Why is the vendor role so contentious in the cyber ecosystem? [CISOP] — CyberWire Daily
You're listening to the CyberWire Network, powered by N2K. This exclusive N2K Pro subscriber-only episode of CISO Perspectives has been unlocked for all CyberWire listeners through the generous support of Meter, building full-stack zero trust networks from the ground up. Trusted by security and network leaders everywhere, Meter delivers fast, secure-by-design and scalable connectivity without the frustration, friction, complexity and cost of managing an endless proliferation of vendors and tools. Meter gives your enterprise a complete networking stack, secure, wired, wireless and cellular in one integrated solution built for performance, resilience and scale. Go to meter.com/CISOP today to learn more and book your demo. That's M-E-T-E-R.com/CISOP.

Welcome back to CISO Perspectives. I'm Kim Jones and I'm thrilled that you're here for this season's journey. This past season, we've pulled the deep conversations out of the conference bar to tackle these complex issues from every conceivable angle. Today we ask the question, what role does the vendor play in the cyber talent ecosystem? Let's get into it.

Have you ever imagined how you'd redesign and secure your network infrastructure if you could start from scratch? What if you could build the hardware, firmware and software with a vision of frictionless integration, resilience and scalability? What if you could turn complexity into simplicity? Forget about constant patching. Streamline the number of vendors you use, reduce those ever-expanding costs and instead spend your time focusing on helping your business and customers thrive. Meet Meter, the company building full-stack zero trust networks from the ground up, with security at the core, at the edge, and everywhere in between. Meter designs, deploys and manages everything an enterprise needs for fast, reliable and secure connectivity. They eliminate the hidden costs and maintenance burdens, patching risks and reduce the inefficiencies of traditional infrastructure. From wired, wireless and cellular to routing, switching, firewalls, DNS security and VPN, every layer is integrated, segmented and continuously protected through a single unified platform. And because Meter provides networking as a service, enterprises avoid heavy capital expenses and unpredictable upgrade cycles. Meter even buys back your old infrastructure to make switching that much easier. Go to meter.com/CISOP today to learn more about the future of secure networking and book your demo. That's M-E-T-E-R.com/CISOP.

Before I go on, I'd like to take a moment to dedicate this episode to my friend and colleague Joel Anderson. Joel suffered a devastating loss several weeks ago and thus had to cancel his appearance for this episode. As I fly solo for this podcast outing, I wanted Joel to know that he is in my thoughts and to honor him and his family during their time of grief. Joel, please know that the Jones clan is here for you and that your cybersecurity family mourns with you.

Some years ago, a friend of mine and longtime CISO left the chair to become the chief security strategist at a well-known security technologies company. A few weeks later, we sat down for a long overdue dinner with some friends. During the meal, we discussed their transition from responsible charge to vendor, which they were less than thrilled about. "Overnight, I went from being a respected colleague to just another vendor," my colleague complained. "I'm no longer allowed in CISO events. I'm no longer eligible to sit in CISO-exclusive meetings. Professional organizations that I have supported for years treat me like a second-class citizen, and folks whom I've interacted with freely and openly won't return my calls. Why do CISOs treat vendors like dirt?"

As I was about to respond, another colleague of mine who had crossed over to the vendor side nodded her agreement. "You're an anomaly, Kim," she asserted. "You treat vendors as partners. Most of your peers treat us like dirt." As the only non-vendor at a table of colleagues in full rant mode, I didn't pursue this conversation further over dinner, but I did spend some time mulling over the problem. I admit that I was taken aback by these comments, but only a little. Vendor opinions of me tend to be bipolar. I tend to be direct and sometimes pointed. While many vendors enjoyed this honest dialogue, many more found me difficult to engage with.

Like most relationship challenges, vendor-CISO relationship problems are two-sided. Regarding CISOs, I would say their issues centered around something I like to call the egoism of motivation. While our careers tend to be fairly lucrative these days, most of us end up fighting an uphill battle for resources and understanding with those who would quickly turn us into scapegoats. Yet despite this environment, we keep going back into the fray with zeal, passion and dedication. We are not cops or soldiers, priests or firemen, but on some visceral level we have tended to share the same passion for service in making a difference. Keeping this in mind, it can be difficult to work with those who understand our concerns yet do not necessarily share our motivations. CISOs have no objection to money or profit motives. That being said, it is at times vexing to engage in conversations about a tool or service with vendor personnel who either (a) don't share your motivations, (b) in many cases don't necessarily have similar experiences, (c) have left responsible charge positions to pursue potentially more lucrative roles, and/or (d) seem more concerned about acquiring your very limited dollars versus resolving your near- and long-term challenges. In short, it often appears as if some of the fundamental tenets and characteristics valued by operational security teams are either less evident or less important amongst our vendor brethren.

