The relationship between the chief information security officer (CISO) and vendors is a central engine of the cybersecurity ecosystem. It helps startups striving to meet the ever-evolving needs of CISOs, who are simultaneously seeking the elusive but paramount buy-in from business users and executives.
The CISO role has evolved dramatically in the past few years in response to changes driven by market fluctuations, COVID-19 ramifications, boards’ increased cybersecurity awareness, and technology’s evolution. As CISOs adjust to their fluid environment, it has become increasingly important to evaluate how these changes impact the relationship between CISOs and their vendors.
I discussed these and other trends with a formidable group of CISOs and security entrepreneurs: Mandy Andress, CISO, Elastic; Sounil Yu, (at the time) CISO and Head of Research, JupiterOne; Frank Kim, CISO-in-Residence, YL Ventures; Yoni Shohet, CEO and co-founder of Valence Security; and Meny Har, CEO and co-founder of Opus Security.
Change Is a Constant
Keeping up with emerging threats and their potential solutions is vital, and Mandy insists CISOs should hone their curiosity, focus on learning, and be ready to pivot at a moment’s notice. “I think it’s important to embrace the reality that things are going to continue to change in our industry,” she says. “Something that you worked really hard on and implemented could be completely useless the next day. It’s ever-changing configurations, issues, systems, so you have to make sure that you’re adaptable and open to change.”
Communication Is a Key Skill
New threats aren’t the only changes that CISOs must contend with. With organizational silos and barriers breaking down over the past few years, security has become a more collaborative effort requiring constant communication. This can be hard enough to do within the security team. But in today’s enterprise landscape, business needs must be addressed, executives expect to be briefed, and developers are integral in the process.
CISOs must be able to coherently communicate, and startups should help them do so. “Storytelling is a key skill for security personnel,” Frank says. “We need to think about how we tell the story of what we’re doing, how it’s aligned with and supporting the business… startups can help security leaders by translating tech into a picture that makes sense.”
Sounil expands on how these interactions can become more beneficial. “The language we use is important,” he says. “Startups should focus on that and address their solution to the exact problem CISOs want to solve. A tool like the Cyber Defense Matrix is a useful mechanism for engaging with vendors, creating a common baseline and fostering communication.”
Startups Play a Bigger Role
Startup founders see this evolution and must react accordingly. “The relationship has changed over the past 5–10 years,” Meny says. “There’s a lot more openness to innovation and the startup mentality. There are new, emerging threats and sectors that early-stage startups have specialized expertise in, which can bring value to CISOs. CISOs have their specific issues that larger vendors may not try as hard to resolve. Smaller startups are better poised to address emerging security threats and can provide solutions that are probably more cost-effective, which is crucial in the current market environment.”
Yoni adds, “With an ever-changing threat landscape, CISOs rightfully demand to be up to date about what they need to protect against now and in the future, and startups are at the forefront of this environment.” Frank also notes the human factor as a pivotal element in the relationship between startups and CISOs. “As a CISO, I can pick up the phone and buy whatever product I want, but the keyword in my eyes is collaboration. Certainly, the cost is important, and threat defense is important, but a strong partnership between the vendor and the security team and CISO is a critical factor in the success or failure of deployment.”
Cost Isn’t the Only Priority, but It’s a Big One
As budget pressures across the market have evolved from rumors to realities, startup founders are refining their focus to accommodate the new CISO mindset and priorities. “From a startup’s perspective, you just need to make it easy. Take that extra time and effort to figure out what the user needs and how you can provide it,” says Mandy. Frank adds, “It’s not only about the cost. CISOs assess the team’s ability to execute with the product and want to ensure that there’s stakeholder support and business value, so startups must keep these considerations in mind as well.”
Both Yoni and Meny mention return on investment (ROI) as a critical selling point for vendors and a strong priority for CISOs. “The CISO has to be able to easily measure the product’s ROI and communicate it internally to justify the investment,” Yoni says. “At Valence, we knew we had to focus on a broad enough landscape in order to achieve that, so we expanded beyond SaaS security to a more holistic cybersecurity platform, helping CISOs justify their choice by buying one platform with good coverage instead of five.” Meny sums it up nicely: “If you can’t deliver actionable value immediately, you won’t be able to sell.”
The CISO evolution isn’t over. With threats compounding and as CISOs find themselves in the center of global events with political, legal, and technological repercussions such as the SEC’s SolarWinds investigation, organizations will be forced to re-examine their approach to security in general. “CISOs aren’t yet considered C-level executives,” says Frank. “We don’t like to be the ones business leaders search for when there’s a problem — we want to be at the table when the problem arises. That’s still the transition that a lot of organizations are making, not just security leaders, but organizations trying to understand how to best position the CISO for success.”