All security startups will tell you they talk to potential customers. The problem is that you limit your development when you only talk to CISOs who might buy. It’s not the same guidance you’ll get from a CISO who advises.
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Edward Contreras, senior EVP and CISO, Frost Bank. Joining us is Steve Jensen, CISO, University of Maine System.
Join the conversation on LinkedIn
Huge thanks to our episode sponsor, Material

Full Transcript
Intro
0:00.000
[David Spark] All security startups will tell you they talk to potential customers. The problem is that you limit your development if you only talk to CISOs who might buy. It’s not the same guidance you’ll get if you talk to a CISO who actually advises.
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series. And joining me as my co-host for this episode, it’s Eddie Contreras, senior EVP and CISO over at Frost Bank. Eddie, say hello to our audience.
[Edward Contreras] Hello, audience, and thank you, David, for having me back.
[David Spark] We love having you back. Our sponsor for today’s episode is Material Security, protecting your company’s most valuable materials. That would be the emails, the files, the accounts that live in your Google Workspace and Microsoft 365 cloud offices.
If that describes you and your environment, then you are going to want to listen to what I have to say a little bit later in the show. Let’s get to today’s topic, Eddie. Cybersecurity startup founders can have a blind spot. They often build from their own experiences, but without having a CISO on board as an advisor, they often don’t get the brutal advice about the industry that they need.
You need people to kind of push back. “The startups that win do not build in isolation,” said Val Tsanev of CyberRisk Alliance, who posed this discussion on LinkedIn about advisors and the need to look beyond customers. First, Eddie, do you agree? Have you ever advised startups?
And why do you see this as essential, if you do?
[Edward Contreras] It’s a great comment if you think about how to unpack that, and most likely it’s relevant across not only startups, but operational departments as well. If you do anything in a silo, you’re going to have challenges. You’re going to have an opaque view of something.
You’re going to look at it as perfection until you get that one person who wasn’t a part of the design process. And all of a sudden, they bring in a whole new lens. And then all of a sudden, the conversation just sways away. So, absolutely. But as a CISO, to your question, you have to do this.
This is part of the job. You’re not only protecting your company, but you have an opportunity to influence your technology partners. So, absolutely advisory work is something that’s essential.
[David Spark] Have you ever done any yourself?
[Edward Contreras] Absolutely. Absolutely.
[David Spark] And have you run into these startup founders that only focus on the customer and you’re like, “Guys, you’re missing something”?
[Edward Contreras] You have a lot of private conversations to say, “Hey, let’s go off the record here real quick, and we’re going to hurt some feelings because I’m about to say something bad about your baby.”
[Laughter]
[David Spark] Yes. That is an interesting way to take it. All right. We’re going to jump into this conversation right now. Thrilled to have our guest on, first-time guest with the CISO Series, with the University of Maine system, the CISO over there.
None other than Steve Jensen. Steve, thank you so much for joining us.
[Steve Jensen] Thank you, David. It’s such a pleasure to be here.
What’s most important?
3:02.447
[David Spark] Jon G. Shende of Thales Cybersecurity Products said, “Every product company has brilliant engineers and technical savants. The real question is with all that expertise building products, how many of said product geniuses have spent time in end-to-end architecture, build, and security design from Edge to apps to cloud and now AI.
Do you know what’s top of mind with CISOs, CTOs, CIOs, GRC, IT Audit, Legal when it comes to security and how to build cohesive messaging and measurable outcomes?”
And Marielle Palm of BC said, “Building in a bubble is the silent killer. Real validation isn’t just talking. It’s brutal, unfiltered, and in the room with the people who’ll buy. If your advisors aren’t challenging you, you’re just confirming your bias.
That’s a real risk.” I love the end of that quote right there. I mean, if you have an advisor that just says, “Yes, you’re doing everything right,” why do you have that advisor? Right, Eddie? [Laughter]
[Edward Contreras] Yeah. I mean, Marielle hits the nail on the head here. You want constructive criticism. You want to challenge the status quo. You want to force somebody to think differently. If everybody just comes in and says, “Great product,” really what you just have is a chorus.
But what you want is somebody to challenge every thought process that goes into your product, challenge the user interface, challenge the integration system, the backend. Even just challenge how it operates, right? Is it sitting on the right operating system?
And you have a chance also to challenge your pricing model. Hey, let me challenge everything to make you rethink. And through that challenge, you’re not asking them to change everything. It’s either confirm or it’s an opportunity to adjust. So, challenge just strikes…
It’s the start of the conversation.
