Red Flag? My Vendor Just Asked for My Mother’s Maiden Name


Just because a vendor is selling a security solution doesn’t mean they should expect your trust right away. Too many vendors initiate relationships with requests that stink of phishing emails. What are the appropriate first steps a vendor can take to build trust?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining us is Bethany De Lude, CISO, The Carlyle Group.


Huge thanks to our sponsor, Scrut Automation

Scrut Automation allows compliance and risk teams of any size to establish enterprise-grade security programs. Our best-in-class features like process automation, AI, and 75+ native integrations reverse compliance debt and help manage risk proactively as your business grows. Visit www.scrut.io to learn more or schedule a demo.

Full Transcript

Intro 

[Voiceover] Best advice for a CISO. Go!

[Bethany De Lude] My best advice is for every CISO to remember that whatever they are doing, that and marketing. In my view, having a compelling brand—both your personal brand as well as your team’s brand—is smart business. So, if you don’t have a communications specialist on your team, hire one. And if you don’t have the funds to hire one, then go bring cookies to your corporate communications specialists—they can help you.

It’s their job. They know how to sell. They can help you sell your program.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. Cohost for this very episode, it’s Andy Ellis, the operating partner over at YL Ventures. Andy, make yourself known to the audience.

[Andy Ellis] Good morning, folks. Or, depending on when you’re listening to this, good afternoon, good evening, or good night.

[David Spark] That is his way of communicating to people all over the world who listen to this program. And I’m always surprised how literally we have listeners all over the world. We’re available at CISOseries.com. If you are not familiar with many of our other programs, please go check them out. You can find them over at CISOseries.com.

Our sponsor for today’s episode is Scrut Automation. Stay aware, stay ahead, and stay compliant. Yes, automate risk assessment and monitoring. More about just that a little bit later in the show. Andy, I did something I hadn’t done in years.

[Andy Ellis] Not playing a pinball game?

[David Spark] No, this is involved in this. I finally saw the movie *Jaws*.

[Andy Ellis] What?

[David Spark] I know! I had never seen it before. Never had seen it. I’d seen the final scene in *Jaws*. I finally—a local theater was playing *Jaws*. We got to go see the movie *Jaws*. The reason being, I was so eager to see it is because the *Jaws* pinball machine came out within the year, actually just a number of months ago.

And so, my wife and I—my wife, who’s also become addicted to pinball—we saw the movie *Jaws* and then played the pinball machine afterward, which, by the way, did not help us play it any better. But I have the memory of just how scared people were of that movie.

[Andy Ellis] Right.

[David Spark] There are moments that you jump in the film.

[Andy Ellis] But by modern standards, it’s not scary at all.

[David Spark] No, not at all.

[Andy Ellis] Yeah, no. Occasionally, I do this. I’ll watch a 20- or 30-year-old movie, and I’m like, “Wow, that really did not hold up.”

[David Spark] We have memories of being scared of things. And I showed it to my kids, and we’re like, “What is this? This is scary?” They don’t believe it. Also, the experience of being in the dark theater is different than watching it on the television in the middle of the day as well. How old were you when you saw *Jaws*?

[Andy Ellis] I don’t even remember. When did *Jaws* come out?

[David Spark] 1975?

[Andy Ellis] So, I probably saw it around when I was 10 or so—not when it first came out, but…

[David Spark] Yeah.

[Andy Ellis] It was terrifying. I remember being freaked out. I would not go in the water for months. And I grew up in L.A., so you have access to beaches. And I’m like, “Yeah, no.” And to this day, I’m very skittish about sharks.

[David Spark] Here is my brush with greatness. The film was shot, as I understand, on Martha’s Vineyard, correct?

[Andy Ellis] I believe it. Yes.

[David Spark] I believe it was shot on Martha’s Vineyard. Our neighbors had a house there, and supposedly—and I have no idea where it is; I couldn’t tell you where the frame is—but supposedly, their backs appear in *Jaws*.

[Andy Ellis] Okay.

