I have always considered it an honor to be part of a variety of Cyber Security Venture Capitalist (VC) communities throughout my client-side career. As with "Customer Advisory Boards", these arrangements benefit both the client and the provider.
Having a seat at the table to influence product roadmap decisions, features and functions that provide value to the business is the primary objective. The overarching objective in operating a complex cyber solution set is to have the best product mix at the lowest cost.
The secondary benefit of being part of these consortiums is the privilege of belonging to a peer community that shares similar problems. Often we have the same problems, and understanding how other organizations have solved them improves time-to-market targets: learning from mistakes accelerates the decision cycle, even when the mistakes are not your own.
As a representative or leader of an organization, decisions regarding the security apparatus of your employer must be made in a way that does not expose you to liability; any purchasing decision should be made with the highest level of objectivity.
I can’t recall ever working for a CISO in my career that has told me to implement a solution because he/she “said so”, without any context or logic behind how the decision was made. Pretty sure they know what the response would be 😉
Ensuring impartiality (regardless of whether the influence comes from a VC, an influential sales rep, or a customer board) as a representative of your organization is critical to the integrity of our profession. As a CISO, here are some risk mitigation measures you can put in place to ensure you are supporting a fair market.
Being Strategic About Shopping
(Please Mr/Mrs. C-Suite; don’t buy that shiny object)
Your organization probably already has a mix of technologies and services that are providing value, with people and processes intertwined to operate these capabilities in production.
- Understand the biggest threats to your organization and the maturity of the defences in place to mitigate them. This helps prioritize which investments need to be made on tactical vs. strategic merit (What are the biggest fires we need to put out now? What are our priorities?).
- Understand the technology roadmap of your existing vendors/partners/providers: when are contracts up for renewal, and does the vendor roadmap include offerings that would negate the need to purchase a net new solution? What are the economic impacts of bringing in a new solution? When is the best time to switch solutions? How much analysis runway is there before a decision needs to be made?
- Is there a gap in the control structure that is not solved by an existing solution in your organization, or by an existing vendor's roadmap? Should it be native or third party? If so, this is great feedback for VC CISO communities, and the outcome is either A: a solution exists that was not known to you before; or B: you are not alone, many people have the same problem, and a solution needs to be created (the perfect situation for a startup!!).
One method to determine solution coverage is Sounil Yu's Cyber Defense Matrix: https://cyberdefensematrix.com/ .
Summary: New solutions should be brought into an organization because there is a defined need, at the right time, which counters the emotional pull to "bring a shiny object in and make the organization fit to it".
Being Objective from the Start - Vendor In-take Process
Imagine the day when a vendor cold calls you and you simply reply "Reach out to XX; you can find him/her on LinkedIn".
Establishing an in-take process to systematically, consistently and fairly review new solutions and vendors has a myriad of benefits:
- It is a great opportunity for an entry-level employee to learn about new technology, how it fits in the market and how it fits with your organization's technology ecosystem. The heavy lifting of "what is this?" (figuring out the category, who else is in the market, whether a solution is already in place, etc.) is a great research experience that opens the junior employee's mindset to the offerings of the holistic market. Call it Level 1 research.
- One best practice I have seen is what we used to call "FRISCII Fridays" (not sure HR would let that moniker fly anymore). It stood for "Forum for Research Information Security Controls and Innovative Ideas" and was, in a sense, a vendor fight club: a new vendor would come in (every Friday at 3pm) and pitch their solution to anyone in the organization who wanted to attend. A schedule of vendor pitches was communicated in advance, and those who wanted CPE credits and to learn tech outside of their usual area of focus had the opportunity. The discussions were often no-holds-barred, and the vendors got great feedback on their solution. If the solution had merit, it was a group decision.
- A team of practitioners closer to the problem space will usually have greater insight into the new solution being evaluated; ideally, new solution recommendations should come from the bottom up. Being asked to comment on a product or provide technology insight in terms of go-to-market and how the tool is positioned is one thing; day-to-day use of the tool (UX design, technical functions, interoperability) is another. It would be unwise to purchase a solution without the seal of approval of its future operators.
Summary: Establishing a process for new vendor and solution evaluation creates objectivity, which reduces the legal exposure of CISOs who are assisting vendors in the market (in whatever capacity: CISO advisor, paid or unpaid).
Key message:
Working with key stakeholders across the organization (strategic sourcing/procurement, the legal department, the CIO/CTO office) and securing stakeholder agreement before making a purchasing decision is critical not only for enterprise adoption, but also to ensure your own objectivity. Regardless of how the solution originated, having a transparent evaluation process and communicating any potential conflict of interest is in all parties' best interests.
Good luck!