[David Spark] Excellent point. All right, Steve, I throw this to you. The reason you’re advising a startup group is because you like what they’re doing. But even when you like everything somebody’s doing, there can still be holes. And it’s really the job to find those holes, even if you don’t know what they are right away.
Yes?
[Steve Jensen] Yeah, I agree. My thought about this is that it’s really about the danger of building in an echo chamber. In security, it’s very easy to build something that’s technically elegant and operationally unrealistic in its application. A lot of products created by really smart engineers solve specific technical problems, but they haven’t really lived through the life cycle of deploying, maintaining, and defending a product in a production environment.
When you’ve actually run a security program like I have in different industries, you realize that technology is only part of the equation. You’re dealing with budgets, staffing constraints, integration challenges, executive expectations, sometimes even politics in the organization.
Another part which maybe was overlooked is that some startups often overlook their own internal security posture. A CISO advisor isn’t just helping shape the product features, they’re also looking at how the company handles customer data, how access is managed internally, how logs are retained, secrets stored, and what happens when a customer asks for things like a security review.
I’ve personally seen and had deals in security lost based on how mature the vendor looks during a security assessment. So, having that CISO involvement early helps ensure that the company itself is built in a secure, trustworthy way, not just their product.
What are they looking for?
6:23.525
[David Spark] Aviv Nahum said, “Hard disagree. Only customers matter. People who don’t deploy, don’t buy, and don’t feel the pain don’t shape winning products. And advisors don’t and won’t do any of these things. Won’t deploy because of conflicts, etc.
Revenue is the only feedback loop that actually forces truth.” And Luigi Lenguito of BforeAI said, “I still think closing sales is a much better indicator to be on the right track. And at Seed, one should already have sensible ARR/revenue. My experience with advisors is too variable.
Until the procurement team enters the picture, I’m not sure any ‘indication to buy’ truly matters.” By the way, I agree with that right there. “Still, what you suggest is better than hoping something will stick after having been in a coding tunnel for one year.”
All right. This is an interesting thing because there is a lot of truth to all that matters is when they actually purchase, not saying, “Oh, yeah, I’d buy that when…” Eh, maybe they wouldn’t. But at the same time, you look at the true innovators out there.
You look at the Henry Ford thing. You ask people what they want, they’d say faster horses. And same thing with Steve Jobs and the iPhone. So, sometimes your customers don’t know and they’re not always right because they just are not innovators. And this wouldn’t hold true for innovation, would it, Steve?
[Steve Jensen] These both highlight a tension that most security startups eventually run into. On one side, you have advisors giving strategic or operational guidance. On the other, you have customers who are actually buying. Revenue, like they mentioned, is absolutely a powerful signal, because if people are willing to pay for something, it means it’s solving at least part of a problem.
But revenue itself doesn’t always mean the product is successful long term. For example, sometimes tools are brought in just to check a box for compliance reasons. To me, the stronger signal is what happens after the sale. Do customers expand their use?
Do they renew? Do they advocate for the product internally or even externally in their peer groups? That’s where you see whether it truly fits into operations.
Advisors, especially CISOs, they can help interpret those signals. They can say, “Yes, you closed the deal, but here’s where you struggle at scale. This feature becomes a major pain point once you have like 100 customers instead of 10.” In many cases, the distinction between advisor and customer isn’t even that clean.
The best advisors are often the same people who later become customers. Like a CISO might even start giving feedback in an advisory capacity, help shape the product and eventually bring it into their own environment once it matures. So, it’s not always advisors versus revenue in my mind.
Sometimes your advisors are your future revenue because they trust the product, have helped shape it into something that they would actually want to deploy. I think the healthiest companies listen to both and customers provide the validation. Advisors help prevent strategic blind spots that could only show up later.
[David Spark] All right, Eddie, customers, sales, it’s all that matters. Well, it’s a lot of what matters, I’m not going to argue that. Given what you’re building, you can’t just look at that, can you?
[Edward Contreras] You can’t. And I think the hard part about this conversation, even though I love the statement, “Hard disagree,” because it forces you to look at this statement, right?
[David Spark] Mm-hmm. By the way, that is a good way of getting people to pay attention to you.
[Edward Contreras] Oh, it’s energized. It’s clickbait. I’ll click on it three times a day. I look at that statement. And when you’re an executive, when you’re being brought into a company, one of those first questions you have to ask is what am I here for?
What’s the organization’s goal? Are you looking at mergers and acquisitions? Are you looking to sell off right after seed funding? Are you looking for longevity? Because all of that plays into it. If you’re just trying to balloon your valuation, revenue’s all that matters, right?
It’s like, “Hey, let’s get the number out there.”