[David Spark] That’s my brush with greatness.

[Andy Ellis] Actually, I’ve got one—the Patriots tweeted out a picture for the 4th of July of the flag being held on the field. And I’m in the picture.

[David Spark] Ah, that’s cool!

[Andy Ellis] So, it’s cool to actually have—oh, there’s my picture being tweeted out by a major… But now, granted, I’m like this tiny pixel. You only recognize me if you know it’s me.

[David Spark] Let’s bring on our guest because this has nothing to do with security—anything that we’re talking about. You heard her at the beginning of the show, and now I’m going to officially introduce her. She is the CISO of the Carlyle Group. None other than Bethany De Lude. Bethany, thank you so much for joining us.

[Bethany De Lude] Andy, it’s my pleasure. And to you, David, as well.

[David Spark] I’m glad that you…

[Andy Ellis] I’m just—I’m up here celebrating with joy that I got first billing there.

A CISO’s Tale.

[David Spark] The new reporting rules are starting to change how CISOs operate and report in organizations. Grant Ross at Dark Reading cited a report from Splunk that found that over 90 percent of respondent CISOs are now regularly attending board meetings. That’s good. We’ve talked about the importance of CISOs being storytellers before, but this seems more imperative than ever when talking to the board.

So, let’s get into specifics. Andy, I’ll start with you. What are the architectural elements you need for a compelling story? Do you start with the action or emotion you want to evoke and back it up from there? I want to know what are the elements we’re thinking about when we’re going into that board meeting?

[Andy Ellis] So, I think it’s a fairy tale. If you take the structure of the modern fairy tale, that’s basically what you want to have as your elements, which is you need to have a protagonist to get at risk, right? That’s whatever your asset or your business unit or system is. You need to have a set of hazards that they’re encountering along the way, plus some adversary and a potential bad outcome.

And once you have that structure—and then, an important thing is, and the reason I like to say fairy tale versus any other form of story is that fairy tales actually always downplay the risk. You’d make it consumable, and you always make it that you were reasonable in not going over the top. And this is a place that many CISOs and security practitioners get lost is they want to tell you every possible bad outcome, and you become not believable because you sound like Chicken Little saying, “Oh, look, an acorn fell on my head.

The sky is falling,” instead of saying, “Oh, look, an acorn fell on my head. Maybe we should think about protecting our heads with hard hats.”

[David Spark] All right. I’m throwing this one to you, Bethany. Same question I just asked Andy—what are those architectural elements you need for a compelling story? And do you think like, “All right, this is the net result I want. How am I going to get us there?”

[Bethany De Lude] I’m going to actually pull the thread on something Andy said, which was really drilling down on the word “consumable” because I think that’s really the key word in this fairy tale. When I go into these conversations, I know what I need to do is to establish myself as a credible leader.

I need to let the board know that I’m concerned about the same risk that they are and that, oops, I just so happen to be a cybersecurity expert. So, I think when Andy was talking about not relying on FUD, that’s even more true today because CISOs are expected to have more business savvy. So, when you go into these conversations, talk in the vocabulary of the board—talk about regulatory risk, talk about brand risk, operational risk, financial risk.

Then, connect for them the security program and the role it plays in managing these risks that they care about. And above all, do not use jargon. No one wants to be a part of a conversation where they feel stupid. Board members are smart—they will disengage if you try to out-jargon them. So, make sure that you’re using consumable language.

See how I did that, Andy? I pulled it all back to the word “consumable.”

[Andy Ellis] Yeah, no, I love that. And there’s a key thing in there about when you use the language of your counterparty, which is really important, but make sure you understand the connotations that language has for them. I see too many people walk in, and they want to talk about ROI. And if you can’t actually measure this, the moment you walk in and say, “Oh, this is like a 25 million ROI,” the CFO is going to want to say, “Okay, where did that show up on the balance sheet?” Because to them, the moment you start talking dollars, “Okay, we have a balance sheet that has dollars, so you’d better be able to tie it back to this.” So, make sure what traps you might get into if you try to use too much of their language.

