Hey Vendors, What Problem Is Your Product Solving?

Too often, vendors focus on new features and capabilities, which miss the ultimate point of why they are selling in the first place. CISOs want vendors that can solve problems. So why do so many fail to communicate that?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining us is Yaron Levi, CISO, Dolby.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Scrut Automation

Scrut Automation empowers compliance and risk teams of all sizes to build enterprise-grade security programs effortlessly. With powerful automation, AI-driven efficiencies, and seamless integrations, Scrut eliminates compliance debt and enables proactive risk management—helping your business stay secure as it scales.

Visit www.scrut.io to learn more or schedule a demo.

Full Transcript

[Voiceover] Want to learn more about a cyber security solution but don’t want to talk to sales just to get some preliminaries? Then you need to check out our new podcast, Security You Should Know. Each episode is only about 15 minutes, with two security leaders asking the questions you want to know from one security vendor. It’s available now wherever you get your podcast or at CISOseries.com.

[David Spark] CISOs want vendors that can solve problems, so why do so many fail to communicate that? 

[Voiceover] You’re listening to Defense in Depth. 

[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series. And joining me as actually a guest cohost… Because you normally hear him as a cohost but not on this show. But that’s what he’s going to do right now. It’s Mike Johnson, the CISO of Rivian. Mike, say hello to the audience. 

[Mike Johnson] Hello, audience. I’m happy to be guest cohosting for you today. 

[David Spark] So, he’s not a regular cohost here, but he’s a regular cohost somewhere else. 

[Mike Johnson] I’m an irregular.

[David Spark] Yes. 

[Mike Johnson] Irregular cohost. 

[David Spark] Like when he goes shopping for suits, you go for the irregulars, right? 

[Mike Johnson] I definitely go straight for the irregulars. 

[David Spark] There you go. Our sponsor for today’s episode is Scrut Automation. Stay aware, stay ahead, and stay compliant. Do it all with Scrut. Our guest for today’s episode… I’m bringing him in now before I even talk about today’s episode. It is the CISO for Dolby, Yaron Levi. Yaron, say hello to the audience.

[Yaron Levi] Hello, audience. Happy to be here again. 

[David Spark] All right. Yaron, let me set up the topic you proposed here. So, you recently wrote a post on LinkedIn that laid out the issue vexing a lot of CISOs. You want solutions that can solve problems. That sounds unbelievably basic. But what you were finding is that many of these vendors were just kind of filling up a Gartner bingo card. Like Gartner would set up the categories, and they would sort of fill those sort of distinctions so they could appear on a magic quadrant, I would guess. But everyone will tell you what they do but not what they solve, and this was your complaint. So, I want to just get into can you clearly explain that distinction to us. Why is that important, and why do you believe vendors are not getting this right? 

[Yaron Levi] Yeah. So, I get bombarded all the time by either startup companies or vendors who ask me for feedback on their idea or vendors who try to offer their solutions. All of them I ask the same question – what problem are you trying to solve. Simple. And the reason I ask this question is because it’s very efficient. If I have this problem then I may be curious to learn more about it and see how people solve it. But if I don’t have it then I don’t want to waste time on it. It’s as simple as that. When I think about the CISOs, the problems that we care about are the risks to our businesses, and these are the ones that we try to find solutions for. So, we’re not playing BINGO. We’re just trying to find solutions for problems we have. So, in my post I said, “Tell me what problem you’re solving.” And in response, I received hundreds of sales pitches and none of them articulated the problems. 

[David Spark] [Laughs] Yes, I know. This was actually one of the problems we had when we were putting together the show, Rundown. But you bring up a very good point. And actually for our new show, Security You Should Know, this was one of the things we heard from a lot of CISOs is the one thing we struggle is… And this was the unique distinction. Tell us what you do and then also tell us what you do not do. What is the problem you solve. And then part of that was how do I explain what you do to my CEO, which I thought was a very, very good distinction. 

[Yaron Levi] 100%. Because then I have to study it internally, if I need to ask for budget or anything. So, yeah. If I can’t articulate in a way that my boss, my boss’s boss can understand then there’s no way I can get budget for that. 

