We like to think the best product will stand out in the market. In cybersecurity, is it enough to just rely on being great? When there are so many vendors selling to so few customers, how do security vendors make headway to getting noticed?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Edward Contreras, senior EVP and CISO, Frost Bank. Joining us is Jason Taule, CISO, Luminis Health.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Doppel

Full Transcript
[David Spark] We like to think the best product will stand out in the market. Now in cybersecurity, is it enough to just rely on being great? When there are so many vendors selling to so few customers, how do security vendors make headway to getting noticed?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name’s David Spark. I’m the producer of the CISO Series. And joining me is my co-host, a regular co-host for this show. It’s Eddie Contreras, senior EVP and CISO for Frost Bank. Eddie, say hello to the audience.
[Edward Contreras] David, happy to be back again.
[David Spark] Well, you just said hello to me. You got to say hello to the audience, Eddie.
[Edward Contreras] Audience, I am so happy and ecstatic to be here. You have no idea. If you could only see the video.
[David Spark] It’s more spectacular than you could possibly imagine.
[Edward Contreras] [Laughter]
[David Spark] Our sponsor for today’s episode is Doppel. Defend what’s real, disrupt what’s not. I’m talking about social engineering. Some really, really cool technology they’ve got. More about that a little bit later in the show. But first, Eddie, let’s talk about today’s topic, and this is a topic very near and dear to our hearts here at the CISO Series, kind of why we built this whole brand.
So, today’s topic is about how do security vendors get noticed by prospective buyers? For those of you who don’t know, the original name of this series was called the CISO Security Vendor Relationship Series. I mean, we were really in on this very early on.
Now, not to pat ourselves on the back too much, but the business model of the CISO Series is to offer a solution to this very problem of getting noticed.
Now, I talk to many startups and the common concern I hear again and again is, “We have this great product, but nobody knows we exist.” Now, David Mundy of Tuskira noted that when it comes to security solutions, the reality is we have thousands of vendors.
I want to give a tip of the hat to Richard Stiennon of IT Harvest who’s been actually counting them, and I asked him recently. There are somewhere, honestly, between 4,500 and 5,500 security vendors out there, and all of them are trying to sell to about 10,000 enterprise customers.
Eddie, there are many security vendors listening to this episode and anxiously hoping you’ll have the secret sauce to getting noticed. Do you have an answer? And if so, we could end this episode right now.
[Edward Contreras] I wish it was that easy. Our sponsor would not be happy with us if it ended very quickly. In the financial industry, we have a program called the Bank Secrecy Act, BSA, and every employee in the company has to essentially take an annual compliance test that we understand this program.
Well, part of that program is an acronym called KYC, Know Your Customer. And in that, we can take a customer’s money so long as we know how the money came to them and how it’s going to go out. Such an easy concept to say, such a difficult task to execute, and I think this is something that the vendors really need to understand.
If you truly know your customer, if you know what is it that they’re looking for, what is it that you’re selling, how do you align those stars together? I think the sales practice then becomes more like a science project as opposed to like a circus, and you really want to stay away from the circus.
And so, yeah, know your customer is just a phenomenal phrase, but it’s difficult because it takes time.
[David Spark] It is work. I mean, I’m not arguing. It’s not easy. And that’s why you didn’t have a quick [Laughter] answer to the question.
[Edward Contreras] [Laughter]
[David Spark] All right. But to help us with this discussion, and I know because we’ve spent years talking about this, we’re not going to have all the answers right now, but I’m really interested in new insights, just new thoughts, new insights to this.
And the person to help us with that very discussion, I got a chance to speak to him at another CISO sort of meetup, and I really liked his insights. So, thrilled that he’s here. He is the CISO over at Luminis Health, none other than Jason Taule. Jason, thank you so much for joining us.
[Jason Taule] Great to be here. It’s a pleasure to talk with both of you.
What’s the ROI?
3:58.047
[David Spark] Chris Hughes of Aquia said, “Cyber indeed has some unique aspects, such as a real inability to articulate ROI in many cases, trying to drive investment for a product that may or may not help stop something from occurring, which may or may not happen.” Jorge Monteiro of ETHIACK said, “If the best product wins, how can we make product evaluations more transparent?