[Bethany De Lude] That’s a fair point. I think something that I have found really helpful is actually to pull stories that the board members likely have read. They read the *Wall Street Journal*, they read *Forbes*, they read *Bloomberg*—being really selective about which stories I flag for them and connect dots about learnings from those headlines that relate to our business.

If there’s a headline about a regulatory fine over cyber, I’m going to go with it. They understand regulations, they understand cyber, they want to avoid fines. So, I’ll make connections about, “Here’s how we’re postured relative to what happened to the person in this real mass media story, and here are ideas we might want to consider to even further reduce the likelihood that we could appear in a similar story.”

[Andy Ellis] Simple hack here—set a Google alert for all of the companies that your board members are either employed at or also board members on. Because when they’re in the headlines, just use those headlines.

[David Spark] Good tip.

[Bethany De Lude] That’s terrific. I know what my homework is after this session.

What annoys a CISO?

[David Spark] Cybersecurity professionals are very passionate and have strong opinions, especially for issues that don’t have great importance—those trivial topics. Which of your opinions are so strong that you will not bend and you will fight to the end? Now, that is a question asked by a Redditor on the Cybersecurity subreddit.

By the way, if you’re not reading the Cybersecurity subreddit, it’s filled with entertaining conversations. So, the battle we fight knowing full well we will lose every time and all efforts are futile, but we do it anyway. So, here are some of the common responses: using the term “cyber” rather than something more descriptive like “information security,” others cited the overuse of AI, arguing over ineffective mandated password rules, shaking up developer leadership, and trying to turn off email forwarding.

So, I’ll start with you, Bethany—what’s a non-critical issue in security that you keep fighting for vehemently?

[Bethany De Lude] I keep fighting against the notion that the CISO should report to the CIO. I think this reporting structure had its season, but the season has passed. And I think it’s imperative for the CISO to be on even footing with the CIO and definitely not subordinate to that role. And when you look at how the CISO’s prominence is playing out in new security regulation, like the SEC’s new cyber rule, when you look at where the CISOs have landed in the DOJ crosshairs with the former Uber CISO being convicted of a felony, the CISO has a much more prominent role.

The CISO needs to be in all conversations at the highest levels of the organization to be effective. And therefore, the CISO reporting to the CIO just no longer makes good sense. I am very passionate, and I will die on my sword on this one.

[David Spark] Okay. By the way, you’re totally not alone on this one. This has come up many times, and Andy is smiling. He’s going to jump all over this. And do you have some others yourself too as well?

[Andy Ellis] No. First penalty flag is this is not a trivial issue. This is an important issue. Like, I just wrote an op-ed on this one—the death of the CIO. It’s one of my most-read op-eds ever. Like, I actually think the CIO and the CISO are both half of one C-level position, and those are going to merge at some point anyway.

But separate from that, I’m throwing a flag because this is not a trivial issue. But I suspect that most CISOs who have credibility do not have trivial topics that they’re going to fight and burn energy on. This is probably the single key thing that keeps people from becoming executive material. If you are willing to burn energy on stupid things—are we calling it cyber?

What’s the definition of a hacker?—like any of these things, you’re not an executive. Just stop right there.

[David Spark] Understand. But the whole point of this is we like to complain—cybersecurity professionals.

[Andy Ellis] No, I went and I read the entire thread, and I laughed at every single one. I’m like, “Yep, I’ve had people who’ve worked for me who’ve fought on that one. And I’ve had to deal with the consequences of some other executive came to me.” And it’s, “Hey, can you not have this person in an executive meeting?”

[David Spark] So, your attitude is—but the whole debate is, if you run down this road, you’re never going to be an executive fighting for this kind of stuff.

[Andy Ellis] Until you get off this road, pick a hill to die on that matters.

[David Spark] So, there’s nothing—given up on all of this stuff? Have you given up on all of it, Andy?

