During this episode of Emissary Live, we talked security with a serial CISO and information security expert. Roy is the former Chief Information Security Officer at Sabre Corp., Anthem Health, Sallie Mae, GE and others, with more than 30 years of experience in information security.
Three main takeaways from the panel:
- In today’s environment, technology is continuously evolving; as a vendor, you have to be able to explain how your solution can solve not only problems that already exist, but also problems that businesses are only just beginning to experience, especially within IT security.
- The most effective communication you can provide as a vendor will demonstrate that you understand the business you’re approaching well enough to articulate problems and offer customized solutions.
- Don’t be afraid to leverage your network – communicate with your current partners and get creative about how your current relationships can lead to new partnerships.
Panel Discussion Highlights
Given the varied career that you’ve had, what did you see as far as the changes in the IT security space over the time that you’ve been leading? What are some of the biggest trends that you’ve seen come, and how have things evolved from your perspective?
When you look at IT, it was very much viewed as a back office support function in most corporations. Print servers and file shares, and getting people on and off the network. Where technology has evolved, it really now not only needs a seat at the table, but it needs to be part of the innovative discussions that are really helping to shape and drive the organization’s business strategy. I think security is the same.
More and more, the CISO role still oftentimes reports to the CIO. But you’re seeing some organizations that have it report elsewhere outside of just pure technology. I think that innovation, consumerization, digital transformation, I think those are all things that we all, whether you’re just in technology or you’re in cybersecurity, technology is what you have to be focused on. So, I think the CISO role has much more a seat at the table than it did. It’s much more viewed as not necessarily a technical function, but a risk management function. I think that’s been the evolution, which I think needed to happen in order for this role in this industry to help protect organizations, corporations, their data, their information assets.
We hear a lot from both vendors and technology leaders that the IT security field is dense and really competitive right now because of the volume of solutions. How can vendor teams differentiate themselves and play meaningfully in this space?
Cost certainly comes into play. Creative tiering and leveraging of how you cost and price your product is certainly more critical with smaller organizations, or those who are more in their infancy and their maturity level, if you will. Then cost and how it’s basically negotiated and tiered over time is a differentiation and a selling point.
I think also the ability of the vendor to provide counsel and to provide support outside of just the regular maintenance agreement. Let’s say, for example, the willingness to actually have staff from that supplier service or that vendor on site helping with the installations. And not for just a week or two, but for long-term commitments because the technology depth of knowledge wasn’t as great or the number of resources wasn’t as great, was a huge, huge differentiator for some vendors.
What would you say makes for a successful proof of concept or a pitch for security solutions providers specifically? How do IT security solutions providers really put their best foot forward into those marketplaces at that stage?
I can honestly say, in my tenure as CISO in the last three-plus organizations, the number of technology vendors, security vendors that got to me I could probably count on two hands. It was very rare for them to have an audience directly with me. I often would either refer them to one of my direct reports, my chief security architect or whoever, to do the initial vetting.
The ones who did get to me who I hadn’t had a relationship with, they had a unique approach to a particular set of problems that I knew we were facing or would face. It was through an introduction of somebody else I knew and trusted. Or there was a personal reach out, not just the mass, I would call, telemarketing type letter that’s sent out. It was more of a personal communication, which demonstrated to me that that individual knew my business and understood the types of problems that we were facing, and they were willing to basically have a conversation.
For those who are looking to up-level, to go from having maybe one or two Fortune 500 customers to really becoming more of a trusted solution, what guidance would you give as far as how to become more viable, to reach that next echelon?
If they already have their established relationships with a few key organizations, I will say that CISOs, unlike many other professional C-levels, are pretty well internetworked. We know each other. It’s a small field. Many of us have known each other for years and track the different companies we’re in. I would say you leverage those relationships and get them to help, point in the right direction. “Who else do you know in the industry that’s having these similar problems? Is there anybody that we can help with? Would you be willing to make an introduction?”
I have done that a number of times for trusted suppliers of service and vendors. And I say, “Yeah, I know a couple. Let me reach out.” I think leveraging that type of relationship is key within the CISO community. We all want to make sure that we’re doing security to the highest levels possible. We all realize the challenges of budget and staff. And we’re all looking, how do we stop the threat actors and make it better because nobody wants to be breached.