Can we create public benchmarks that really let vendors compete on technical stuff? Or are we just relying on Gartner and analysts?” So, this last one from Jorge about product evaluations, I’ve seen so many people coming up to me and saying, “Oh, I’m going to create this area where people can look at security solutions and buy them.” I’m like, “Yeah, good luck.” Sounds like a good idea, but it’s not working out that way, is it?
I mean, you’d like that, Eddie, if it existed, right?
[Edward Contreras] I would love it. It’s the same reason why I don’t order a lot of clothes online. You got to try it on. You have to see how that fits. If a medium just across the board fit everybody, great, but as I am fully aware, texture matters, body shape matters, designs matter.
So, medium’s a medium until you put it on and then you realize, “Well, maybe I like a little bit different style of medium.” But oh, yeah, it’s a difficult process here.
[David Spark] Yeah. And the thing is, what we always kind of stress is anytime you’re looking at a new solution, it’s coming in with other solutions and they got to play nicely with them. So, does that shirt go with the pants and the shoes, right?
[Laughter]
[Edward Contreras] Yeah, exactly, when you’re putting your wardrobe together. That’s why you always talk to people, and they want to share results. And sharing results is good, but everybody’s technology stack is their own DNA. It’s unique. Any flavor of system.
Even quantity matters, you know, 5,000 servers, even though they’re all Windows, is different than 3,000 Windows servers. And so, it does matter. So, your DNA stack is going to influence the performance of that vendor’s technology, and so you really do have to give it the dry run.
So, while it’s a very tedious step, it’s a critical step.
[David Spark] Jason, do you agree here or is there another way to make a marketplace? Because, I mean, there is Gartner, there’s G2, and just patting ourselves on the back, we started our show called Security You Should Know, but it doesn’t really have the sort of the roundup methodology that people are looking for.
Because you’d love to know that, like, I want to buy an EDR solution. Well, I want to look at the top 10 and what are the top 10 and how do I compare them? And there are kind of ways to see this, but like Eddie said, no one size is perfect for you.
Some people like certain designers over others.
[Jason Taule] So, I think there’s three points to make here. First, we have a definitional issue. What does “best” mean? To use your analogy, best shirt, well, is it the best shirt for the winter? Best shirt for the summer? You have to define what best is, and that’s going to be unique to each organization.
Even when we’re dealing with common threats and common gaps in our security program, then I want to break it down into, well, is this something that has already been in existence for which there’s been ample opportunity for the vendors to understand the need and develop a solution versus something that’s rapidly emerging and there may only be one or two products, right?
It’s easy to be best when you’re the only entrant, right?
So, let’s use this as an example. I think it’s ironic that many of us in IT ignored, somewhat at our own peril, the OT world. Most CISOs have responsibility for both. If it’s connected to my network or interconnects with it and it has data on it, I don’t care what it does.
So, by OT, I mean all the operational stuff, the other stuff, the building management systems, the SCADA equipment, the manufacturing equipment, the biomedical equipment. If that’s on the same network, I have an issue. Well, it seems strange that that was there all along, but very recently, in the past couple years, a bunch of CISOs suddenly woke up.
This became the hot topic. There were a couple of new entrants into the market. There was a solution by Microsoft that came out called Defender for IoT. And many people, particularly Microsoft-first shops, were like, “This is fantastic. I can rely on Microsoft.” Well, turns out it did do things that nothing else solved for because there was nothing else out there.
That doesn’t mean it was the best. It was the best available solution at the time from a company that offered something that maybe you could afford. There are other solutions. There are other products now called Phosphorus and Armis and they do a better version.
They do more because that’s all they do. So, you always have that challenge.
You mentioned the point before about your outfit has to match. Integration’s the biggest issue, right? This has been the biggest challenge. So, one of the other challenges is when we say best is I typically look to my existing vendors. Can you help me with this issue?