Where does this effort fall flat? 

3:47.102

[David Spark] John Patrick says this, “Salespeople often lack technical knowledge about their product’s limitations, leading to overcommitments just to close a deal. There’s often a lack of regular communication about product updates and changes, which can create challenges for effective planning and usage.” And Phillip Miller of Qurple said, “Many startups have only a concept with several features and are lacking a cohesive roadmap to addressing a business priority. Sadly, the same challenge exists for sales teams working at some mature publicly traded security companies. They, too, may lack understanding of how their solution solves a problem. Then the CISO’s team often ends up educating the vendor.” So, what I’m hearing from a lot of this is it doesn’t seem like it’s a problem-solution driven effort here. It seems like these are just salespeople trying to work in a machine to just sell the product and, well, heck, the real concerns of the CISOs are lost here. Mike, do you feel that way? And I know there was some generalizations made.

[Mike Johnson] No, I think what you’re getting at there, David, is interesting in that a lot of this… It’s not necessarily even unique to the security field. This is playbooks that sales teams just use over and over again. They need to get out there. They need to sell. They’re more interested in getting the message out, the broadcast, than necessarily what people are looking for. In some ways it’s marketing but not doing it very well. I think…to one of the other comments in here, I do think it’s critical that the sales teams need to understand the products that they’re selling. It’s one thing to just read from a playbook. But if you don’t understand what your product is, if you don’t understand what it does, you’re not going to be able to answer the “what problem does it solve” question that Yaron very astutely asks to these folks. But it really does seem like this is just a machine that folks are going from a playbook, and they’re just putting it out there, broadcast and hoping somebody latches on.

[David Spark] You know, you talk to people or salespeople in any industry for that matter, they kind of operate like this. And so I think that’s why there’s this feeling. Yaron? 

[Yaron Levi] Yeah, absolutely. I think the sales team must know what problem their product or service solves because this is how they can show the value and find out whether the client cares about it or not. So, let me give an example from a different field – take two salespeople. Let’s say one of them comes and says, “We are an NSAID provider, and we provide 200 milligram ibuprofen pink tablets.” And then another one comes and says, “We provide tablets that make headaches go away in 20 minutes.” Who are you going to talk to? I mean I don’t know what NSAID is. I’m sure it’s something in the medical field. And whether it’s 200 milligrams or 400 milligrams is better, I don’t know. But if somebody comes and says, “Hey, I have a tablet that will make your headache go away in 20 minutes,” okay, now I am interested because I have a headache, so I know what problem they’re solving.

[Mike Johnson] I think that’s an interesting example because if you compare those two, the former is talking to a very technical audience who knows exactly what those mean. That’s probably what they’re putting out there. They assume that who they’re talking to knows what that means. The latter is the more broad, “Hey, problem, solution, let’s talk.” What I think is fascinating about that example is I wonder if that’s what we’re seeing in the security field in that people are very used to talking to experts. And so they want to meet them where they are. They want to talk as if they’re also an expert rather than simplifying it down to what is the problem, and I’ve got the solution. 

[David Spark] So, you think it’s more important that they’re seen as an expert rather than, “I’m trying to sell you pain medication.” Because can I just say, I love the example you used, and I’m just going to use an example of a friend of mine. Years ago, I met a friend of mine who had an extremely successful blog. This was when blogs could just make money off of content on the site. I said, “What do you blog about? How do you get this?” And he just said, “Pain medication. That’s all I do. If I see a pain and I provide a way to solve it through a blog post, that is a successful model.” And he just said, “Pain medication. That’s it. My job is pain medication.” So, it seems like this is the way vendors should look at CISOs. Be pain medication. Yes? What do you think?

[Yaron Levi] Yeah, because we’re trying to solve problems and pains that we have. That’s essentially what we’re trying to do. And I think our field became so complex over the years. It’s so difficult for us to even keep up with all the different acronyms we have. You know, DSPM, and CSPM, and ASPM, and CTAM [Phonetic 00:08:41]. I’m like, “What does it even mean, all of that?” It’s really, really hard. And every day we hear some new acronym. 

