[09-03-24]--Red Flag? My Vendor Just Asked for My Mother’s Maiden Name
CISO Series Podcast
Red Flag? My Vendor Just Asked for My Mother’s Maiden Name
Just because a vendor is selling a security solution doesn’t mean they should expect your trust right away. Too many vendors initiate relationships with requests that stink of phishing emails. What are the appropriate first steps a vendor can take to build trust?
This week’s episode is hosted by me, David Spark, producer of CISO Series and Andy Ellis, partner, YL Ventures. Joining us is Bethany De Lude, CISO, the Carlyle Group.
CISOs as storytellers
The new SEC breach reporting rules are influencing how CISOs go about operations, particularly in board communications. This has accelerated the trend of CISOs increasingly attending board meetings, noted Grant Ross at Dark Reading. As such, CISOs need to embrace storytelling, focusing on making the information "consumable" and relatable to the board. This involves avoiding jargon, using clear and accessible language, and connecting cybersecurity risks to broader business concerns like regulatory, brand, and financial risks. Frame security narratives in a way that is both credible and relevant to the board, while also being cautious not to overstate risks or use metrics that might not resonate with financial decision-makers.
Grinding a CISO’s gears
What hills are security professionals willing to die on that they don’t need to? A recent post on the cybersecurity subreddit addressed topics that security professionals are so passionate about that they will fight for them regardless of whether they are critical to the organization. One genuinely critical issue was a CISO’s reporting structure, since that dictates their independence within an organization. While some issues may seem trivial, choosing which battles to fight is crucial for CISOs who aspire to be seen as credible and effective executives. A particular sore spot is terminology. For some security practitioners, distinctions such as cybersecurity vs. information security are a serious debate. Even when they’re passionate, CISOs must keep their eye on the ball as to what really matters to their job: understanding risk and communicating that to the rest of the business.
An evolving role
How has the CISO role changed recently? Increased regulatory pressures have pushed CISOs into the limelight with the board. But this is also driven by the need for organizations to establish trust, argued Esther Shein at CSO Online. While the CISO position has gained more respect and visibility, making it easier to be included in high-level discussions, the role has also become more challenging. The pace of technological change and the expanding scope of responsibilities—ranging from regulatory compliance to business continuity—make it difficult for CISOs to stay on top of everything. That inevitably comes with more stress. New liabilities, both civil and criminal, as seen in recent high-profile cases involving former CISOs, don’t make the job any easier. This growing pressure is leading some professionals to step away from the role, underscoring the heightened stakes and complexities of the modern CISO position.
Earning trust with vendors
Vendors have a high trust bar to meet when approaching a new CISO. This must be earned over time and cannot be assumed or rushed. Aggressive or impersonal tactics, such as sending unsolicited Excel files or automated messages, can harm the vendor's reputation and burn industry trust, explained Dave Bowden, CISO at Frontdoor. Instead, vendors must offer value from the outset, such as providing industry-relevant resources or personalized outreach that demonstrates an understanding of the CISO's specific needs and challenges. Building relationships through meaningful, differentiated interactions is the key to gaining a CISO's trust and ultimately their business.
Listen to the full episode on your favorite podcast app, or over on our blog, where you can also read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to Aaron Kinder of Livingston International for providing our “What’s Worse” scenario.
Thanks to our podcast sponsor, Scrut Automation
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Best advice for a CISO…
"My best advice is for every CISO to remember that whatever they are doing, that and marketing. In my view, having a compelling brand—both your personal brand as well as your team’s brand—is smart business. So, if you don’t have a communications specialist on your team, hire one. And if you don’t have the funds to hire one, then go bring cookies to your corporate communications specialists—they can help you. It’s their job. They know how to sell. They can help you sell your program." - Bethany De Lude, CISO, the Carlyle Group.
Listen to the full episode of "Red Flag? My Vendor Just Asked for My Mother’s Maiden Name."
What's Working With Third-Party Risk Management?
"We're always going to be integrating different vendors' technology and different software packages into our products. And we have to be really serious and proactive in looking at, ‘Hey, if this breaks down, will the whole app break down? Will our customers be able to use the service that we're providing them?’" - Nick Muy, CISO, Scrut Automation.
Listen to the full episode of "What's Working With Third-Party Risk Management?"
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this Friday and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Justin Somaini, partner, YL Ventures.
Thanks to our Cyber Security Headlines sponsor, Scrut Automation
Super Cyber Friday
Join us Friday, 09-06-24, for “Hacking Tabletop Exercises”
Please join us on Friday September 6, 2024 for Super Cyber Friday.
Our topic of discussion will be “Hacking Tabletop Exercises: An hour of critical thinking about enhancing incident response readiness.”
Joining me for this discussion will be DJ Schleen, distinguished security architect, Yahoo and Christina Shannon, CIO, KIK Consumer Products.
It all starts at 1 PM ET/10 AM PT and then we roll over to our meetup portion on Discord. It’s a great chance to connect with the cybersecurity community.
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.