me by submitting my information. I've tried the like
having a separate email address. It doesn't work. Once they've got your name, they can figure
everything else out. So I think it really does depend on the quality of the research paper that
I'm going after. If it's something that has a reputation or it's from a bigger
research firm that's partnered with the vendor, then I'm willing to do it. If it's a white paper
that is self-published and it's not something that is, it's interesting to me, but it's not
burning, don't put the gate on it. Just don't. You'll have more interaction and more likely that
I will engage with that white paper and then reach out because of it by not having to register.
I have a slightly different take on that.
If it's something I want to read, I'm going to give you the credentials because on the back end, it's so easy to automate dumping that to a spam folder.
All right.
So I don't really I give my credentials out all the time because that stuff works.
All right.
So I don't really care that much about it.
Thank you.
Cool, so I'll give a little bit
of context on this, but not really a question.
I'll phrase it in a question.
Any advice you have
for vendor websites? And so
the context there is
as a marketer who creates content,
there's the obvious analytics
of if it looks too verbose,
if it looks too heavy,
no one watches it. On the cybersecurity side, if it doesn't have the detail that folks want,
integrations, details, like what are you actually doing? It's useless. So there's this really tough battle between too high level, too low level, and the right information at the right time.
And it all goes to a website. So there's some things that some folks are doing.
So Exonio says here, I know they're one of the few
that actually prioritize like persona.
This is the CIO, this is the CISO, they know where to go.
There's a homepage.
So open-ended, but I'd love to know from you all
what you think about like most hated aspects of websites.
What's the most useless page you've seen
that you see everywhere?
Like what's the best thing?
Like how you consume content, how much time you're willing to give a website? That sort of thing.
I think if I get confused as to what the products are, like product naming, if I can't
figure it out, I'm going to just give up and walk away. That's a good point. I know some
companies that I've used them in the past, but I got so confused by the naming, I didn't know what the products were.
I couldn't figure it out, and I really don't have time to decipher it.
The other thing is if the context back to the cybersecurity framework or something that gives me context to I know what this product actually does, that's really helpful.
Yeah, I would agree on that and probably double click into that. If you have similar products, you know, or levels of products,
but you don't compare them, then I'm going to be super confused and walk away. I actually see that
a ton where, you know, like, especially in the XDR, extended detection response.
What is that?
Yeah.
What is XDR?
What is MXDR?
What is MDR?
What is EDR?
Can you compare the seven flavors of it on your website together, please, for me, so I know?
That's the type of information that I'm generally, or the level of detail that I'm generally looking for.
So I think, yeah, what you said is right.
There's two kinds of content: what your product does, and then explainers about here's what zero trust is, here's what XDR is. And they need to be obvious and separate. Okay. So just keep that in mind.
The second thing I would say is I always look at the about page on the leadership team. If you don't have the CISO on the leadership team and you're a security vendor, I'm not talking to you. Okay. You don't think security is important. All right. And that person doesn't even have to be on the leadership team. You just have to think that at least he's important enough to be on the web page on your leadership.
True.
Funny story. I did a naming project for a company many years ago, and 20 people in a room were fighting over what product was actually that. No, that's not a product that does this.
I'm like, how the heck are your customers going to know if you can't, as the management team here, even decide which product is which on the names?
And I will confess, SAP, we change the names of our products so often, I don't even know half what the things do.
Guilty.
Guilty as charged.
Got it.
Another question coming over here.
Hi, I'm Kayla Rice.
I'm with SpyCloud.
And my question is about the layers of engagement that you guys talked about from kind of the case study and being with your peers in the dinners.
How involved would you be or are in maybe a customer advisory board or some sort of executive retreat where it's less about just kind of a quick hour or two hours,
but really a full engagement experience?
I think you catch every CISO at a certain point in their career, in their lives, or season, in their companies,
and it's really going to depend on their availability.
My availability to step away from my job for long enough to engage in something like that. It's going to be the biggest blocker.
But yeah, I would be interested in that if life aligns, essentially.
You have to realize that we are whole people and we're doing seven-day-a-week jobs.
So that's your biggest challenge.
Yeah, I would concur.
Like a day away is a high watermark to overcome.
I mean, it sounds attractive, but the reality of,
like, I mean, I just came off a vacation.
I flew in last night to do this thing.
It's because I know Ted forever.
I owe him a couple of favors.
He came in from Italy, so we won't feel too
badly that he is jet lag.
So if I say
grazie a prego, it's all
good.
Can I answer one?
I would say those customer advisory boards
are very specific niche environments.
You're not trying to get new customers there.
You're trying to
reach out to the customers that love you and are deeply invested in you.
So those are the ones you're looking for.
And the reason you bring them is because you want their ideas about how to make it better.
And if that is just pro forma, that you're never going to listen to them, and they think that, then it's not going to be a useful exercise.
So, you know, those half dozen products that we use that I trust, if they want me to be on an advisory board to contribute back to the development of those products, that's attractive. And they'll invest more money in you because of that, all right? Because they believe that you are, the roadmap is being developed because of some of the ideas you had and how you use it in the real world.
Sorry. Okay.
Hi, I'm Megan Garza with Bronis. Rick, you had mentioned that you
don't give much merit to survey data. And I would have thought it would be the opposite because
you're actually speaking directly to the people that you're surveying and getting their feedback.
So why is it that you wouldn't typically give that much merit?
I'm a naysayer on that. You guys probably like it more than I do, right? But
if you ask any CISO those level of questions, you're going to get a different answer all the
time, all right? So you ask 250 CISOs, do you use zero trust? You're going to get 250 answers,
different ones. If you got another 250, you're going to get 250 different ones, all right?
