Our Latest Product Release Includes Shiny New Security Vulnerabilities


CISO | Security Vendor Relationship Series

This week's podcast episode

Our Latest Product Release Includes Shiny New Security Vulnerabilities

What you'll learn:

On this week's podcast, co-host Mike Johnson, CISO, Lyft, and guest Anne Marie Zettlemoyer, security strategist and independent researcher, discuss the following:

  • Recognize the signs of InfoSec burnout. People in security are often cynical and struggle to feel a sense of accomplishment. Check in with your employees to make sure they're doing okay. And when they say, "I'm fine," follow up with a serious, "Are you sure?"

  • Create a safe space to vent. A constructive way to deal with burnout is to have an outlet. Consider an online discussion board or Slack community where there's a willing group of participants who will recognize and sympathize with your frustrations.

  • Should you release a product with known security vulnerabilities? Do the demands of the business and the expectations of customers outweigh known security concerns? It all depends on the importance of the new capability and the severity of the vulnerability. And make sure the decision makers are talking with the engineers so they know why their work may not be released as quickly as they hoped it would. Consider roping in PR into the discussion so they can manage the customer response.

  • Security vendors are actually using some of our feedback to great success. Multiple vendors have been thanking us for our advice on how to pitch CISOs. In fact, we learned about one success story that resulted in multiple meetings from a simple email outreach.  

  • Not every product requires the same rigor of testing. While it's good to have a process for product testing, how rigorously you test depends on what's being protected and how mission critical it is.

  • Don't be distracted by the shiny object. We've said this multiple times before, but try not to always gravitate to the latest and greatest in security. Make sure to focus on the basics.

Special thanks to Signal Sciences for sponsoring this episode of the podcast. If you’re using WAFs, make sure you read “Three Ways Legacy WAFs Fail,” by their head of research, James Wickett.

This week's article for the CISO/Security Vendor Relationship Series

Best Responses to "4 Stories of Security Vendors Overcoming Roadblocks"


I think it might be safe to say that the majority of a security vendor’s time is spent trying to avoid being a roadblock or running into roadblocks. As part of the CISO/Security Vendor Relationship Series, I called out to security vendors to tell me their tales of overcoming hurdles in security sales. They told me their stories and the audience responded. This video highlights my favorite responses to the article.

This week's article for the CISO/Security Vendor Relationship Series

One CISO’s Grand Experiment to Engage with Security Vendors


Last week Allan Alford, CISO of Mitel, made a public announcement on LinkedIn that he was going to set aside two hours every week to learn from vendors about new and old cybersecurity solutions. I called Allan up and we talked about why he needed to do something like this, the struggles CISOs have in the face of traditional vendor pitching, what makes a good vendor pitch, and how vendors have reacted to his announcement. Read the article for more on these takeaways:

  • CISOs are turned off by the firehose of spam emails and cold calls. There very well may be some excellent solutions in all those pitches, but since they come with such ferocity and no understanding of who they're pitching, they all get deleted and ignored.

  • CISOs still need to learn about vendor solutions. Even though they're ignoring all these pitches, CISOs are looking for other ways to learn, because honestly, they need to understand the categories and the products that solve specific security problems.

  • Follow this basic formula for pitching: Just explain what your company/product/service does, and then explain how your offering is unique.

  • Don't worry if you're not the right fit today. Just because a CISO learns about your product today doesn't mean they're going to purchase it today. But everything Allan learns now will be in consideration for his next budget cycle.

BE FEATURED IN ONE OF MY VIDEOS

For those of you who remember the original articles in the CISO/Security Vendor Relationship Series, they were always followed up with a video where I would highlight my favorite comments. Would you like your brilliance quoted in a video from the CISO/Security Vendor Relationship Series? Leave a tip, opinion, or tell me your own story on the LinkedIn post. The best comments make it to the featured video.

Sponsor the podcast or the series!

Very soon the CISO/Security Vendor Relationship Series and podcast will be moving to its very own home. You'll see more articles, videos, an ebook, and a webinar. We've been extremely fortunate to have a number of vendors eager to sponsor the podcast and the series.

If you'd like to sponsor the podcast or the full series, please reply to this email or connect with me on LinkedIn.

SUBSCRIBE TO THE PODCAST

Got a podcast catcher? Search for "CISO" and chances are you'll find the CISO/Security Vendor Relationship Podcast. If it doesn't come up, go ahead and click on any of these links to subscribe to the feed.

If you're already a subscriber, THANK YOU! If you like the show, please tell all your friends on social media and write a review on iTunes.