With over 2,500 security technology companies as of January 2018, and 2017 marking the largest influx of VC money into the cyber security market, the clutter of security products is even greater than before. Vendor messaging has become convoluted with similar pitches touting the next greatest ‘silver bullet’, and the top industry publications provide limited guidance. CISOs tell me the rise in the number of booths at large industry conferences has become inconceivable and overwhelming.
Through over 100 CISO interviews in this magazine, I have learned a tremendous amount from the candid, insightful conversations with these leaders. I have asked almost all 100 CISOs similar questions and consistently receive a multitude of varying answers, yet there’s one question I ask that constantly receives the same answer: ‘Do you believe the marketspace is cluttered?’ 95% of the time the answer is vehemently, ‘YES!’
I follow up by asking, ‘What are you doing to clear the clutter and make new technology purchases?’ Almost 100% say they chiefly rely on their CISO peers to learn more about product capabilities, use cases and comparative benefits. They typically combine the recommendations of peers using the product with independent research and conversations with the infosec community at conferences or events. Not one CISO I’ve spoken with trusts industry publications or vendor messaging as the lone source for purchase justification.
The CISO community is powerful – these leaders often put unwavering trust and reliance on their peers for advice, mentorship and recommendations. One large component of these connections is helping clear the clutter in the security product marketspace to protect and enable their organizations. I am happy many use this magazine as an opportunity to connect with CISOs whose profiles they read, to learn more from their experiences and grow their networks even larger.
I selected a few key, thoughtful answers CISOs provided to questions surrounding clearing the clutter. As a reader, please don’t hesitate to reach out if you are interested in connecting with these CISOs, or any others we have featured in the magazine.
What do CISOs look for when purchasing new products?
“Back in 2006 you could name all the mainstream security companies in a breath, but now every company that has something interesting gets VC funding. It makes things hard. For us today, I will only look at tools that I know can address a looming risk. Does the tool manage a looming risk? Can I implement this tool completely and optimize it in my environment? Is the company sound and does it have good references? Only after these three criteria are met can we move on to bake-offs and POCs,” says Angelo Longo, CISO of Casino Hotel Resort.
He continues, “The reality is that a lot of security products are purchased on a whim and then implementation is difficult. Sometimes results do not meet expectations. These are the systems that add little value, waste budget and create inefficiencies. I am looking for plus, plus, plus. I want to expand my ability to see and understand my architecture and understand the threats involved. If a solution cannot address that issue then it is just more noise. I want to reduce noise but add value.”
What questions should CISOs ask security product vendors?
Dan Bowden, CISO of Sentara Healthcare, says, “All the major product spaces are cluttered. As we become more mature in dealing with threats, vendors are introducing niche products that can do one specific thing really well. I told a vendor today, ‘what you are showing me is better than what I have, but not better enough to justify going through the trouble of converting. Your product is an A+, but I have an A- product right now, and that is doing the job just fine.’”
Who should CISOs rely on to understand product differentiators?
“No one tells you where they are terrible. So, to get the truth, I talk to peers and I do as much reading as I can. I ask hard questions in the sourcing environment. Tell me what you do not do well and show me your roadmap to address it. I look for independent research. Lots of times it comes from universities. PhD students write great papers and they have no skin in the game at all. They are not funded by vendor marketing,” says Tom Meehan, CISO of ControlTEK.
For more information on how to develop a strategic cybersecurity program, please reference our Comprehensive Guide.