[Andy Ellis] No, yeah. Like, you want to call it “cyber,” fine. I grew up when it was “information warfare.” Like, everybody who’s client information security could get off my lawn, but I’m not going to fight over the naming. Like, to me, “hacker” originally means somebody who crawls around in weird crawl spaces in buildings—like, literally the MIT roof and tunnel hacking culture had nothing to do with computers and everything to do with physical access to places you weren’t supposed to be.

I’m not going to fight on that hill. I don’t care. I got better things to do with my time and energy—and better things to do with your time and energy—than waste them fighting over these things.

Sponsor – Scrut Automation

[David Spark] Before I go on any further, I do want to tell you about our spectacular brand new sponsor, and that would be Scrut Automation—a leading GRC platform that helps you stay aware, stay ahead, and stay compliant, which is what you want to do. So, let me give you some specifics on this. Scrut Automation liberates growing enterprises from the morass of compliance debt to proactively manage their strategic risk, enabling organizations to build sustainable GRC strategies that effectively govern and monitor their security programs.

So, with Scrut’s super flexible GRC platform, security and risk professionals can gain visibility into their risk posture, monitor controls in real-time, and showcase proof of compliance with industry frameworks without stretching the security budget and stay in alignment with the organization’s business goals.

It’s the basics you want from a GRC program, and that is exactly what Scrut Automation does. Just go to their website. Visit scrut.io to schedule a demo or to learn more. 

It’s time to play, “What’s Worse?!”

[David Spark] Bethany, I’m sure you’re familiar with how this game is played, yes?

[Bethany De Lude] Yes.

[David Spark] We have two crappy scenarios. I make Andy answer first, but you can agree or disagree with him. And this is actually a new submitter. We have not had one from this person before, so excited that we can quote someone new. Remember, I’m always looking for good What’s Worse scenarios—the more difficult to decide, the better it is.

This comes from Aaron Kinder of Livingston International, and here are your two options, Andy. Scenario number one: You find out that a senior executive has been using personal devices to access sensitive company data without proper security measures. Scenario number two: You discover that a junior employee has been sharing their login credentials with their colleagues to make their work easier.

[Andy Ellis] Oh, number two, this is easy. Sorry.

[David Spark] It is really nice to occasionally get handed a layup.

[Andy Ellis] Okay.

[David Spark] Let me also qualify—option one was personal devices, plural. If that changes anything, just…

[Andy Ellis] Sorry, you’re describing me, honestly. I’m of the world that—I actually, I think I’m forward-thinking in that I think the correct model for IT in the future is actually going to be everybody only has personal devices, and we have some form of networked EDR that protects them from you, the employer, because I’m tired of ransomware.

So, this one doesn’t really worry me nearly as much as the—oh, wait, we’re passing around credentials, so we don’t know who’s doing something. That one—that’s the obvious worst.

[David Spark] But just want to stress that it’s senior executive versus junior employees. So, a junior employee’s…

[Andy Ellis] That doesn’t even affect the calculus for me.

[David Spark] Not at all?

[Andy Ellis] Not at all.

[David Spark] All right. I think it was super easy for Andy. Is it super easy for you too, Bethany?

[Bethany De Lude] Yes. For the executive, I jingle that shame bell because the executive should know better and not do that. I have to agree with Andy on the sharing of credentials. In history—I used to work for the NSA, and I’m sure we all remember the very public breach that happened when credentials were shared with a contractor.

That is a much more devastating situation than an executive using executive privilege to work around some controls.

[Andy Ellis] And that actually ties right back into the ransomware problem that I just discussed. Yeah. Look, there are enterprises in which using a personal device is seriously a problem, but it still doesn’t even come to the level of sharing credentials.

[David Spark] But the thing is—hold it, but I’m just going to still argue this with you, but…

[Andy Ellis] Okay.

[David Spark] The executive with the personal device not following any of the proper security procedures, so…

[Andy Ellis] Maybe not following any of the proper security procedures.

[David Spark] They’re not following any of the proper security procedures, therefore letting their personal device be very susceptible. Now, this is an employee sharing with colleagues that are supposedly all on the same page. So, it could conceivably be staying in a bubble.