Right? I don’t want to go through the complexity of acquiring a new product. More screens, greater complexity, greater total cost of ownership is an issue that I want to manage. So, if I go to my vendor and I say, what can you do? They often have purchased a product.
Well, did they purchase the best product? No. They purchased the best product that was available in the market at a price that they were willing to pay and a company who’s willing to sell to them.
[David Spark] [Laughter]
[Jason Taule] So, even then we have those forces and that’s been going on for 30 or 40 years. The biggest issue is I don’t have a greenfield. I have design constraints. This stuff, not only do I have to get it to integrate with my existing tools, it has to fit my culture.
And as we have other quotes that we’ll talk about here in a moment, I think that’s really the bigger challenge is that culture. I want to make one last point, not to disparage any of the trade magazines that have existed for decades, but SC Magazine back in the day used to do and made a name for itself doing bake-offs.
They would pick a category. They would have a couple different vendors. Here too, the criteria, and this could be said of Gartner and whether there’s question of, not that there isn’t value in that, but that’s kind of a pay-to-play model and others have their limitations.
SC Magazine in the footprints had evaluation criteria, and in those days, this is a product that I particularly remember. Ron Gula was one of the first individuals to come out with anything in the intrusion detection space. He had a product called Dragon.
It had no command line interface, right? Now the test, this is intrusion detection. It was the only solution in the bake-off to find and stop everything that got thrown at it. As far as I’m concerned, no other criteria matters, right? That’s the job – block bad things.
Well, I don’t know what the motivation was, potentially it was ad revenue from their other major sponsors, but the criteria weighted heavily 50% on the GUI that this tool didn’t have. Now, most of the geeks that I’ve worked with, they would prefer a command line interface anyway.
It’s that kind of frustration. So, if you just take the top line and many people do, and look at the Magic Quadrant, I look at Forrester has their wave, etc. If you don’t dig into the details, there’s no way you’re going to understand what’s best or what’s best fit.
I really think it should be about best fit.
Can there ever be agreement on this?
10:50.545
[David Spark] Joseph Hoban of RedSeal said, “Boatloads of venture money flowing into such a tight space exploding the number of sellers chasing basically the same number of buyers. Buyers taking cover from this onslaught and coalescing into VC-sponsored advisory groups and or receding behind their favorite procurement partners.
It’s not as easy as it all used to be.” And Erik Lawrence of INFUSE said, “Everyone’s out here trying to ‘optimize their go to market’ like it’s 2015. It’s not. The game’s changed, the math changed. Most people just haven’t emotionally accepted it yet.
In cybersecurity, it’s not about marketing better anymore. It’s about demand generation at a sniper level. It’s about being so in tune with buyer signals that you’re already in the conversation before they realize they need you.” That’s a good line.
“Precision demand is the unlock. Most won’t do it because it’s hard, it’s messy, and it’s not sexy, but that’s where the outsized wins live now.” This is talking to exactly what you said at the beginning of the show, Eddie. It’s the sniper level. We talk about it like account-based marketing even, but if you really know your buyer, you’re in conversation – that’s a key thing – before there’s a need for your product, that’s huge.
I bet you you’ve been sold to like that. Yes?
[Edward Contreras] Absolutely. And I think one of the things that I look at when I use a VAR, a value-added reseller, it’s the relationship. They’ve been with me for a while. They’ve been in the trenches. They’ve seen some failures. They’ve seen some successes.
And then there’s some stickiness there. They have recent memory of something that I’ve said, of something that I’ve asked for, of something that I needed. And all of a sudden, they’re going to come to me and say, “Hey, remember that conversation we had not that long ago during that red team/blue team exercise?
Well, guess what? I got this vendor here.” There is no better way to start a conversation than that. And for me, that’s the value.
So, yes, you can find the unicorn cold call once in a while, and I don’t want to discourage all the salespeople out there. I know it’s part of the job. The top of the funnel’s important. But the reality is those VAR relationships, those value-added reseller relationships, those are the sticky ones.
That’s where you make some of the big sales. And those are the relationships that can trickle further down the road than most people realize. I have direct relationships with vendors, absolutely. But some of my biggest spends are through some of those VARs, and some of my most important spends are through those as well.