Even for those of us who manage to get past our own egoism, there still exists the challenge of vendor-CISO communication. Several years ago, I came across a webinar by Paul Glen, author of the book Leading Geeks. Mr. Glen discussed several axiomatic concepts for which geeks and non-geeks have contrasting ideas. Glen's sixth contradiction, one which I feel is especially relevant to the topic, centers around the concept of lying. For the geek, lying is evil; truth is sacred. Answering yes to a question when you don't absolutely know if something is true is a lie, and exaggeration and opinion stated as fact are lies. For the non-geek, lying is not good; it is bad manners. Answering yes to a question that you know is false is a lie, and exaggeration and opinions stated as fact are simply a part of normal speech. With such a disconnect in terms and terminology, CISOs often find it daunting to trust vendors. Our differences leave us at an impasse where vendors are often perceived as disingenuous, and the time it takes to find proper questions to ask is taking away from our daily missions. Just last week, one of my esteemed colleagues said at a conference, "Every time a vendor speaks to someone in my organization, I lose a week's worth of work getting to the truth behind the sales pitch." With these types of cultural dynamics in play, it is easy to understand why CISOs and vendors operate, at best, under a guarded truce. But it doesn't have to be that way.

As a CISO, I operate with certain guidelines when dealing with vendors.

Be plain spoken. Understand what requirements you are trying to fulfill and communicate them directly. As part of that communication, ensure your vendor understands whether your engagement is exploratory, whether you are trying to fill a short-term spend, or whether this will be a long-term process happening within the next fiscal year. Like you, your vendors also have requirements they need to fulfill. It is disrespectful of their time and their mission to have them spend months with you for a supposed potential sale when in reality you have no intention of making a purchase.

No loss leaders. While I freely admit that I will always try to obtain services as cheaply as possible, I recognize that the vendor must make a profit. I do not insist upon loss leaders or additional free services from a vendor in order to close a deal. If offered, I will accept them, but I do not make or break deals based upon the amount of free stuff I receive.

Respect vendor budgets. This one plays in the realm of both ethics and mutual respect. Vendors will regularly offer up dinners, tickets, etc. to get your attention or your time. Notwithstanding appropriate legal and corporate guidelines for accepting such gifts, I make it a practice not to accept such offers if (a) I am not interested in the product or (b) I have no budget for such products.

Respect vendor talent. It is nothing short of egoism to assume that the technical resources that vendors place in front of you are not equally as driven, passionate, intelligent and capable as the operational talent on your own team. Their difference in perspective and path should not be seen as inadequacy in any form or fashion.

On the other side of the relationship, the vendor reps with whom I've operated best also understood my expectations of them.

Be plain spoken. I would rather be told, "No, I can't do that," than have someone tell me that their service or product meets a need of mine that they are not equipped to perform. Don't attempt to put a square peg into a round hole for the sake of a sale.

Focus on the long term. While I respect your near-term quota, I am looking for vendor partners who understand my long-term needs and constraints. Don't sacrifice a long-term relationship for the sake of a short-term sale.

Deliver. Do what you say you're going to do, and ensure your products do what they say they will do as well. I expect this level of discipline and results from staff. I should expect no less from my vendors.

Vendors and CISOs do need to reevaluate their relationship if the collective profession is to improve. That relationship needs to start with mutual respect. Both sides have work to do in strengthening our ties if we are to succeed. My $0.02.

And that's a wrap for today's episode. Thanks so much for tuning in and for your support. As N2K Pro subscribers, your continued support enables us to keep making shows like this one. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic. There's a link in the show notes. Tune in next week for more expert insights and meaningful discussions from CISO Perspectives. This episode was edited by Ethan Cook, with content strategy provided by Ma'ayan Plaut, produced by Liz Stokes, executive produced by Jennifer Eiben, and mixing, sound design and original music by Elliott Peltzman. I'm Kim Jones, and thank you for listening.

Securing and managing enterprise networks shouldn't mean juggling vendors, patching hardware, or managing endless complexity. Meter builds full-stack zero trust networks from the ground up, secure by design, and automatically kept up to date. Every layer, from wired and wireless to firewalls, DNS security and VPN, is integrated, segmented and continuously protected through one unified platform. With Meter, security is built in, not bolted on. Learn more and book your demo at meter.com/CISOP. That's M-E-T-E-R.com/CISOP. And we thank Meter for their support in unlocking this N2K Pro episode for all CyberWire listeners.
Host: Kim Jones (N2K Networks)
Date: March 27, 2026
In this unlocked episode of CISO Perspectives, host Kim Jones dives deep into a critical and often fraught topic: the role of vendors within the cybersecurity ecosystem and the persistent tension between CISOs and security vendors. Drawing on personal experience and industry perspectives, Kim aims to unravel why the vendor relationship is so often contentious, what underpins CISO skepticism, and how mutual respect and honest communication can improve these interactions.
Kim’s principles for more effective engagement:
On the Vendor Perception Problem:
On Dishonesty vs. Cultural Norms:
On the Time Burden of Evaluating Vendors:
Closing Reflection:
Kim’s tone throughout is direct, introspective, and pragmatic—seasoned with analogies, anecdotes, and actionable advice. The approach is frank without being harsh, and always oriented toward building bridges and improving professional relationships.
This episode offers a nuanced take on the sometimes adversarial, often misunderstood relationship between CISOs and security vendors. Kim Jones encourages both sides to empathize, communicate plainly, respect each other's time and expertise, and strive for long-term partnerships over quick wins. At its core, the episode argues that only through mutual respect and honest dialogue can both vendors and CISOs fulfill their essential missions in the cybersecurity ecosystem.