08-13-20 - Put Your Faith in Vendors' Outrageous Claims


CISO | Security Vendor Relationship Series

This week's episode of Defense in Depth

Trusting Security Vendor Claims


On this episode of Defense in Depth:

Co-host Allan Alford and Lee Parrish, CISO, Hertz, discussed:

  • Of those surveyed in a Valimail survey, a third to a half did not believe that vendors did a good job explaining what their product does, that the product actually performed as claimed, or that there was any way to measure that performance.

  • Many questioned those numbers, since they feel plenty of security buyers still fall for vendors' boastful claims. Both can be true at the same time.

  • Looking dazzled on a trade show floor is not an indicator of a buyer's knowledge or of their susceptibility to vendor pitches.

  • When you're under the gun as a security professional to produce results, you often fall victim to security vendor claims because you want to deliver on demands from the business.

  • By nature, CISOs should be skeptical of vendor claims, and of information within their own environment.

  • There's a battle between those vendors truly trying to deliver value and those who are using their marketing savvy to sway industry thinking.

  • Don't place all the blame on the vendors. CISOs still have trouble understanding their requirements, risk, and priorities. Many are guilty of engaging in "random acts of security".

  • Claims can often be more trustworthy if the vendor is willing to explain what they can't do.

Thanks to this week's sponsor of Defense in Depth, AttackIQ.


AttackIQ, the leading independent vendor of breach and attack simulation solutions, built the industry's first Security Optimization Platform for continuous security control validation and improving security program effectiveness and efficiency. AttackIQ is trusted by leading organizations worldwide to plan security improvements and verify that cyberdefenses work as expected, aligned with the MITRE ATT&CK framework.

Helen Patton, CISO, The Ohio State University, on the importance of storytelling

TOMORROW, Friday [8-14-20] We're Hacking Healthcare Security

Join us tomorrow, Friday, August 14th, 2020 at 10 AM Pacific/1 PM Eastern for "Hacking Healthcare Security: An hour of critical thinking on reducing risk across the health industry's unique threat vectors." I'll be leading this discussion with Jon Ehret, VP of strategy & risk, RiskRecon, and Errol Weiss, CSO, Health-ISAC.

Plus, immediately after the video chat (11:00 AM PT/2:00 PM ET) we'll roll over to the CISO Series Friday Meetup. Each participant will be randomly matched in impromptu 1-on-1 five-minute conversations with fellow cybersecurity professionals. The link to join will be made available during the video chat.

Huge thanks to RiskRecon for sponsoring.

Elliot Lewis, CEO, Keyavi Data, on the appropriate vendor pitch

Best Moments from “Hacking Cybersecurity Marketing” Video Chat


Here are seven minutes of highlights from last week's video chat: "Hacking Cybersecurity Marketing: An hour of critical thinking on the best ways to get security professionals to know and care about your product."

To see the entire replay of the video chat, go here.

Joining me in this valuable hour were Steve Zalewski, deputy CISO, Levi Strauss, and Allan Alford, co-host, Defense in Depth.

Best Bad Idea from "Hacking Cybersecurity Marketing"

SUBSCRIBE TO BOTH PODCASTS

Go ahead and click on any of these links to subscribe to the podcast feed of your favorite podcast catcher.

If you're already a subscriber, THANK YOU! If you like either or both shows, please tell all your friends on social media and write a review on iTunes.