So, again, I spend all throughout the entire ecosystem, but when it comes to really solving a problem, I kind of look for those relationships.
[David Spark] What’s your experience with VARs, Jason?
[Jason Taule] We lean heavily on them. In fact, we expect our VARs to do just that, value-add, right? Not just a relationship. That’s good. I don’t want you to know me. I want you to know my tech. I want you to know my business. I want you to know my industry.
I want you to know my challenges. As I mentioned before, rarely do any of us have this greenfield. We’ve got to take whatever solution. It’s got to fit in our environment. In the healthcare setting particularly, we have legacy infrastructure, particularly on the biomedical side, on the OT side.
The device itself does its job just perfectly, just as well today as it did a decade ago when we acquired it. The problem is it sits on underlying technology that’s aged out. It’s gone off service. It’s gone off support. I have to have that solution work.
Well, typically the way we justify that is we segment things. Well, now suddenly, I can’t see into that segment. Your solution has to be the right solution to work in that tech environment. You have to price it the right way. That’s where the VARs come in because if I’m one voice articulating that to a vendor, that doesn’t represent the market to them.
And back to the original point, if the vendors are only focusing on the 10,000 large customers, that’s easy, right? It’s a quick, big return on that investment of your time and energy, but clearly there’s way more organizations that need it, and I’m just one.
I think the VARs hearing from multiple organizations because think about it, everybody needs this. I don’t care whether you’re a small startup. I’m not going to do business with you if you don’t show me respect for the data that I have to share with you.
That fundamentally is the challenge that the CISO has. It’s not just keeping the bad guys out. That’s part of it, but we have to enable the business. We have to provide those assurances to our customers and anticipate their concerns, and if we don’t do that the right way, we’re never going to succeed.
So, if a VAR’s listening to me and understands what those challenges are and combines it with the others with whom they have relationships, that’s really useful feedback. I actually think that there is an opportunity for some of the roundtables that CISOs belong to, to pivot.
And not just have it be about the CISOs receiving good guidance, which is absolutely important and useful, but wouldn’t it be nice if we could use those forums to inform the vendor community? Not just about their existing products, but about product categories for which there is no vendor now?
I don’t know what the percentage is, but using the 80/20 rule, I’m more concerned about the 20% of my attack surface, as it’s called, for which there is no existing vendor. I want to incentivize vendors to expand their offerings to provide coverage in those gaps as well, and again, that’s the VAR relationship.
Sponsor – Doppel
16:03.600
[David Spark] Before we go on any further, I do want to tell you about our awesome sponsor, and that’s Doppel, and this is about social engineering, so this is pretty darn cool stuff. Doppel is the first social engineering defense platform purpose-built to dismantle impersonation threats before they cause harm.
Now, while legacy tools focus on detection and alerting, Doppel goes further using AI and infrastructure correlation to link phishing emails, fake domains, deep fakes, and impersonation campaigns across channels, from executive protection to brand impersonation takedowns, Doppel doesn’t just flag threats, it disrupts them at the source.
So every attack fuels their shared threat grid, giving every customer the benefit of collective intelligence. The result? Faster disruption, stronger resilience, and fewer opportunities for adversaries to profit. Doppel makes digital deception unprofitable, protecting your people, your reputation, and your revenue in a world where social engineering is now the biggest threat to enterprise security.
For more, go to their website. It’s doppel.com. Check them out, and when you do, let them know that the CISO Series sent you there.
There must be a better solution.
17:22.290
[David Spark] Kim Tran of Gimmal said, “It’s less about being the best product and more about buyers, many experienced or reluctant, being afraid to make the wrong selections/decisions. It’s less about the cost of doing nothing and more the cost of doing something.
How much social capital/credit am I willing to spend convincing and fighting with my executives and CFO that we need this? Will I/we get blamed if this solution doesn’t work out as intended/promised? Who else do I need to involve that will likely derail and detract any progress I’ve made?
It’s not just a fresh coat of paint we’re talking about here. It’s a complete gutting and reno job at hand, and not everyone is willing enough or patient enough to go through it.” Oh, that gets a lot of stresses there.