But if you’re looking for longevity, if you’re saying, “I want to have a 10-year ecosystem here, I want to have a marketplace,” what Steve said is spot on. Then all of a sudden, revenue doesn’t matter as much. It’s expansion and renewals that matter.
Now you’re thinking, “Wait a minute, do I have stickiness?” And so, I think that’s a conversation that you can’t just look at it at face value and make a determination. You have to understand the direction of the company, the organization, and you have to align.
You’re brought in for a reason. If you’re brought in to advise, what’s the purpose of the company? You have to know that.
Sponsor – Material Security
10:48.256
[David Spark] Now, before I go any further, let me tell you about Material Security. Remember I told you, if you have Office 365 or you’ve got a Google Workspace environment, you’re going to want to pay attention. For the last few decades, email security has meant bolting a gateway on and hoping it caught everything coming in.
But today’s CISOs know that’s not enough. The threats aren’t just coming through the front door anymore. They’re living in your drive, your third-party OAuth grants, and your historical mailboxes.
I mean, think about it. Your history lives in all that’s stored in your mailbox. Pure-play email security charges a premium solely to guard the perimeter. If you want to protect files, monitor risky OAuth access, or monitor account takeovers, it’s another product, another portal, another contract, another headache.
Material Security takes a very different approach. They built a platform that treats your cloud workspace as a single unit. They secure the email, the files, and the accounts. Not as separate silos, but as the connected ecosystems they are.
Now, the best part of all this, it actually costs less than the legacy gateway you’re currently paying for. One price for everything. No hidden extras for data discovery or identity protection. It’s security that works at a price that makes sense. So, stop paying for a gateway and start protecting the workspace.
You can see how it’s done at material.security. Go check them out. And when you see them, let them know you heard about them from the CISO Series.
I didn’t think of these options.
12:25.951
[David Spark] Anton Chuvakin who’s the host of the Google Cloud Podcast said, “It is hard. The founder thinks they built based on a valid experience.” And let me pause Anton’s quote here. The number of founders I’ve met who discovered the problem on the job, left, and started a company because of it – very numerous.
That’s like most of the stories out there. All right. But going back to Anton’s comment, “And it is valid, but valid at Google does not mean valid at a 4,000-person agricultural equipment maker in the Midwest.”
Nrupak S. of Coles said, “I agree. Security implementation challenges are about making it easy for non-cybersecurity users to adopt cybersecurity capabilities offered by a product, directly or indirectly, easily.”
Eddie, we had at a live show a question from a vendor who said, “How do you sell when every buyer thinks they’re a special snowflake?” And it’s something you have to think about when you’re selling your product because everyone’s going to say, “Well, we’re not like them. We’re different.” Doesn’t everyone feel that way?
[Edward Contreras] Yeah. And I applaud the sales folks out there, right? That industry, they take a lot of bad rep. It’s a bad rep industry. They take a lot of no’s to get to that yes. And so, kudos to them for doing what they do. These two quotes, they’re great quotes.
I love the fact that you can look at this and understand not everything’s meant for everybody. If you think of the concept of an EV car, what a great concept. Who wouldn’t want to be in an EV car? Who wouldn’t want to not have to spend money on gasoline or oil changes?
Well, do you live in an apartment that doesn’t have EV chargers? Does your workplace not have EV chargers for you to fill up? Does it mean you have to spend an hour a day or an hour a week in a location that’s 30 miles away from home? It’s just not for everybody.
And so, I think you look at these security tools very similarly, and I love that analogy. What works at Google may not work everywhere. And I often have that conversation with our team. Don’t always look at the top right quadrant of Gartner. It’s a phenomenal quadrant, but not everybody plays in that spot, and you have to look at our system to understand what’s appropriate for us.
[David Spark] And we’ve talked about this, too. As a buyer, the “market leader” may not be appropriate for you at all. All right. I throw this to you, Steve. This is just really interesting about understanding you could interview 10 different people and say, “Look, I interviewed 10 different people in 10 different markets.
I think I understand the space.” And the problem is you got to interview another 100 more, don’t you?
[Steve Jensen] Yeah, I agree that you do. I think one of the biggest gaps in security is between perception and reality. A lot of vendors assume CISOs are always looking for the most advanced, the most sophisticated, the most innovative solution, but in practice, most are just looking for things that are dependable, understandable, operationally sustainable.
The threats that we deal with every day are often very simple. It’s still phishing, credential theft, misconfigurations, unmonitored systems. They drive the majority of incidents. So, tools that help the most are the ones that reduce the noise, save time, integrate cleanly into workflows.