[Andy Ellis] No, if you’re sharing your credentials, that means that everything is on the table. If you’re—like, this is not even a slight slippery slope. Like, the sole root of trust we have in a company is your identity, and it’s tied to your credential. In both cases here, you’re not doing zero trust correctly because you shouldn’t allow anybody to log in from any machine you don’t know about, whether it’s personal or not, because it shouldn’t be technically possible.

[David Spark] How is this any different than when a company has a generic user account that three or four people have logged in?

[Andy Ellis] That’s very different. That’s a shared account that’s being passed around. You just have problems managing it. That’s very different than, say, one of our producers—not that I’m going to put Andrew on the spot—logging in as David Spark and doing things that are now attributed in all the logs to you.

And so, when the FBI shows up because our producer might’ve done something illegal, they’re like, “Oh, it was David.”

[David Spark] But again, I am stressing the fact that we may have a trusted space here, and that may be opening up to a completely untrusted space.

[Andy Ellis] Yeah. David doesn’t like it when we so quickly agree, Bethany, is what’s really going on here. Every time we do this, he, like, tries to argue with us. Yeah.

[David Spark] I’m just trying to make a decent argument here. Bethany, do you agree?

[Bethany De Lude] Okay. Let’s be more provocative then with the executive. If I learned of this, chances are if they’re working outside the security controls, then there’s probably something that we can do to remove friction from that access and do it in a secure way. If you have users who don’t understand that sharing passwords is just patently terrible, you have a different systemic risk.

[Andy Ellis] In fact, if a junior employee is sharing their password, that actually probably means you have a very large culture problem because someone told them that was okay, which wasn’t me and my team. So, it was probably their manager.

[David Spark] Or they could have been just stupid.

[Andy Ellis] Never discount human stupidity. If a junior employee does the thing, it’s because the culture said that’s the thing that you’re supposed to do. Nobody around them said, “Don’t do this.” At the bare minimum, I have people who saw a bad practice and didn’t do anything. More likely to me, this is the smoke that points at the fire of all across my organization.

I suspect people are sharing passwords.

What’s the future for a CISO?

[David Spark] As the CISO role evolves, we’re watching it become more heavily integrated into business, allowing cyber to have more influence. We’re talking about this with the board discussion. While facing more regulatory pressure, CISOs are being seen as purveyors of trust, argued Esther Schein on *CSO Online*.

For a while, CISOs kept falling into the Rodney Dangerfield “no respect” trap. Is that changing too? I think it is. Let’s just say a couple of years ago—and I’ll start with you, Bethany—where are CISOs getting more respect? What’s getting easier for you? What’s actually getting harder?

[Bethany De Lude] So, David, what I think is the situation for CISOs right now is that we live in the Chinese curse of interesting times. On the one hand, security is everywhere. We see it in news headlines. I was at the airport, and there were posters for security tooling. And you even have podcasts—immensely popular podcasts—dedicated to the topic.

[David Spark] And by the way, I see many of our sponsors advertising at the airports too, which I’m always amazed by.

[Bethany De Lude] And so, the good news is that we actually are more relevant just by the environment and the awareness of the environment. That has changed from one of my first CISO roles back in the early 2000s, where you were still trying to explain, “Why is security important? What are the bad things that can happen?” So, that part’s really good, and you’re getting the opportunity to be in rooms that previously you would not have been in.

You wouldn’t be in the boardroom. You wouldn’t have a security steering committee. There’s a lot of—you wouldn’t be talking to investors. They wouldn’t have cared. There’s a lot of things that are getting easier as folks understand why cyber and cyber health is a strategic imperative. Now, on the other hand, what’s getting so much harder is the pace of change—the pace of change in the role, the pace of change in technology.

You have to be a regulatory expert. You have to be a privacy expert. You have to be a business continuity expert. You have to be an expert on novel technologies, which there still isn’t expertise because security sometimes—how you evaluate a novel technology lags behind how that technology wants to be used.