All right, last quote from Virginia Case, who said, “Everything in my job is politics. Also, the best product is the one that can articulately explain the pain, the resolution, and the price without causing cognitive burden.” Whoo, good point here. “Where sales is deeply knowledgeable and the onboarding process is a walk in the park with caring people who empathize with the buyer and facilitate their success by addressing complex needs without a lot of fanfare.
Great customer service and experience is the final frontier.” So, these are two beautiful companion quotes to each other. Kim going through and saying, “It’s a giant ball of stress,” and Virginia saying when the vendor comes in or VAR comes in and essentially eases that stress.
Is that how you feel, Jason, on both sides?
[Jason Taule] A hundred percent that’s how I feel. Politics is everything in this job. I don’t know that every organization understands that that’s what the CISO job is. I think many people, boards in particular, liken the job to the defensive coordinator of an American football team, right?
Keep the other team from scoring. That’s good. That’s part of the job. It’s an important part. The CISO that’s going to succeed is really the politician. I’m not a politician, but by that, I mean the role is offensive coordinator as well. Help enable the business.
And in order to do that, you have to have conversations. If the vendors don’t understand that I’m not always the only buyer, typically I have to have an investment commitment from the board, they have to understand what the issue is. That’s all politics, right?
Because we have this thing called risk appetite. How much risk are we willing to tolerate? That’s a conversation. I have to inform the conversation. Here’s what the business wants to do. Here’s the business strategy. There’s an IT strategy to support that.
Here are the risks. Now I have a set of needs that I can partner with my vendors and my VARs to help me solve for.
The other challenge is that many security organizations are, again, not the only buyer. I may be the one to recommend that we address this issue in this priority or even recommend using this solution, but I have a CTO. I’ve got to make sure that person looks at this for fit with our tech stack and fit with the direction.
No point in trying to harden an environment that we’re moving away from, right? This is the proverbial challenge about changing the tire on that moving car. Right now, we’ve got quantum to worry about. We’ve got the advent of AI, not just the inclusion of OT and some of the other recent changes.
We still haven’t figured out where people are working, right? Some people work from home. Some people got asked to come back to the office. We have people relying on internet from home in a hospital. I know what the future’s going to be looking like, but I don’t know exactly what tech we’re going to use.
Am I relying on people using their home internet? All of these challenges, that’s where the CTO and the CIO and the CISO have to come together with the board to say, “What do we want to look like?” And again, the VARs and the vendors who are looking ahead and coming up with good decisions are going to be the ones that can help with that conversation.
Let’s also not forget that the teams that deploy typically aren’t the security team. Most security teams that I know and the ones that I’ve led, it’s my job to help have that conversation with leadership to figure out what we’re going to do. It’s often some other team’s job to implement, and then we, with separation of duties, oversee the implementation to make sure that we’re actually doing what we expect, doing that good governance, getting the results we expect, if not doing a course correction.
What we just said, that’s not a technical problem. I mean, there are technical aspects to it. Politics is a bothersome word. I prefer to say it as a business conversation about business needs and how we can enable that, right? Because if we have the conversation and identify that there’s risks and costs, if business doesn’t like the costs, then we have to iterate and maybe even revise the strategy.
That’s what this is all about.
[David Spark] All right, Eddie, I take this to you. Politics is an ugly term, but I think the way that Jason phrased it at the end is good, is most of your job is dealing with the business. It’s not dealing with the technical dirt, is it?
[Edward Contreras] Yeah, and I’ll use Jason’s phrase, right? The business conversation. If the vendor, the partner that comes in here wants to be a part of that conversation, understand there’s two sides, right? There’s a heads and a tail. There’s Android and there’s iPhone, right?
There’s a way that you’re going to enter this conversation where there’s already a bias. Somebody prefers one versus the other. So, if you want to be a successful vendor in that conversation, understand the complexity of that conversation and say, “Hey, I’m here to help.” I think one of the biggest positives that I typically get from a vendor is when they’re willing to open their customer portfolio to me.
