Secrets to building a healthy CISO-vendor partnership

Effective partnerships between CISOs and their cybersecurity vendors are integral to security success. A well-oiled relationship built on trust, communication and mutual understanding can reap significant benefits for a business’s cybersecurity posture. Conversely, one that is problematic and incohesive can have the opposite effect, negatively impacting a company’s security practices and leaving them vulnerable to risks and wasted investment.

“For CISOs, maintaining a positive relationship with their security vendors is an important element in staying informed on industry related trends, providing competitive analysis on alternative solutions and building trust in order to take on large partner-enabled initiatives,” John Hellickson, executive advisor at cybersecurity consultancy Coalfire, tells CSO. He notes that CISOs often have a select group of key security vendors that have become trusted partners where the relationship is mutually beneficial. “When CISOs fail to maintain positive working relationships with their security vendors they will often see their vendor provide less of a priority on their needs and overall responsiveness can be delayed, and in worst cases they may be flagged as a toxic account that no sales representative wants to be assigned,” he says.

It is important that CISOs build and maintain the best possible partnerships with their vendors, particularly given the increasing number of vendors modern organizations work with. However, doing so requires time and effort, with various factors to consider.

What is a great CISO-vendor partnership?

Before exploring the deeper mechanics involved in building and maintaining an effective CISO-vendor partnership, let’s first assess how both parties define such a relationship. Dominic Grunden, CISO at UnionDigital Bank, says that integrity and authenticity are a make-or-break recipe for a solid partnership. “Cybersecurity is complex; partnering with a vendor should not be. Providing a value-focused methodology to help companies make data-driven remediation decisions faster is the foremost goal, and this is accomplished by putting the CISO’s challenges and goals front and center.”

For MongoDB CISO Lena Smart, trust and necessity are key. “I can trust these folks until the cows come home, but if I don’t need what they’re selling, there’s no point. In some of the best partnerships I have, the personal factor is also very important,” she adds.

Trust is also fundamental from a vendor’s perspective, Fabien Rech, EMEA vice president at cybersecurity firm Trellix, tells CSO. “Our customers need to trust not only our ability to deliver what we promise, but to be by their side working as an extension of their team – particularly when an attack occurs. It’s about creating a partnership where you’re their first phone call when an attack occurs, and you answer that call.”

There’s a new threat every minute, so the focus needs to be on helping CISOs turn an attack to their advantage by learning from it and adapting so their organization can bounce back in an even stronger position than before, Rech says.

What CISOs want from a security vendor

With the basics covered, let’s tackle the more intricate factors of successful CISO-vendor relations. Clear understanding of what you want (and need) from a security vendor is the most important first step towards establishing a good working relationship for any CISO. While this can differ from one to the next regarding specific criteria, CISOs cite several universally appropriate pre-requisites.

For Cyjax CISO Ian Thornton-Trump, a defined scope of the engagement with tangible KPIs and measurable deliverables and/or reporting is critical for compliance purposes and for assurance that money is being well spent. “The scope of the engagement for security services or a security product/solution is critical for the organization’s CISO to understand the responsibilities and accountability that vendor has to the organization. If there is a lack of clarity a silo or gap maybe created.”

Grunden looks for clear, simple details on what a vendor’s solutions solve (and what they don’t) and how they complement the other solutions he has. “In other words, what are the integration points and what work will my engineers and architects need to perform to get the solution up and running, who will be the technical advocate from their side to work with my team, and what ongoing operational and technology engagement will they bring to the table along with how their technology will evolve?” he says.

Grunden is also keen to learn about the algorithms that power any artificial intelligence within solutions. “There’s a lot of hype around artificial intelligence and machine learning in security solutions, so I want to be able to actually look under the hood.”

Smart wants to see that vendors have done their homework and researched what her company does. “The vendors that talk about how they can relate to MongoDB in terms of field-level encryption or protecting boundaries are more interesting to me as it shows they have taken the time to understand what we do, which goes a long way to building trust in a relationship, which is paramount.”

What security vendors want from a CISO

Any partnership is a two-way street, so as well as knowing what they are looking for themselves, it’s also important for CISOs to understand what a security vendor needs from them in return. “To build a strong relationship and deliver the best experience possible, we need our customers to be open and honest with us,” Rech says. “This honesty should extend to being clear on which other vendors are in the mix as they’re increasingly relying on flexible, cloud-native, open solutions.”

The reality is that no one vendor can guarantee protection against every threat, Rech adds, but vendors are uniquely positioned to adapt to a business’s needs when they have full clarity of what those needs are. For example, constantly sharing information on threat groups, attack techniques or sector-specific threat trends can be overwhelming for some CISOs. “When we know more about their business and their priorities, we can direct the most relevant, need-to-know information to them.”

