A majority of surveyed CISOs said that when shopping for cybersecurity vendor solutions, they value input from their peers first and foremost – more than analyst reports, vendor content or any other source of information, according to newly published research.
A joint project of communications agency Merritt Group and Tech Exec Networks (T.E.N.), the survey also identified some of the best and worst practices when security vendors pitch their products to CISOs. Twenty-eight percent of CISOs said that receiving a phone call from an uninformed sales rep destroys any chance of building a business relationship, while approximately 34 percent said that vendors that strive to understand a company’s unique pain points stand a better chance of success. (All percentages are rounded.)
Despite its small sample size (53 participants), the survey inspired SC Media to reach out to its own industry contacts to elicit their perspectives. As it turns out, they share many of the same sentiments as those polled in the survey, the findings of which appear in Merritt Group’s official report, "Marketing and Selling to the CISO," 2020 edition.
Among the CISOs who participated in the survey, 64 percent said they rely on their colleagues as their main source of information pertaining to security products and vendors. The next most popular sources were conferences and events (13 percent); industry analyst reports (nine percent); and vendor content including webcasts and podcasts (eight percent).
“Trusted word of mouth reigns supreme,” agreed Mark Eggleston, VP, chief information security and privacy officer at Health Partners Plans, who said he chiefly relies on “trusted CISO or architects” for vendor advice. “CISOs are incredibly busy, and having trusted thought leaders distill pros and cons of any solution via practical experience is pure gold,” he added.
On the other hand, "Events, analysts, webinars, podcasts are all paid for and get lost in the noise of what is valuable or not," said Caleb Sima, VP of security at Databricks.
Sima said he discusses the vendor landscape "almost weekly via CISO Slack groups.” Other good forums for reaching out to peers, according to Eggleston, are conferences, sponsored meetups, organized dinners, and even LinkedIn “if you do a great job cultivating your network.”
Neil Daswani, co-director of the Stanford Advanced Security Program at Stanford University, and a former CISO at Symantec, said peer recommendations can be a major time-saver.
“If a security vendor has helped one CISO achieve success with mitigating risk, chances are they will be able to help other CISOs in similar vertical industries with mitigating risks,” said Daswani. “There is a class of early adopter CISOs that lead the pack in their field and try out new solutions first, which other CISOs may emulate and follow based on peer consultation.”
Gerald Beuchelt, CISO at LogMeIn, agreed that hearing from peers with “actual hands-on experience” with a particular solution “is tremendously valuable and cannot be replaced with even a very comprehensive test or proof-of-concept,” often because technical evaluations like these can’t always “address the many edge cases that present themselves in real-world environments.”
“In addition, actual practitioners also have a much better sense of issues that are not necessarily directly related to the features or performance of the technology, including actual vendor support performance, user acceptance, or other secondary and tertiary concerns,” Beuchelt continued.
When looking to be educated on industry trends, industry colleagues are again highly valued: 43 percent of surveyed CISOs ranked peer exchange as their top source of such information, while 28 percent said they read research reports and 13 percent said they turn to videos and webinars, reported Merritt Group.
Analyst reports: flawed, but still helpful
The report recommends that vendors avoid investing in industry analyst reports, noting that CISOs seem to be particularly skeptical of them because solution providers sometimes pay for inclusion. “This system has hurt the credibility of industry analyst reports, and thus the impact they have on CISO purchasing behavior,” the report says.
However, here the CISOs who spoke with SC Media somewhat disagreed.
"True, beware of pay-to-play organizations. However, don’t entirely discount them,” said Eggleston. “Just ascertain the source’s angle first prior to listening to their sell. They’ll know you are not a pushover. Another tip is to ask: ‘How do you make your money?’ That answer right there will tell you if they are swaying you to benefit themselves, not you."
Sima called analyst reports "a necessary evil” that can prove useful. “If I don't know who the players are in the space, I can use them to get a good idea of where to start and roughly the top players," he said. "If you're an org that depends on purchasing 'safe' vendors then this is good. If you want to be cutting edge and see beyond the horizon, they are not useful."
On the other hand, Eggleston said that any “white paper is typically vendor-sponsored garbage… They’ve really gotten a bad name. CISOs see right through that, and when I get a call for a free white paper via phone, my usual response is to hang up the phone.”