So, it’s a tremendously high-paced environment in a way where you can no longer completely understand your ecosystem. You have to have great people, and you have to rely on external experts as well. And that’s different. I used to know the entire stack inside and out.

[David Spark] Very good point, Andy. And I agree—things are looking good but worse at the same time.

[Andy Ellis] Yeah, I think that it used to be that the CISO was seen primarily as this technical voice in the wilderness that kept running around trying to yell, “Stop,” but a day late and a dollar short. You were trying to get risks addressed after the train had already left the station. And that just didn’t work.

And I’m not saying it’s all roses now, but the challenge is instead of chasing down individual trains, we’re now responsible for looking over the entire travel ecosystem. So, there is no company that says, “Oh, this part of our business, security shouldn’t care about at all.” Whereas I recall 20 years ago being told, “You shouldn’t worry about this.” Like, literally, an HR professional told me that I shouldn’t care about personnel security—not my problem.

And I’m like, “Really? I’m pretty sure I need to care not only about the security of our people but of their data and of how they get access to our buildings and all of these things.” And that was just a battle—to have a seat at a minor table. And now the problem is we have access to too many tables, and we have to figure out which ones to invest our time in.

[Bethany De Lude] And that’s why you need that communication specialist.

[David Spark] I would also say that I think the communication is happening in the mainstream media. I’ve mentioned this many times before. There was a time that the cyber stories would hit the trade first, bubble up to the mainstream, like your *New York Times* and *Wall Street Journal*, and it’s reversed itself, where it hits the *Wall Street Journal* and *New York Times* first.

Your CEO will come to you and go, “Hey, do we need to worry about this?”—something they saw. And then what happens is the trade dives deeper and makes sense of the story. So, in a sense, the fact that this is becoming front-page news, like you referenced, it’s helping elevate and get us out of the essentially Rodney Dangerfield scenario.

Bethany?

[Bethany De Lude] That’s exactly true. And I also think we should touch upon one other area that has significantly changed, and that has to do with CISO liability. Those of us who were CISOs understood that if there had to be a sacrificial lamb after a data breach, that we were going to be it. We would likely be the person who got fired even…

[David Spark] This is a good point.

[Bethany De Lude] Even though, if you went through the audit trail, we probably asked for the investment that wasn’t made that led to the breach, but that’s a different issue. We have a whole different kind of liability. It started with personal criminal liability when you’d looked at the Uber case, and now it has moved on to personal civil liability.

Look at the situation with the SolarWinds CISO—that’s new. That’s a big shift, and it’s having some unintended consequences to the industry, like to the CISO profession. I’ve known some great people who have stepped away, and I know some great people who will not step up because they don’t want to take on that liability.

And that’s new. That is new. You always wanted—this was your big aspiration as a cybersecurity professional.

[Andy Ellis] Yeah. I’m hoping the Tim Brown case resolves in the way it ought to, which is this is a massive overstep by the SEC. They should never have gone after him. And thankfully, one of the recent Supreme Court rulings potentially means he’ll get a trial in front of a jury of his peers and not inside some secret SEC court.

So, we’ll see if he avails himself of that. But I’m less worried about the Joe Sullivan case. I don’t think that actually sets a liability precedent for most of us. There were enough shenanigans between Uber and Joe that I don’t think we need to worry about that. But Tim functionally did nothing wrong and was not a CISO.

And the SEC going after him is having a chilling effect on our industry.

[Bethany De Lude] 100%. That was homework I gave to every CISO that I know—like, actually read the complaint. Read every single word of that complaint. And if you don’t see yourself in that complaint, you haven’t been doing your job.

[Andy Ellis] Right? The complaint is that Tim Brown told his management that what they were doing was not appropriate. They went and did it anyway. And now he’s liable, and he was not an officer. I’m sorry—pretty sure that’s not how corporate liability works.

[Bethany De Lude] Yeah. And that *Loper* decision—it’s going to be interesting to see what the knock-on effects of that are with *Chevron* overturned. So, I’m on pins and needles.