And so, hey, don’t take our word for it. Talk to our customers. We’ll set up a call. We won’t be anywhere near that and let them tell you the good, the bad, and the ugly. And then what we do is typically invite the person that has some of the most constructive feedback.
Hey, you ask the questions of this person who’s gone through this process. So, again, when you’re talking about delivering and being a good partner and having that business conversation, that’s full transparency and that really does level the playing field.
What are we going to do now?
23:19.867
[David Spark] Praneeta D. of Quilr said, “This isn’t just another marketing challenge. It’s a full-on market compression crisis – 4,000 vendors, 10,000 buyers, a few slots a year. No playbook written five years ago can solve today’s math. But here’s the hopeful part.
Chaos rewards the bold. In a saturated market, playing safe guarantees invisibility. It’s the companies that dare to rethink go to market, who build trust faster, create ecosystems, not just customer lists, and who treat relationships as assets…” ooh, that’s a key line, “…that are breaking through.
It’s not just about spending more. It’s about spending smarter, smarter alliances, smarter storytelling, smarter empathy for what CISOs actually need right now, not what we wish they needed. The game has changed. So must the players. And maybe that’s the real opportunity.
Those who adapt fastest will define the next era of cybersecurity leadership.” All right, there’s a lot there, and we’ve heard this about trying to get a job in cybersecurity, and I’ll just sort of boil it down to this – hack the system. Have you seen anyone do that well, Eddie?
[Edward Contreras] Absolutely. Right? And I think what a lot of salespeople need to understand is CISOs are executives, right? You don’t go into that conversation with the mindset of sell now, right? It’s kind of like, if you’re going to buy an exquisite car, there’s a different person looking for that car than somebody who’s looking for their first car ever.
And so, the sales tactics are different. Somebody who’s going to buy a six-figure car versus a five-figure car, they’re going to want to test drive it. They’re going to want to have a conversation. What’s the safety protocols? There’s a lot of different dialogue that occurs with the CISO and with the executive team from a sales perspective that you typically wouldn’t have with a practitioner.
And so, I love this conversation, and that quote is phenomenal, when you think about the relationship as an asset. Invest in that asset. That asset is valuable. There is not only an asset that brings revenue to your company, but that asset can spawn other relationships.
And so, when you talk about know your customer, that’s really where you put your effort towards.
[David Spark] All right, Jason, I throw this to you, the whole concept of hacking the system. Have you seen anyone doing it right? Are you impressed by anyone? And with this being said, anything you say now will all of a sudden, everyone’ll rush to do that kind of a thing.
If you’re giving some specific guidance, you know what I mean? It’s like it ends up being a “hack,” if you will.
[Jason Taule] I don’t think this is unique to selling security products to a CISO. What works is when you have someone who understands the job. Some organizations have field CISOs that help sell, someone who’s walked in that man or woman that they’re trying to sell to, or the person to whom they’re trying to gain attention, they’ve walked in their shoes.
They understand what those challenges are. That’s the person that’s going to succeed, right? They’re not leading with FUD. They’re not sending me unsolicited emails. They know that I don’t need somebody else to tell me what to work on. I’ve been doing this for 40 years.
That’s not to say that that’s true of all CISOs, there are many that are new to the role, and they may have slightly different needs, but typically a seasoned executive got there by earning it. So, they know what they’re doing. Don’t address those issues.
Come to them when they’re ready – to borrow Eddie’s point – if I’m looking for that high-end car, I’m going to walk into the dealership. They don’t have to come to me. Now I’m ready. Now let’s have the conversation. Well, what are you looking for exactly, what are your needs, etc.
So, what frustrates me is when you say you’re doing that, but then you don’t really back it up.
If you understand my industry, I’m in healthcare, among the most heavily regulated sectors there is. You’re selling a tech product. You’re expecting me to install it on my network, a network that’s full of sensitive information and regulations, and you didn’t anticipate that I might ask you some security-related questions about your tech?
