Hundreds of cybersecurity companies compete for attention from chief information security officers through email solicitations, cold calls and tech conferences.
Here are five strategies corporate security chiefs use to weed out unsuitable cyber providers.
“As a CISO, the deluge of marketing and solicitation from cybersecurity startups was intense,” said Jerry Perullo, a cybersecurity management consultant who was CISO of New York Stock Exchange owner Intercontinental Exchange Inc. for 20 years until leaving the post in 2021. At one point, he counted all the emails that had been blocked by filters he had set up to find he received more than 120 solicitations a day.
He had a category defined in his filtering tools for these types of messages, which his company dubbed “UCE,” or “unsolicited commercial email.” Since these emails weren’t malicious and often dealt with relevant topics, fine-tuning the filtering system was important, Mr. Perullo said. One trick was to block any email he received with the word “whitepaper” in the subject, he said.
Anne Marie Zettlemoyer, chief security officer for Palo Alto, Calif.-based CyCognito Ltd., which provides cyber-risk-assessment tools, said she is more inclined to read emails with a warm introduction, or those from vendor representatives who follow up based on the interest she has expressed. Certain emails she deletes almost immediately.
As vice president of security engineering at Mastercard Inc. until earlier this summer, she got many generic emails aimed broadly at financial-services executives, with some that addressed her as “Dear Buyer.” Other automatic turnoffs were vendor agents who sent calendar invitations without having spoken to her and those who called her on a nonwork number.
Pursue versus being pursued
CISOs often prefer to be in the driver’s seat when it comes to finding vendors. For Ryan Heckman, assistant director of identity and access management governance at Principal Financial Group Inc., vendor selection is a continuous process to ensure his team’s capabilities align with the ever-changing threat landscape. Mr. Heckman was until late July cybersecurity manager at Iowa-based convenience store chain Casey’s General Stores Inc. He recalled that during a recent evaluation of capabilities and needs at Casey’s, he wanted to get a handle on industry products that could be useful add-ons for the company, so he did some window shopping at last summer’s Black Hat USA conference. By talking to vendors about the company’s requirements, he was able to narrow it down to about a half-dozen options that he could then research on his own and run by peers.
In the following months, Mr. Heckman’s team of cyber specialists tested various platforms and assessed each against the known attack vectors at the time. Some products were found to affect the end-user experience and were quickly eliminated. Others performed well, requiring additional comparison of integration and administrative overhead to narrow the field, he said. This hands-on approach, coupled with open-forum peer discussion with others in retail, led to the final product selection, Mr. Heckman said.
Ellen Benaim, CISO at Templafy ApS, a Denmark-based cloud content-management platform, was bombarded with emails after the Log4j bug emerged late last year. She waited to respond until about two weeks later, when she had secured the budget and resources to investigate vendors. In the meantime, Ms. Benaim said, the company addressed its Log4j vulnerabilities on its own, and started looking for a supplemental tool.
Her vendor research included using CISO forums. One fellow CISO who used an open-source vulnerability-scanning tool demonstrated it for her and discussed hiccups the company had experienced with a different solution they used to work with. “That type of experience is invaluable,” she said. Templafy has since implemented the tool demonstrated by the other CISO.
Partners, not transactions
Once they narrow the pool to one or two contenders, security chiefs said the final vetting process considers factors such as price and the ability to customize services and tools, plus the vendor’s own security practices and financial soundness. Vendors that make the cut are often willing to adapt to fit a customer’s needs, said Chris Castaldo, CISO at Philadelphia-based tech company Crossbeam Inc., which helps companies find new business partners and customers.
“You can tell when someone is really passionate about making your problem their problem to solve,” he said.
One way to weed out vendors is to discount those that come off as cagey, don’t provide information requested or are just plain sloppy, Ms. Zettlemoyer said. It’s important for vendors to understand what a customer wants and avoid careless mistakes, she said. One vendor didn’t personalize a pitch, showing her materials prepared for another company. “It sounds basic, but [some] vendors miss the mark,” she said. “With security, there are 3,000 vendors and nobody is really irreplaceable.”
Write to Cheryl Winokur Munk at firstname.lastname@example.org
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.