So that doesn't really help me that much.
It doesn't matter that 30% said this or 40% said that.
That's not useful to me.
I don't know what you guys think.
I think what people always aren't honest
or they might be pulled to one side of a question
or the other one, how it's asked.
There's all these influencers to the responses.
Whereas when I refer to transactional data,
that means what are your actions?
I mean, there's a comment I make internally,
which is I don't trust my users, I trust my logs.
Because users lie to me.
It's kind of harsh, but the reality is people aren't forthcoming and did you click on that link? No, I didn't click on that link. Oh,
the log said you did. Don't know.
I would agree with that. I think my biggest issue with survey
data and why I kind of casually throw it out.
I'll review it if it's part of something I'm already looking at, but it lacks context of the problem I'm trying to solve. So surveys tend to be too general. And again, you're getting that
biases maybe playing in, but frankly, it's just not getting down to the level of detail I need
about solving the specific problem that I'm trying to solve or the environment I'm trying to solve in.
My environment is very different than your environment.
Yes.
I would also just say that the spectrum of talent in the CISO world is vast.
There's a pool on the left side that don't have that much talent.
And there's a handful that are really good.
And the survey that you got, I'm pretty sure you don't have the top 10.
You know, that's all I'm saying.
Any other questions?
No?
Oh, we got one here.
Hi, Juan.
Just with the, you know, knowing with the pandemic, everybody met virtually, and you
said you've met these people for the first time, but you also said there's a lot of value
from getting together with other CISOs.
Going forward, knowing that live events are back,
do you have a preference?
Is virtual better because it's easier?
Or regional events, local travel?
Sounds like national is somewhat out of the question
because it's hard.
Good question.
Go ahead.
I would say, I think it's got to be a mix now, right?
I'm looking for the right blend.
I want to get out of the house.
I'm tired of looking at my husband who works at home, you know, in the office next door.
I need my kitchen.
So I do appreciate those.
And if they're regional, it's easier for me to access.
If they're events that are tied to some of the bigger conferences, then I may do national travel, you know, and willing to attend or bolt on to that experience or that schedule. I really like what's become more common through
COVID is ones that are linked to a community that I get added into. So a Slack group, a WhatsApp
group where there's chat afterwards or a reoccurring kind of virtual event that we join on a quarterly, monthly basis that I can engage with more often.
From a virtual standpoint, I appreciate that more than just the one-time event.
I will say that we have an ad hoc CISO breakfast club, we call it.
And because of our schedules, we don't physically meet as often.
But post-COVID, we've started to do more of that.
But we may inject like a Zoom meeting, a Zoom happy hour, just to kind of connect and make sure we're still connecting.
I find that I have the same habits for CISO interactions as I do for my meetings at work.
Which, you know, I get distracted.
I'm looking at Twitter.
I'm doing LinkedIn and trying to pay attention.
They're not as effective to me,
so I'm probably not going to go to the Zoom meetings.
Any others there?
Okay, well, thank you all for participating in this.
I know I learned a lot here.
And I'm assuming that everybody else out there did.
If you didn't learn anything, you're either kind of cocky or I need your resume because fast for companies that I know that are hiring.
So one or the other there.
But, again, thank you all for doing this.
I know you're all super busy.
And thank the CyberWire for putting together this panel and everything. So, thank you.
Thank you, everybody.
Thank you.
So hey guys, Rick here.
We got some additional questions from the audience that we weren't able to answer at the actual event.
So we're going to try to do two or three of them here.
The first one is from Hunter Talpas.
He or she is the demand generation marketing manager at Cobalt.
Asks, how do you utilize LinkedIn? And do you have any experience with LinkedIn live stream events?
Well, for me personally, I use LinkedIn all the time, mostly to stay in touch with my network.
But all three of us, Ted, Jacqueline, and myself, we have no experience with live stream events.
Still, we would consider watching one if the subject was something we were interested in.
For me, the kinds of content I'm looking for in 2023
is anything to deal with implementing zero trust,
intrusion kill chain prevention,
resilience, and risk forecasting.
Both Ted and Jacqueline said
that if they were going to listen,
the content would have to be very high quality.
So we got a question from Karen Walsh,
the founder and CEO of Allegro Solutions.
During the session, the CISOs mentioned that mapping a vendor's technology to compliance
frameworks is important to them. So what types of assets can help them and do they prefer a direct
mapping or more general capability based on categories of controls? And then the last one
she asked is where in their decision-making journey would they use one of these tools?
For Ted, he says, for example, NIST 800-171 Revision 2, his organization is required to meet those 110 security controls.
So if a technology can assist him in meeting one of those controls, it's helpful.
Jacqueline said that she needs the same thing for HITRUST and PCI DSS.
And one last question from an anonymous listener.
How willing are you to provide feedback on products and services that you use?
And do you prefer longer drawn out sales process where you get to know the company and build a relationship with them?
Or do you prefer a sale to be straight to the point?
Ted says that in his procurement process, he tries to employ
diligence. He starts with requirements for their procurement, and then he does a formal RFP process.
He establishes evaluation criteria to compare the proposals, and it can take about three months to
complete. Jacqueline says that in a few cases where we need to move quickly with procurement,
we always have a business proposal, evaluation criteria assessment, and a minimum 30-day POC as applicable. And so those are three questions we
didn't get a chance to answer at the session itself. On behalf of my colleagues, Jacqueline
Miller and Ted Wagner, thanks for coming. I hope it was beneficial to you, and we'll see you at the next one.
Cyber threats are evolving every second, and staying ahead is
more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.