[David Spark] Yeah. Can I just say, there was a time I felt embarrassed to ask what an acronym is. Now I’m like, “Oh, it’s totally cool,” because it’s far too confusing. 

[Laughter] 

[Mike Johnson] Because they probably just made it up anyway. 

[David Spark] Like yesterday. 

No one said it would be easy.

9:01.818 

[David Spark] Brian Druckenbroad of Newfold Digital said, “I love how bold some claims are here. Real world with legacy code bases, tech debt, on premise environments. How many can really deliver on their promises? The hard part is there isn’t really a way to create a guarantee or warranty on the claims.” And by the way, this is a whole different story of how do I know if my product is actually doing the thing that it’s supposed to do, and that’s a whole other discussion. But Tim Golden of Compliance Scorecard said, “I am reminded of my first English writing class in high school. Answer the five W’s, who, what, why, where, when, and how, in the first paragraph.” So, this goes back to also my sort of pain medication comment here of sometimes we’re overwhelmed by sort of the fancy pitch and that marketing people are just trying to show their ability to write rather than address the concern of the CISO, the potential buyer. What do you think, Yaron? 

[Yaron Levi] Yeah. I like really what Tim said about the five questions and answering those five questions. Because it really shows that you really truly understand in your bones what you’re doing. And even more so, why you’re doing it. And I think it’s also especially important for startups. Because as a founder, if you’re going to dedicate the next whatever, five to ten years, of your life to work on a problem, you’d better know what you’re dedicating your life to. And you need to answer these questions. I mean first and foremost, I mean for yourself I think it’s a must do. There’s an interesting book that I read by Ben Horowitz from Andreessen Horowitz. It’s a large VC in the valley. It’s called “The Hard Things About the Hard Things.” And he basically describes every founder has two states of mind – euphoria and complete horror. So, if you’re going to just live the next five or ten years of your life between those two mindsets, you should really know very well why you’re doing this. I think especially for startup companies it’s extremely important to know.

[David Spark] Mike, are you in a state of euphoria or complete horror right now? 

[Mike Johnson] That feels like… Can I be in both at the same time? 

[David Spark] No, you definitely can’t. 

[Mike Johnson] I don’t see why not. Like euphoric horror sounds like a great idea. 

[Yaron Levi] I think most CISOs are. And that’s why maybe CISOs can make great founders. Because we’re used to being… 

[David Spark] I’m going to do a little aside for our audience right now. I was making fun of Mike when he first joined on. I should capture an image of this for the future. Whenever Mike first signs on to do a recording, he kind of has this look of just complete confusion of like, “What have I gotten myself into?” And I’m like, “How many hundreds of shows have we done together, Mike?” And it looks the same each time. [Laughs] 

[Mike Johnson] Because I live in that same place of euphoric horror when I’m joining this podcast because I know it’s just going to be a roller coaster from the beginning.

[David Spark] All right, let’s go back to the topic at hand. So, I think the people selling aren’t getting in touch with the core needs of their customers. I think maybe that’s what Yaron is trying to get at. What do you feel? Do you feel that the vendors are getting to the core needs, some are, some aren’t? Where are we falling here? 

[Mike Johnson] What you have is there is that, “I need to get an initial conversation. And how do I get that initial conversation?” That gives you, once you’re in that conversation, that ability to understand my needs, what my problems are, what I’m trying to solve. What I’m tackling is not the same as what Yaron is trying to tackle. There’s an 80% overlap, by all means, but that’s an 80% overlap. And those are going to be addressed by broad solutions. It’s that 20% that’s really difficult for me to solve, for Yaron to solve, for any CISO out there to solve. If you’re selling, how do you know what that 20% is? So, it’s very difficult, like putting myself in the shoes of a seller, it’s not easy to know what that is. 

But what you need to do and success should be measured in do you get that initial conversation to really understand what those issues are. I’m not going to broadcast to the world what my 20% problems are because… For many reasons. But if I’m talking in a conversation with a vendor, I can start to have a little bit more clarity on what my problems are, and they can then have a little bit more of a conversation. So, this is a long way of saying I understand and can relate to the challenge that sales folks are having. But at the same time, just broadcasting out the same message over and over again isn’t necessarily going to get to the root of the problem and really have a good, productive conversation. 

