[05-18-23] Join us tomorrow for “Hacking the Software Supply Chain”

Super Cyber Fridays!
Join us TOMORROW, Friday [05-19-23], for "Hacking the Software Supply Chain"

Join us Friday, May 19, 2023, for “Hacking the Software Supply Chain: An hour of critical discussion of catching intruders to your SDLC pipeline.”
It all begins at 1 PM ET/10 AM PT on Friday, May 19, 2023, with guests Mackenzie Jackson, developer advocate, GitGuardian, and Julie Tsai, Board Member, Bay Area CSO Council. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, GitGuardian

Defense in Depth
Do RFPs Work?

Do RFPs or requests for proposals work as intended? It seems they're loaded with flaws. Yet for some organizations who must follow processes, they become necessary evils for both buyers and sellers. What can we do to improve the process?
Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. We welcome our guest Keith McCartney, VP, Security and IT, DNAnexus.
Here’s what we discussed:
The RFP’s purpose is to create an equitable buying process that nobody seems to believe in. "They’re the embodiment of screening mechanisms coupled with a way to theoretically level the playing field,” said Fernando Montenegro of Omdia. It appears to be a checkbox requirement to appease company policy and regulations. "Usually they have a preferred vendor and just need to show that they have fairly done due diligence," said Jessica Murdzak of Optiv Inc. "The requirements are often aligned to favor the vendor that the team wants,” said Robin Oldham of Cydea. “It drives up the cost for vendors responding to RFPs they were never going to win, which ultimately is paid for by customers."
To win an RFP you have to be involved before the RFP process begins. "Vendors are usually just column fodder - procurement has to have at least X amount of proposals to push it through to purchase, thus the RFP,” said Kenny Stella of ALTR. “If we aren't having discussions pre-RFP I've basically missed the boat already." Getting in early has been Pete Mistry of Okta’s technique: "My personal approach has been very much to ensure that we are influencing the decision-making tree within an organization before an actual RFI/RFP is issued as this generally means that we stand a much better chance of securing the customer."
RFPs often fail to reward innovation. "RFPs are also often written with a ‘rear view mirror’ perspective on available solutions and their functionality, which can inadvertently block out new and innovative vendors,” said Rick Bullotta. "A good RFP will be written in a way that defines the desired business outcome, not the solution. That way, you're not limiting innovation in vendors' proposals,” said Dan Edwards of Park National Bank. Supporting that theory, Michael B. of Progress said, "Good RFI and RFP docs should lay out the problem and ask for approaches to solve it.”
The RFP is often a good exercise for the issuer. "The RFP is useful in forcing the requesting party to at least exercise some forethought in describing what they need," said Paul Hugenberg, Rea & Associates, Inc. To get the solution you want, you need to ask the right questions, noted Yaron Levi of Dolby Laboratories, "Don't just ask, ‘Do you have X,’ but ask to explain or demonstrate how the vendor accomplishes or supports X."
Don’t just get in early; start working early to truly understand the needs. Easier said than done, but try to find a way to start working with the company on a limited-time or even pro bono basis so you can scope their problem statement and requirements. “Through this exercise, you demonstrate your ability to understand their issues and give them exposure to your capabilities,” said Michael Lines of Open Technology Solutions, LLC.
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Thanks to our podcast sponsor, TrustCloud

LIVE!
Cyber Security Headlines - Week in Review

Make sure to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Dave Hannigan, CISO, Nubank.
Thanks to this week's headlines sponsor, Hunters

Cyber chatter from around the web...
Jump in on these conversations
"What is your favorite question to ask someone when interviewing them for a job in infosec?" (Matt Johansen, @mattjay, Mar 20, 2023)
"Do you believe statements like: 'Cybersecurity has millions of unfilled roles!'...LinkedIn gives you a different picture."
"Cybersecurity is a huge career field. What career path within this field should you take?"
Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:
[05-19-23] Hacking the Software Supply Chain
[06-02-23] Hacking the Future of Risk Management
[06-09-23] Hacking Data Loss
Register for them all now!
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.