In the report, CISOs expressed certain content format preferences when a vendor is supplying the marketing materials. Among the survey respondents, the top choice of vendor content format was roundtable events and dinners (38 percent), followed by webinars (15 percent), white papers and ebooks (15 percent) and case studies (13 percent).
Only four percent said they chiefly rely on vendor marketing collateral such as sales sheets and brochures. But there are steps vendors could take to improve their credibility, according to the CISOs who spoke with SC Media.
“…[G]ood vendors can conduct scientific, data-driven studies that speak to their advantages,” said Daswani. “Any vendor will, of course, stress their advantages. If they can do so with data, that is an important part of the story. But only part of the story. If vendors can be open about what are their products’ trade-offs as compared to their competitors, they can present a balanced instead of a biased story.”
“Advertising, marketing, pay-to-play analyst reports, and similar material can be a helpful facet of evaluating a product or a solution,” said Beuchelt. “This is particularly true when these materials are focused on providing context and content and do not focus on ‘high-gloss features’ or buzzwords.”
“Interestingly enough, actual product manuals are often most useful for me to actually gauge capabilities and usability of a product. But it is very important to put things into perspective and make sure that other more balanced or even negative sources are also taken into consideration,” Beuchelt continued.
But what Daswani would really like to see more of often isn’t available: “I do believe it is important to have more objective, scientific studies [of cyber solutions] to be done by labs, universities, and consultants in order for our field to advance,” he said. “Security vendors should eliminate clauses in their contracts that prevent customers and others from doing objective evaluations and publishing the results. Can you imagine what the airline or pharmaceutical industries would be like if solutions could not be effectively evaluated by contract?”
How vendors can make a good or bad impression
The surveyed CISOs also shed light on what vendor behaviors can potentially help seal a deal or damage a relationship. In addition to understanding and addressing companies’ specific pain points, the execs also said they valued when vendors avoid using FUD (fear, uncertainty and doubt) in their pitches (26 percent) and when they lead with user case studies that are relevant to their organizations (23 percent).
The top three turn-offs were excessive email marketing (30 percent), cold calling (25 percent) and attempting to circumvent the CISO and speak with a higher-level executive (19 percent).
(The CISOs whom SC Media spoke with also shared some of their own favorite vendor practices and turnoffs. See here for more details.)
But are solution providers listening, and are they adjusting their marketing strategies in accordance with CISOs’ preferences?
Mark Nunnikhoven, VP of cloud research at Trend Micro, said he agrees that CISOs “don’t have extra time on their hands and classic vendor pitches are a waste of their time. This is why peer advice is so valuable. It’s honest, open, and concise. CISOs need no-bull, technical information.”
“This necessitates a shift in how you market to CISOs,” Nunnikhoven continued. “It’s not so much marketing as education of where vendors’ products would be a good fit and where they aren’t. Vendors need to have honest conversations with CISOs and be honest about their offers’ strengths and weaknesses as concisely as possible.”
Nunnikhoven thinks vendors' technical blogs can be a useful communications tool for CISOs to reference. “It shows the needed expertise in a security area, is easily searchable, and leads with the most important part: the problem the CISO is facing and possible solutions for it,” he said.
Corey Nachreiner, CTO at WatchGuard Technologies, said the report “seems to capture the resources an average CISO would value,” but he believes some of the survey responses may have differed if the researchers had expanded their pool of respondents beyond merely CISOs.
“First, CISOs are usually only found at enterprises or upper midmarket organizations, so this report doesn’t really cover what sources other security-focused buyers might value,” said Nachreiner. “And there are more technical, less business-focused security professional personas, both on the CISO’s team and throughout an organization, that can have influence on buying decisions that would have slightly different attributes. For instance, security analysts or incident handlers reporting to a CISO might find more value in sources like podcasts, social media, and subject matter forums.”
“Furthermore, because of its enterprise focus, the report also misses the SMB dynamic where MSPs and MSSPs serve as trusted third-party advisors for security buyers in non-enterprise organizations. And if the report went even further down the decision-making stack, the results would likely differ more significantly. As a CISO myself, I tend to value ebooks, technical papers, and feedback from my team and colleagues more than anything else.”