Sponsor – Scrut Automation

13:55.005

[David Spark] Before I go on any further, I do want to tell you about our spectacular sponsor, Scrut. Scrut Automation. So, this company is helping businesses eliminate compliance debt and take control of risk without slowing down. That is key. So, listen. Managing compliance and security shouldn’t be a roadblock to growth. Scrut simplifies the process with automation, AI driven insights, and real time monitoring so teams can streamline audits, track security controls, and stay ahead of regulatory requirements without the manual workload. Now, with Scrut, security and risk professionals can gain instant visibility into their compliance posture, automate evidence collection, and manage multiple frameworks effortlessly. AI powered insights help teams focus on what truly matters – reducing risk, maintaining trust, and scaling with confidence. Don’t let compliance slow you down. Scrut helps you stay secure, audit ready, and focused on growth. Go to their website. That is scrut.io. Go to that website to schedule a demo or just learn more. It’s scrut.io. Check them out.

Well, I guess that’s one way to solve it. 

15:08.290

[David Spark] Richard B. of the Department of Water and Environmental Regulations said, “I always like the, ‘I know you have product X. My product does the same but one percent better or has one hardly used feature, so I suggest you pay for both.’” And David Rawlings of World Wide Technology said, “I read Yaron’s post as more of a PSA and less of an invitation for vendors to randomly shoot their shot to hone their cold outreach skills, but maybe I misread this one.” All right, so I should tell the audience that there are dozens and dozens, maybe a hundred responses to this. And most of them are pitching Yaron their product and not actually having this discussion. And so Yaron was like, “Did I lead them the wrong way?” But it was pretty clear what Yaron was saying, but I think the ball got rolling. Like a few did it, and they said, “Oh, I guess this is what we’re supposed to do.” And then just everyone started doing it. But that’s not what you wanted, was it, Yaron? 

[Yaron Levi] No. But I’ll own that one. That’s on me. I could have drafted it a little bit better, so I’ll own that one. But I think it’s one of those things when they say no good thing goes unpunished. So, yeah, my intention was really to say, “Hey, make it easier for both of us. And if you talk about the problem you’re solving, it’s really more efficient and easy for us to talk as opposed to the process we’re going through right now.” And, yes, I got bombarded by 200 messages to the post. I think I got another 300 to my work email and private email and what have you. So, yeah, there was a lot. But the interesting part was that if you look at them… And, again, they are on the post. You would see that most of them say what they do, nobody was saying what problems they’re solving. So, in a way, they kind of prove my point. I really hope that the discussion is really going to help all of us. Right? This is not shooting bullets at anybody. This is really I’m trying to help and say, “Look, if you want to be able to talk to us then we need each other. We need a partnership. And to make it easier for both of us, make it easier for us to understand what you’re doing.”

[David Spark] Let me ask you a question, both of you. And I’ll start with you, Mike. Is there a time you sort of give feedback to the vendor? Like, “Hey, this really isn’t the way to approach me. It would be much better if you did this.” And I know I can’t do this with everybody. I have so many hours in the day. But at one time… I’m assuming it’s one of those get you at the right time. Where do you stand on that, “I’ve got to give this vendor feedback,” or, “I’m letting this go. I don’t have time or patience to get into this.” 

[Mike Johnson] Like most things, it depends. Sometimes it genuinely is just right time. Like maybe I’m standing in the line in some long line at Disney World, and I’m just looking at my phone. And a LinkedIn message comes in, and I’m like, “Yeah, I got nothing else to do. I’ll just toss a little bit of advice back to this person.” But more often where it comes up is someone I’ve worked with at a different vendor. So, maybe they’ve switched vendors, or I’ve been introduced through a mutual friend. There is some connection there that I have a reason to engage. And genuinely I think most humans want to be helpful, and so I’ll spend a little bit of time being helpful. The most likely scenario is I know you either directly or indirectly, and so I’ll take a moment to say, “Hey, maybe we can clean this up a little bit,” or, “Here’s a better approach.” 