[Andy Ellis] Absolutely.

[David Spark] By the way, we did an episode of our other show, *Defense In Depth*, all about CISO stress and about dealing with intense stress. And we had Tim Brown as a guest, and it’s a phenomenal episode to listen to because Tim—and I’ve mentioned this before—his first 30 days of dealing with the SolarWinds issue, he lost 30 pounds just to stress.

[Bethany De Lude] And he had a heart attack too, didn’t he? Didn’t he…

[David Spark] Or, he may have, I don’t know. He may have. He’s dealt with an insane level of stress.

[Andy Ellis] And here’s what’s fascinating. Tim could retire. He’s got a pony farm somewhere in the middle of America, like…

[David Spark] He stuck through. He could have left at any time. Yeah, he stuck through.

[Andy Ellis] He could have left at any time and chose not to. Like, he chose to help this company get through this, and this is what’s happening to him.

[Bethany De Lude] It’s awful.

What do you think of this vendor marketing tactic?

[David Spark] Working with a vendor is all about trust. That’s something that needs to be earned. And trust takes time. Vendors shouldn’t come out of the gate expecting they’ll immediately gain trust, argued Dave Bowden, CISO over at Frontdoor. He gave an example of a vendor sending out an Excel file as part of their initial sales process, ignoring basic security hygiene.

Between strangers in that initial sales phase, what are good initial steps a vendor can take to start earning trust? And would you ever open that Excel file, Andy, if you got one from a vendor?

[Andy Ellis] So, I’m not going to open it, and that has nothing to do with security and everything to do with, “Who are you, and why do you think you get to waste my time this way?” If I can’t open an Excel file, I have bigger security problems than getting one from a stranger because I’m getting email from strangers all the time that look like colleagues.

The big challenge here is, and I see this a lot in the lead gen, inside sales, SDR, BDR, ADR, whatever you want to call the group today, which is there’s become this sense of entitlement. And it’s gotten actually worse with automated messaging that they feel more entitled even as they’re spending less time per outreach.

I get calendar invites—cold calendar invites.

[David Spark] This is chronic.

[Andy Ellis] “Hey, let’s meet.” And it’s as an invitation, it’s going to show up on my calendar. And I’m just like, “If you go away”—like, those ones, I will often reach out to a CMO. I’ll just reach out to a CMO, and I’ll say, “You have a team that is doing this. This is so unacceptable that I’m emailing you.

And otherwise, I would have to name and shame your company on LinkedIn for doing something that is just vicious.” Like, this is the real problem, is you have a job to do as an SDR. It’s the worst job in the industry, which is you have to get the attention of prospective buyers who might or might not even be in your ICP.

And let’s be honest, you’re mostly spraying and praying. You’re like incontinent dogs running around trying to mark every lead that’s out there. And it’s pretty awful. Like, I’d say 50 percent of the outreach that comes to me, I can tell I’m not in your ICP within seven words. You didn’t do your work, and I’m having to do it for you.

And that’s a problem. And you’re burning all of the trust the industry has. It’s not about individual trust anymore. Basically, people don’t trust email from random strangers anymore.

[David Spark] I had to actually block someone because I was part of some drip campaign, and I actually responded to their emails, and they flat-out ignored them and let their drip campaign continue.

[Andy Ellis] Oh yeah. The drip campaigns that don’t acknowledge when you reply—just shoot me now. I’m like, “I told you no.” And three days later, I get the next drip, and the drip says, “You didn’t respond to my message.” I’m like, “F you, I did.”

[David Spark] Yeah, I had one that said no, and the drip campaign response was, “Awesome. How do we get started?” You didn’t read. All right, Bethany, I throw this to you—this whole trust element with vendors, they want to build it immediately, and it’s not going to happen like that. Would you be opening up an Excel file that came in an initial email?

[Bethany De Lude] I would not, but I might repurpose that email as a phishing simulation.

[David Spark] Oh, there you go.