That if it has an AI component, I might ask you some questions about how you’re using AI. When you’ve got nothing, the deal’s done. Now, and by the way, the trust that a VAR brings, hopefully they will have vetted that vendor and say, “Not only is this a tech I think you need to know about that fits you, but this vendor also gets it.” I’m looking for them to do a little more of the matchmaking, [Laughter] if this is a dating service, right?
Make sure that this tech not only fits my needs, but the way that vendor operates is right for us. Both of those things have to have that good fit. It’s shocking to me when I hear vendors say, “I’m the first CISO to ever ask them these questions.” Really?
Then that just tells me bye from somebody else, right?
[David Spark] Well, you’re not hitting the right target or the CISOs are depressingly not good at their job. But also, I’m sure you’ve had these situations, quick question to both of you because I remember I used to work in advertising. I would have these people pitch these tech products to me all the time.
And I started to ask some technical questions, and they didn’t bring anyone or at least educate their basic sales staff on really simple stuff. Trust me, I’m not that deep, and I wasn’t going too deep. And they do this line of, “Oh, we’ll have to get our tech guys back to you.” And first of all, in my history of them saying that, no one’s ever gotten back to me ever.
But that really is kind of shooting yourself in the foot. It’s like, well, now I don’t trust you kind of a thing. Have you had these problems?
[Jason Taule] I wouldn’t say it’s a problem. I think it’s a common model because they’re trying to manage their investment. They don’t want to have conversations with unqualified leads or for organizations where they’re talking to somebody that doesn’t have the budget or doesn’t have the authority.
Wait until we get to those to take our valuable technical resource and invite them into the conversation.
[David Spark] You know what? We did an episode of this show talking about how much a salesperson needs to know their product in the marketplace. And the thing is, you got to handle pretty much the basics. Yes, Eddie?
[Edward Contreras] Absolutely, right. I’ll go back again, I love analogies. You know that, David. If you’re buying a house, that person better know where the wood came from, where that tile came from. They better understand the ceiling heights and understand the HVAC system.
Yes, they’re a realtor, but man, you’re about to make a big investment. You better tell me the ins and outs of this house before I want to go any further. And the sales folks, they have to be able to do that. If you’re looking at a five-year commitment, and you’re looking to spend three to four million dollars, I really want to understand how much do you trust your own product?
Because if you haven’t put in the work and you want me to commit that much money, it speaks a lot.
I like what Jason said, right? There’s a lot to come from that investment around knowing the product and coming to the table technical versus coming to the table with knowledge. And the CISOs don’t want the technical folks. That’s absolutely right. But we want knowledge.
And there’s a difference between showcasing your technical guns versus showcasing your knowledge, and it’s really to make sure that the salespeople understand you’re really selling something here that’s going to build a relationship. You’re not just solving a problem.
We’re going to be here together. And if I have an issue, even if it’s not your product that caused the issue or your product that was looking to solve it, if my company has an issue, I want all my vendors calling me, no matter what the issue is.
[Jason Taule] I also think that your need for a technical resource can be deferred if you’re willing to go into a no-cost proof of value, and that makes my decision that much easier. So much of this is not about having the right answer. I don’t even know what that is.
We started with the best answer. I think the real objective is can I defend the answer I came up with for all of the people and all the quotes and all the impact and all the people, having to convince everybody and the risk of getting it all wrong.
Bottom line, help me defend it, and if I can go into a proof of value. As an example, not too long ago, we had multiple vendors offering SOC SIEM solutions.
We did a bake-off, right? Here’s the data. One vendor found more stuff, more anomalous things that the others missed. That’s a no-brainer, right? I mean, what’s the value of finding one attempted hack that somebody else missed? I’m not even going to attempt to quantify that, but by going through that proof of value, particularly when I socialized with the CTO and the CIO and others, what are the success criteria?
Not just from my perspective, but from a broad range of perspectives, the POV proved that it was very easy to go into and now entering into the contractual discussions about pricing and sizing, etc., it’s very easy because we already know that we’re going to be able to get value out of it.
If you’re not willing to do that, that also suggests a lack of confidence, to Eddie’s point, in your own products. And if you have content to give me during the sales cycle, valuable content, don’t put it behind a pay gate. I mean, I’m not saying give me everything, but one or two answers maybe that help lead the conversation.