[David Spark] But do you ever do this to someone you do not know at all? 

[Mike Johnson] I will say that there probably are a few LinkedIn private message threads that I have that genuinely happened, but it really was just pure, random chance. Maybe it was something…a company that I was familiar with or a problem space that I had, so there was some familiarity there. But it’s certainly not with everyone that comes through. 

[David Spark] All right, Yaron, same question to you. At what point do you sort of engage back personally? Like, “Uh, not the way to engage right here.” 

[Yaron Levi] Yeah, I think it’s kind of going back to what Mike said. It’s sometimes if kind of you have the time or you’re waiting in line for something or whatever. 

[David Spark] And you’re in a good mood maybe even?

[Yaron Levi] In a good mood or bad mood. It depends. Right? I mean… 

[David Spark] [Laughs] 

[Yaron Levi] Or bad mood. Bad mood, too. I also want to emphasize something that Mike said about the relationship and the trust. This is, I think, what’s important. When you build a relationship with people over the years… In our industry, we have a great community of people, and people know each other and talk to each other all the time. So, people genuinely want to help each other out, and they do. Obviously I have a day job. I cannot do it all day long, and I don’t. But periodically from time to time, as Mike said, some private message or something, happy to help. But there’s only so much we can do. 

Where do we begin? 

19:52.082

[David Spark] Ross Young, who is the CISO in residence over at Team8, said, “For me, the big three questions are what problems do you solve…” Ah, you mentioned that. “Why is this an urgent issue to fix?” That’s a good one. “And what differentiates you from vendors in the same quadrant.” And we’ve heard that one before. That is three great questions. And, heck, if you got a message and someone explaining that, wouldn’t that solve a lot, Mike? 

[Mike Johnson] Yeah. I don’t like the quadrant mention. 

[David Spark] By the way, same quadrant, let me say, that’s hitting the issue…let me just say in the same category. I’ll say that. Even though it’s Ross’s comment. 

[Mike Johnson] No, no, no, that’s what I was going to say is what separates you from your competitors is a really good thing to explain. It could be cost. It could be recommendations from other customers. It really is a reasonable thing to answer. The first time I read this and thought about it, “This is an urgent issue to fix,” at first I was like, “Eh, that’s a good one.” But then it dawned on me, if you’re randomly hitting me out of the blue and you happen to land on something that is an urgent issue for me, I might have a bigger problem than the fact that I was just waiting for somebody to come at me with, “Well, here’s a fix to your urgent problem.” I think it’s really more the approach that I like is plant the seed. And then when I do have that issue, when I do have that challenge, I know who to come back to. And that is then more of a relationship that you can nurture over time versus you just happened to get me at the right time, because the likelihood of you doing that is very low. 

[David Spark] By the way, I want to double down on that for a second. It’s not just about you, it’s about you getting the message, “We’re the ones who solve X.” And the fact that that sticks in your brain. And if they’re good at making it stick in your brain, you’re going to run into other people who have the problem with X. And they go, “Oh, you know what? I just talked to this company, and they deal with this thing. You should give them a contact… I’ve got a contact over there.” There is enormous value to that because CISOs talk to CISOs. Yaron, am I right on this? It’s like do you lean on that value? I’ve got to assume you’ve referred someone you never worked with before but you knew what they did. You had no need for it, but a colleague mentioned they had a need.

[Yaron Levi] Oh, yeah. Absolutely. And we do it all the time. When we have a problem, when we have a need, we reach out to the community and say, “Hey, did anybody…? What are others doing about X?” Or whatever the issue is. So, yeah, we do that all the time. And to your point, if somebody articulates what they do and what problem they solve, and it’s easy to understand how they’re doing it, and they’re doing it in a way that… Like Mike said, plant the seed. Build the relationship. I have a folder in my inbox that basically is called “cold outreach to keep.” And basically this is something that I just got a cold message. It looks interesting. I recognize the problem. It’s not something I have. I may need it one day, I may not. I just throw it in there. And then whatever, a year from now, maybe now there’s a time to deal with that or now I can do something about. Or somebody asks me and says, “Hey, do you know anything about this?” I can go to this folder. I just search for this name, or person, or whatever, and just pull it out from there. Easy.