[Bethany De Lude] So, I did get something helpful out of it. The problem is really, you both nailed it, is that it’s vendor spam and not a differentiated messaging touchpoint. It’s not about building a relationship—it’s how bad actors work. If I throw out a thousand, I just need to get one. Why not want to be one in a thousand?

I want to be the one that you paused, thought about, offered me something of value, and stood out from the pack. And if you can’t get my personal interest, you definitely aren’t going to get my business, and you’re not going to be the one that I respond to that day. So, like, advice I think for vendors who are trying to break into the security market—you need to leverage other CISOs to help market for you.

Find someone in my industry, offer me a community touchpoint, not a sales pitch. I think that’s really key.

[David Spark] One of the things I always see is there is a desire to get a lot done in one message. I ask you—what have you seen? And I know you have a generic vendor response email that you operate under.

[Andy Ellis] I don’t even send it out anymore. It’s not worth my energy.

[David Spark] But if anyone searches on Google for it, “Andy Ellis vendor response.”

[Andy Ellis] Vendor rebuff.

[David Spark] It’s actually well written. It’s excellent. But you’ve seen just a way that a vendor just creates an engagement moment with you because I know you have relationships with vendors, Andy. So, it started somewhere.

[Andy Ellis] Oh, I have one I use with one of our companies. I won’t mention since we don’t do the sponsorship thing here, which is literally, but you can go find it. We wrote the first 91-day guide for CISOs, and it’s pretty vendor agnostic. Obviously, it says you should care a little bit about this space, but it’s literally designed for CISOs in transition and says, “Oh, and so this is a great outreach.

Somebody lands a new job, every vendor is going to connect them and say, ‘Hey, I want a meeting.’” And we’ve got a company that can connect and say, “Hey, by the way, I know you’re getting spammed with folks. Here’s a guide for your first 91 days for things to think about. I’d be happy to chat if you’re ever interested, but if not, that’s okay.

Like, here’s valuable content for you.”

[David Spark] I’m going to ask the same question—what was a good way a vendor engaged with you? Bethany, you close this out.

[Bethany De Lude] Same thing. Very similar to what Andy described. I had a vendor who reached out to me when I was hiring. They just wanted to have coffee near my office. This is a recruiter, so that’s not even my part of the business—I’m not responsible for talent management and our recruitment function.

But the pitch was around, “Hey, I see you’re looking for these cyber roles. I happen to have a playbook for how to market cyber roles effectively. I’ve done a comp analysis in your area, and I just got back to… They are in which I work—part of the country—and have connected with a few CISO think tanks I’d like to talk to you about.

So, if you have time for coffee, here—let me…” And he went ahead and sent the marketing playbook. He said, “I’d love to sit down and just talk to you about what I’m seeing out there in the marketplace.” It was great.

Closing

[David Spark] Very good. That brings us to the very tail end of our show. I want to thank Andy, as always, and a huge thanks to our sponsor, and that would be Scrut Automation. Remember, their website is scrut.io—S-C-R-U-T.io—for your GRC needs. Get some visibility into your risk posture and the status of your compliance GRC industry frameworks, and don’t stretch your security budget.

No need to do that. Go to scrut.io. Bethany, thank you so much for joining us today. Are you hiring over at the Carlyle Group?

[Bethany De Lude] Yes, we are hiring. We have several technology jobs available as well as in the cyber organization. Specifically, we’re looking for a world-class product security expert. So, please go to LinkedIn or our website and apply.

[David Spark] Awesome. Find it on the Carlyle Group as well. Thank you very much. Thank you, Andy, and thank you to our audience. We greatly appreciate your contribution. Send me What’s Worse scenarios that are not softballs for Andy. We can’t have that anymore. It’s—as hard as I try to make it a little harder, was not successful this time.

[Andy Ellis] Nope. Nope. One more in the Andy wins column.

[David Spark] I know—the Andy Wins column. I’m sick and tired of the Andy Wins column. We greatly appreciate you listening and contributing to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows—Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input.

Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.