CyberWire Daily – CISO Perspectives: Why is the Vendor Role So Contentious in the Cyber Ecosystem?
Host: Kim Jones (N2K Networks)
Date: March 27, 2026
Episode Overview
In this unlocked episode of CISO Perspectives, host Kim Jones dives deep into a critical and often fraught topic: the role of vendors within the cybersecurity ecosystem and the persistent tension between CISOs and security vendors. Drawing on personal experience and industry perspectives, Kim aims to unravel why the vendor relationship is so often contentious, what underpins CISO skepticism, and how mutual respect and honest communication can improve these interactions.
Key Discussion Points & Insights
1. The Cultural Divide: CISOs vs. Vendors
- Kim recounts an anecdote about a former CISO feeling ostracized after transitioning to a vendor role, highlighting the division between "in the chair" CISOs and those on the vendor side.
- “Overnight, I went from being a respected colleague to just another vendor…Professional organizations...treat me like a second-class citizen and folks whom I've interacted with freely and openly won't return my calls.” (05:41)
- Perceived Mistreatment: Many CISOs treat vendors with suspicion or dismissiveness, which can be demoralizing for those who have crossed over from operational roles.
2. Understanding the CISO Perspective
- Egoism of Motivation: CISOs are driven by a service-oriented mission, often fighting uphill for resources and respect.
- “We are not cops or soldiers, priests or firemen, but in some visceral level we have tended to share the same passion for service in making a difference.” (10:30)
- Vendor Motivation Gap: Vendors are seen as caring more about sales than operational realities, sometimes lacking the same passion for service or an understanding of day-to-day challenges.
3. Communication Breakdown
- Trust Issues:
- Referencing Paul Glen’s Leading Geeks, Kim explains the contrasting views on truth between technical and non-technical roles:
- For “geeks,” any exaggeration is a lie; for non-geeks, it’s normal speech.
- “CISOs often find it daunting to trust vendors. Our differences leave us at an impasse...” (16:24)
- Time Drain: The burden of cutting through vendor hype takes valuable time away from CISOs’ core objectives.
- “Every time a vendor speaks to someone in my organization, I lose a week's worth of work getting to the truth behind the sales pitch.” (18:01)
4. Guidelines for Healthy Vendor-CISO Relationships
Kim’s principles for more effective engagement:
- Plain Spoken Interaction:
- Clearly communicating requirements and intentions (exploratory vs. immediate need).
- Mutual Respect for Time and Goals:
- “It is disrespectful of their time and their mission to have them spend months with you for a supposed potential sale when in reality you have no intention of making a purchase.” (22:51)
- No Loss Leaders:
- Value exchange should be fair—don’t demand excessive freebies.
- Respect Vendor Budgets and Talents:
- Declining gifts if uninterested and recognizing the expertise vendors bring.
- Reciprocity in Expectations:
- Expect honesty, long-term focus, and fulfillment of promises from vendors, just as CISOs expect discipline from their own staff.
5. What Vendors Should Do
- Prioritize Transparency:
- “I would rather be told no, I can't do that than have someone tell me that their service or product meets a need...that they are not equipped to perform.” (28:10)
- Long-Term Relationship Focus:
- Prefer vendors who work for enduring partnership, not quick sales wins.
- Do What You Say:
- Deliver consistently on agreed outcomes.
6. The Path Forward: Rebuilding Trust
- Mutual Work Needed:
- “Vendors and CISOs do need to reevaluate their relationship if the collective profession is to improve. That relationship needs to start with mutual respect. Both sides have work to do in strengthening our ties if we are to succeed.” (31:22)
Notable Quotes & Moments
- On the Vendor Perception Problem:
- “Why do CISOs treat vendors like dirt?” (07:18, Colleague to Kim)
- “You're an anomaly, Kim...You treat vendors as partners. Most of your peers treat us like dirt.” (07:45, Kim’s colleague)
- On Dishonesty vs. Cultural Norms:
- “For the geek, lying is evil, truth is sacred...for the non-geek...exaggeration and opinions stated as fact are simply a part of normal speech.” (16:40, referencing Paul Glen)
- On the Time Burden of Evaluating Vendors:
- “Every time a vendor speaks to someone in my organization, I lose a week's worth of work getting to the truth behind the sales pitch.” (18:01, Conference anecdote)
- Closing Reflection:
- “My $0.02.” (32:00, Kim’s signature sign-off on perspectives)
Timestamps for Important Segments
- 05:41 – Story of a CISO feeling marginalized after moving to a vendor role
- 10:30 – The “egoism of motivation” in CISO and vendor worlds
- 16:24 – Discussion of trust and the cultural concept of “lying”
- 18:01 – The cost of vendor-CISO miscommunication
- 22:51 – Kim’s engagement rules for dealing with vendors
- 28:10 – What Kim expects from vendors (transparency, honesty, delivery)
- 31:22 – The need for mutual respect and relationship reevaluation
Tone and Style
Kim’s tone throughout is direct, introspective, and pragmatic—seasoned with analogies, anecdotes, and actionable advice. The approach is frank without being harsh, and always oriented toward building bridges and improving professional relationships.
Conclusion
This episode offers a nuanced take on the sometimes adversarial, often misunderstood relationship between CISOs and security vendors. Kim Jones encourages both sides to empathize, communicate plainly, respect each other's time and expertise, and strive for long-term partnerships over quick wins. At its core, the episode argues that only through mutual respect and honest dialogue can both vendors and CISOs fulfill their essential missions in the cybersecurity ecosystem.