[David Spark] I want to make a call out to our audience on just what you just said there. I’d be interested… And when we post this episode, please leave it in the comments on the LinkedIn post. I’d be interested to know from our audience is how many of you have actually laid the ground work in terms of explaining what you do, and you got results six months, a year, two years later. Like exactly what Yaron said. Because I bet you the ones who do play the long game, it turns out to be quite fruitful for them. What do you guys think? Yes? 

[Mike Johnson] Yeah. There’s actually one that comes to mind for me that I’m having that conversation with them next week or so. And it goes back to conversations that were had within some of these Slack communities a year ago. And the person that I’m talking to actually…they’re not the one who planted the seed, but they supported their customers. And their customers were happy to talk about them and happy to recommend them in a conversation that at the time I didn’t really care about. It wasn’t something that I was really worried about at the time, but I now had the problem. I went and did a search in this Slack community for prior conversations about this particular issue, and I got a short list very quick of vendors that I needed to reach out to. And that was me then going and engaging with them. And that’s a far more valuable situation than them doing cold outreach randomly that they happened to land into Yaron’s folder. If I’m coming to your website and I’m engaging with your website, you already have the hook at that point. Yes, there is absolutely cases that come to mind for me that the seed was planted a year ago. 

Closing

00:24:54

[David Spark] Well, that brings us to the very end of the show. And I’m going to ask you first, Mr. Yaron Levi, which quote was your favorite here of the handful that I read and why? 

[Yaron Levi] I would go with David Rawlings from World Wide Technology who basically called me out on my comment. The way that he read my post was the right way, meaning it was a public service announcement, as opposed to an ask for pitches.

[David Spark] By the way, I appreciate he called out. I thought that was quite funny actually. 

[Yaron Levi] Yes. Yes. Yeah. 

[David Spark] [Laughs] 

[Yaron Levi] I think the first few comments I saw back after I posted it, I’m like, “Oh my God, what have I done?” 

[David Spark] Honestly, I think it was a few people took the bold choice, and then the others just… It was like they started the snowball, and it just kept rolling. [Laughs] All right, Mike, what was your favorite? 

[Mike Johnson] So, I’ll highlight Tim Golden’s message where he talked about the five W’s from high school. 

[David Spark] “Why” being one of them. 

[Mike Johnson] Yes, “why” being one of them. The five whys is back to incident root cause analysis, which is where I always go.

[David Spark] Right, that’s a Japanese production philosophy. 

[Mike Johnson] Yeah, Kanban. But the five W’s really, I think, is something that folks should just think about, and it’s a great way of very quickly explaining the situation, the item, the product, whatever it is. 

[David Spark] Well, that brings us to the end of the show. I want to thank our sponsor, and that would be Scrut. Scrut Automation. Remember, with Scrut you can stay aware, stay ahead, and stay compliant. So many good things for you. Just make all these sort of tough jobs around compliance and risk management a lot easier. Just go to their website and get a demo. You just look and research some more. Check them out. Scrut.io. Check them out. And I want to thank you, Yaron, for bringing this discussion. This was a great, great discussion. I love this. Yaron has done sort of a lot of variations of this. But what I love is that you sort of pinpoint on one element of the vendor-CISO relationship each time and let us sort of dissect it. And I really, really enjoyed this conversation. So, thank you so much for bringing it to our attention and for being part of this discussion. And, Mike, thank you for crossing over to Defense in Depth and participating. Being the “little bit country” in our “little bit country and rock and roll” Donny and Marie duet that we usually do. 

[Mike Johnson] Okay. I’m going to take that one. 

[David Spark] Yeah. There we go. There you go. Your 1970s reference for everybody. 

[Mike Johnson] Deep cut. 

[David Spark] There you go. By the way, we lost Wayne Osmond recently, I believe. One of the Osmond brothers, unfortunately we lost. That was not the point of this, but I do want to thank our audience for your contributions and for listening to Defense in Depth. 

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@CISOseries.com. Thank you for listening to Defense in Depth. 

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.