[David Spark] This goes to a phrase I’ve said many times before. You don’t need to know who looked at your video. You don’t need to know who downloaded your tool. I know you would like it. You would like to know if this is working. You would like to know if it’s doing, but at the same time, when you do that, people will bail.
And here’s what you don’t know is you don’t know the people who didn’t even consider you and bailed. Oh, my God. I put this up on a post a while ago and it was an explosive response, and it had to do with the “Click here to get a demo” rather than just posting a video demo of your product.
I get it. But also at the same time, I hear from vendors, like, “Uh, the way our product works is kind of our special sauce.” But then again, how hard would it be for someone to see a demo of somebody else’s product? That’s a whole other subject altogether.
Closing
32:50.021
[David Spark] All right. There’s some really, really good quotes here, especially some of the ones I mentioned at the end. I’ll start with you, Jason. Which quote was your favorite and why?
[Jason Taule] I liked the quote from Virginia Case. It’s that nasty word “politics,” and I probably wouldn’t use that word, but she’s spot on. Here is someone who knows what it is to be a CISO. And that’s what I said. You’re going to be more effective if you understand what it’s like to walk in my shoes.
I don’t know if she’s recently accepted the title of CISO. There are many people that do.
[David Spark] She’s a consultant and we’ve hired her. She’s actually really smart about branding and marketing.
[Jason Taule] Absolutely. I mean, that’s the bottom line. She understands what the job is. And if you don’t, how are you going to be able to anticipate the questions that that person has? And what I want you to do is do my homework for me, right? If you have not only the marketing collateral that says, “Here are the AI questions you’re going to have so that you can check that box and satisfy certain regulatory requirements.” Is there a displacement strategy, right?
If I buy your product, are there existing products that I no longer need? You should know that, and you should be able to help me with that. That’s what I’m saying when I say walk a mile in my shoes, and that’s why I like that quote from her.
[David Spark] All right, Eddie, your favorite quote. I know you like Virginia’s quote too.
[Edward Contreras] Virginia’s is a phenomenal quote, but I will pick Praneeta’s quote. And it is about the relationships being an asset, and maybe this is more of a life lesson or a professional lesson and not just about the vendor lesson, but every relationship is about an asset, right?
There’s some value there. I look at assets as values. And so, being able to invest in those relationships is key. They pay dividends. And so, it’s not just about selling. It’s about maintaining and it’s about just expansions. And so, when I look at those relationships, not only will it do well in your sales career, it will do well in your professional career.
So, invest in those relationships.
[Jason Taule] If I might, one last point to speak praises to Virginia again. The biggest challenge that the CISO has is people. It’s not the tech. And even if it’s the best change in the world, people don’t like to change. I’ve been doing it this way.
And unfortunately, that’s much of the job. It’s changing culture. I often paralleled the job that Moses had getting the Israelites through the desert. There’s a reason it took 40 years, right? Hopefully, our cultural change won’t take quite as long, but what we have to do is live the guinea pig life of whatever tech change we’re going to make so that we can give good assurances that this is not going to have an undue impact.
It’s not going to hamper our business and our people’s ability to do their job or in my case, provide better care for our patients. In order to strike the proper balance, that requires that partnership. We will obviously have to accommodate certain variances, but I need to make sure I’m giving leadership and a management team, I think she says, explain the pain.
Yeah, there will be pain. There’s going to be pain associated with any kind of change, but it’s not undue. It’s manageable.
[David Spark] All right. That brings us to the very end of the show. Huge thanks to my guests. That would be Jason Taule, who is the CISO over at Luminis Health, and my co-host Eddie Contreras, who’s the CISO over at Frost Bank. But also, as much as I love you guys, I have the big thanks to our sponsor, and that would be Doppel.
Remember, go to Doppel. Social engineering attacks, they’re confusing. They’re complicated. Doppel can help you with that. Go check out their website doppel.com. Thank you very much. Thank you, Jason. Thank you, Eddie. And thank you to our audience.
We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.