And a good example of that is where we’re heading is around GenAI. Organizations are increasingly worried about sensitive data being pasted into ChatGPT, other browser-based AI assistants. We’re starting to see more practical controls emerge.
For example, I know the CISO over at Concentric AI, and they told me they acquired a company that extended browser-based data loss prevention into GenAI tools. It’s something, real impact in an environment. Instead of trying to block AI outright, the platform can monitor what’s being sent through the browser to detect risky behavior and automatically mask it, redact it, block sensitive data.
That’s a great example of hiring like an industry CISO into the fold for strategic advisory but also having the view of a buyer because he had prior industry experience. It’s also a great example of how security meets users where they already are instead of forcing them into unrealistic workflows, trying to ban tools that they’re going to use anyway.
CISOs aren’t really rewarded for the most impressive architecture diagram. They’re rewarded for keeping the organization out of the headlines, enabling businesses to run safely. The products that tend to succeed are the ones that respect the reality of small teams, limited budgets, operational complexity.
They solve a real problem without creating many more new ones. So, that sample of interviews has to be quite broad and you have to make sure that you’re addressing real problems.
Would this work?
16:59.285
[David Spark] Anatoly Chikanov of Primary Ventures said, “Target a slightly different set for advisors. Your VP of security/directors can often be great advisors because they are actually closer to the reality of running XYZ products in production versus the CISOs.
The level of product input/advice, there will be more technically targeted in that case from the product side.” This would be the VP of security/directors. “Now CISOs can help with the logos, getting the big names and intros, but you also need some closer leadership practitioners to help balance that out with some technical acumen.” I mean, one of the things I hear, Steve, from CISOs is they’re communicating with the business all the time, that’s their job, but they kind of like miss being in the trenches and playing along with everybody else.
I mean, have you experienced this yourself?
[Steve Jensen] Yes, I have. It depends on the company and the level of the CISO in the organization, but I really like these two quotes. I think that they’re very practical and it’s a good realistic angle. It takes us a little bit away from, hey, just having CISO advisory, to what do we really need as a startup?
CISOs operate at that strategic level. We’re thinking risk, budget, regulatory exposure, and how the tool fits into an overall program, but the directors and VPs are living more of the operational reality every day. They’re the ones dealing with broken integrations, alert fatigue, deployment friction, and all the little things that determine whether a tool becomes critical infrastructure or just another unused license.
They’re usually the ones that know what slows a team down. They know what gets bypassed and what makes their lives a lot easier.
So, if a startup only talks to CISOs, they may get strategic guidance, but they may miss the practical details that determine whether the product succeeds in production. And the strongest advisory group, in my mind, may need both. And I would assume they would anyway in most startups because CISOs really understand the buying process and risk priorities, but the operational leaders understand how tools behave once they’re actually deployed.
[David Spark] That’s an interesting point because so many startups go into the market thinking like greenfield, not realizing you’re joining a club of a bunch of other tools. Like are you going to play well with everybody else? Eddie, you’ve run into this?
[Edward Contreras] I have. I’m going to do something that I rarely do here, but I’m going to have to quote the globally famous Aviv Nahum, which was referenced earlier.
[David Spark] Go right ahead. He’s now globally famous.
[Edward Contreras] Globally famous. “I have a hard disagree here. I have a hard disagree here.” And here’s why. I think when you talk to plant owners, cost center owners, their job is to maintain cost. And one of the number one things every company I’ve been a part of, you talk about tool sprawl and how you started this show off, what happens when you build in a silo?
Ultimately, the CISO’s going to make the call. Is my budget bloated? Do I have too much? Which ones work well together? Those are the conversations you’re having.
And I agree with Steve. Everybody plays a role here. But if you’re truly looking for an advisor to help guide the product, you need to talk to the executive team because they’re the ones ultimately that are going to make those decisions. Now, I will let my directors bring in a tool, but the long-lived tools, the ones that we have long-term partnerships, I’m putting that stamp on that, right?
I’m making sure, hey, they’re working in our environment. They work well in our ecosystem. And I will share with those companies, “Here’s why I made that decision.” You know what it was? You focus too much on one person and that person may not have realized, oh, I have a partner in the mid-range area, in the Unix team, on the Windows team, on the customer service desk.
They’re focusing too much on how do I get the most use out of this tool and maybe not so much on who are my customers, which may be internal to the organization. So this is where I do truly think you need an executive advisory team to help you understand how to be sticky in a corporation and have that longevity.
So, yeah, I have to quote our globally famous quote here.
[David Spark] I would just think of this, when a CISO comes into a company and there’s already a series of tools in operation, get the sense they’re your stepkids. You got to kind of love them for what they are. They’re there, but you’re going to bring in your own tools.