Hellickson thinks vendors also benefit from reasonable, respectful feedback during a sales process that can become somewhat frustrating for CISOs. “I see a lot of security leaders post complaints about how they are inundated with poor sales tactics trying to get their attention. My advice here is to recognize that a respectful response with some coachable advice to someone who clearly is just getting started out in sales might go a longer way to reducing the nuisance than just ignoring their emails or being disrespectful in your reply. I’d also recommend CISOs to be truthful and honest about the likelihood of winning the business they are proposing for. Just as you don’t want your time wasted, recognize there are a lot of efforts behind the scenes to respond to RFPs, build unique proposals, and bring the appropriate SMEs to a sales discussion. The vendor salesperson’s credibility is as equally on the line as yours when you decide to move forward on large initiatives.”

Communication vital to strong CISO-vendor relationships

With wants and needs understood, communication becomes the most vital element of any CISO-vendor partnership, says Hellickson. “This is where expectations are openly shared as to what it will take to be a trusted partner and what boundaries may be in place as both parties “learn to dance,” per se. Being as clear as possible, from the requirements to the exact deliverables, is critical in building and maintaining long-term CISO and security vendor relationships.”

Thornton-Trump agrees, adding that a foundation of regular communication is critical. “Clearly, openness and transparency top the list as well,” he says.

Despite its importance though, Hellickson thinks communication is one of the biggest challenges CISOs and vendors typically face when building relationships, with poor communication and a failure to be clear about the outcomes of engagements or solution implementations a common problem.

This takes on greater significance when it involves critical vendors and suppliers, says deputy CISO at Netskope, James Robinson, suggesting that CISOs should carefully consider the frequency of their communications with vendors. “Only meeting at the point of sale or renewal may not be acceptable, and if there is a change on either side of the relationship, this also requires sufficient communication. However, the time and frequency of meetings often conflict with competing priorities.”

Robinson advises leaving enough time for other stakeholder syncs, business projects, or team meetings when CISOs meet with all key vendors and customers. “Finding the right balance to make time for connecting with vendors and ensuring all other priorities are constantly met is the ultimate challenge,” he says.

Risk management, change preparedness, team engagement also key

Along with open and effective communication are other factors key to maintaining successful CISO-vendor partnerships. Mutual understanding of business-related risks is one such issue, and something that can become more complex as risks develop, Robinson says. “Simply put, more risk/exposure requires more partnership between a CISO and its vendors. It is important for both parties to understand the larger business value associated with risk and exposure, and how it may impact joint ventures, suppliers, and other partners.”

Smart agrees, adding that CISOs should also consider whether any vendor introduces a potential new threat or attack vector that needs to be addressed.

Vendors going through major changes such as M&A, sudden shifts in ownership, or even injections of venture capital can also have significant impact on a partnership, so this is something that CISOs must be prepared for, says Thornton-Trump. “Those high-level events often manifest with a change in the account representative or the customer service manager. I don’t think vendors understand how impactful a change like this is and, if not handled carefully and with sensitivity, the vendor is putting the account at extraordinarily serious risk.”

Smart also advises CISOs to engage with and consult their security team about all vendor partners. “Even if you’ve picked a vendor and think they’re the best thing since sliced bread, listen to your team. I have seen instances where people have forced through what they think are good solutions and they are not, and it causes hostility among all involved parties.”

CISOs’ biggest vendor turn-offs

Along with the things that CISOs look and prepare for are several red flags and undesirables that can quickly put them off doing business with a vendor. For Grunden, a vendor that forces a product demo or employs scare tactics is a particular bugbear. “Scheduling a product demo off the bat without taking the time for thorough, upfront discovery to understand a company’s security maturity is a no-go,” he says. “Also, bombarding a CISO with too much threat and fear, rather than how you can easily make their problems go away or help align IT and security teams, will make them less open to learning about a product.”

Thornton-Trump cites unrealistic vendor roadmaps, having to degrade or disable existing security controls to make a new solution work, and surprise changes in the vendor organization without any sort of heads-up or notice period as notable turn-offs. “The single most destructive vendor-to-CISO response of “We have never seen that before!” [is a no-no] and should always be replaced with, “We will try and replicate the issue or work directly with your team to resolve this problem,” he says, adding that services that lack tracking or ticketing systems that ensure issues are followed up in a timely manner are also a red flag.

Smart says she quickly takes a dislike to vendors that try to play CISOs off each other as customers, as they are often part of a close community that talks amongst themselves. “If a vendor has managed to get an introduction, another big put off is when they claim to be able to solve all our security problems and catch every zero day with a single box, which can’t be done. Sell me one thing, let me go away for a couple of weeks and play with it. If I have any questions, be available to answer them quickly, but don’t follow-up with endless emails and fill up my inbox.”