Those are going to be your kids, right?
[Edward Contreras] Every stepchild is crying right now.
[Laughter]
[David Spark] And the reason I bring this up is that every time I’ve seen a post online on LinkedIn about, “Hey, if you had a greenfield situation where you’re walking in, you could develop your own program,” I mean, it always gets an explosive response, and I think this is like fantasy camp for CISOs.
You mean I get to build my own program every single tool I want?
[Edward Contreras] You don’t always get that. There’s opportunities and you might have a greenfield platform, but not typically a program. So, you’re going to have these tools. And again, to the owners out there, these companies, talk to people, talk to leaders.
And again, referring to Steve, you kind of need everybody in your ecosystem to give feedback, but don’t make decisions on some of the lower-level areas, not because they’re not warranted, but they’re going to make your product better. But again, if your focus is longevity, stickiness, if your focus is on renewals and extensions, you have to understand what are CISOs signing for?
When are they putting their name on that X?
[David Spark] So, Steve, I’m going to let you have the closing comment here, and that is your advice for startups, where do they need to be challenged?
[Steve Jensen] I feel that the biggest challenge is around priority and deployability versus reality. They tend to build these elegant solutions to problems they personally experienced, but that doesn’t mean that it’s in the top five issues for most CISOs. Advisors should be pushing on questions like, is it actually urgent?
Will it survive real enterprise deployment? Would the company pass a security review from a large customer? These are the kinds of areas where uncomfortable feedback early can save a startup millions in wasted development. The strange part of the startup universe is that the most dangerous sentence is, “This totally makes sense to me.” Reality has a habit of disagreeing, and good advisors are just professionally paid reality checks.
Closing
23:00.964
[David Spark] Well, that brings us to the very tail end of the show, where I ask both of you which quote was your favorite and why? And being that you’re the guest, Steve, I go to you first, which quote was your favorite and why?
[Steve Jensen] My favorite one is absolutely the one about building in a bubble. It’s brutal advisor feedback.
[David Spark] That’s Marielle Palm. Yeah, go ahead.
[Steve Jensen] It’s simple. It’s exactly right. In security, the polite feedback usually keeps you comfortable, but the brutal feedback keeps you alive. So, if any experienced CISO says, “Don’t build that,” it’s not negativity, it’s pattern recognition, and they’re trying to save you from spending 18 months solving problem number 47 on the priority list.
And those uncomfortable conversations are often the difference between a startup that can pivot early and one that runs out of runway.
[David Spark] All right. Very good. All right. I’m going to assume your favorite quote is Aviv Nahum, Eddie, or is it a different one?
[Edward Contreras] [Laughter] It’s a different one, but you can set it up that way too.
[Laughter]
[David Spark] Which quote is your favorite?
[Edward Contreras] Everybody’s going to assume it’s Aviv, and while I appreciate his honesty there, and he’s now been referenced as a global influencer on LinkedIn, mine is Anton.
[David Spark] Oh, Anton Chuvakin with the Google Cloud Podcast.
[Edward Contreras] When you think about what Anton said there, you have to look at that and personalize it. Not everything’s for everybody. And if security was easy, there’d be a whole different industry here. It takes years of practice, and so does getting to the executive level.
And so, don’t just do what you did at your last company and don’t do what other companies do. Do what’s right for your own company. So, you do have to really put some retrospective on it and internalize what’s best for my company. I love Anton’s quote.
[David Spark] Awesome. Well, that brings us to the tail end of the show. Thank you so much, Steve and Eddie. I want to thank our sponsor, and that would be Material Security. Remember, protecting your company’s most valuable materials, the emails, the files, and accounts that live in your Google Workspace and Microsoft 365 Cloud offices.
Remember, go to their website. That’s material.security. Let them know you found out about them through the CISO Series. Eddie, as always, thank you very much for helping us out on this episode. But Steve, any last words you’d like to say? And the question I always like to ask, are you hiring there at the University of Maine system?
[Steve Jensen] Yes, we are hiring. You can check out the Career site at the UMS Maine website. And just to shout out to the UMS Maine and all the campuses’ fine university schools for the state of Maine.
[David Spark] And that brings us to the tail end of the show. You can also find Steve’s LinkedIn profile on the blog post for this very episode, and you can contact him directly. Tell him how much you loved him here on Defense in Depth. That’s a good way to butter him up when you then ask him about jobs at the University of Maine system.
Thank you as always, people. I’m no longer going to go into the earnest voice. I started doing that, going into the earnest voice. I’m not doing that anymore. I’m just saying it straight up. I do appreciate you contributing, and I do appreciate you listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.