Podcast Summary
Podcast: RSAC
Episode: Cyber at the Top: Choosing the Right Cybersecurity Partners: A CISO’s Playbook
Date: January 22, 2026
Host: RSAC
Guest: Tal Arhat (former CISO & CTO, Carlsberg Group)
Episode Overview
This RSAC episode examines how to choose the right cybersecurity partners from the perspective of Tal Arhat, who has worked at the intersection of IT, security, and operations as both CISO and CTO at Carlsberg Group. The discussion offers actionable advice on evaluating vendors, sustaining a genuine partnership beyond the contract, balancing innovation against stability, and working with both established providers and startups in a rapidly changing threat landscape. It is built around practical strategies, real-life examples, and lessons for security leaders who want meaningful partnerships rather than marketing buzzwords.
Key Discussion Points & Insights
The Evolving Challenge of Choosing Cybersecurity Partners
- The Complexity of the Market ([02:26])
- The cybersecurity market is increasingly crowded, with bold marketing claims and rapid technology shifts.
- “You keep running not only after new attacks, but also about the defensive technologies... The technological environment is becoming more and more difficult.” (Tal Arhat, 02:26)
- Vendors vary greatly in their ability to deliver real results; differentiation is hard.
The Dual Lens: CISO & CTO Roles Shape Vendor Evaluation
- Operational & Security Balance ([04:39])
- Having managed both security and IT operations, Tal gained a holistic understanding.
- Security choices directly impact operational stability and user experience.
- “You can’t just implement the latest and greatest... and just tell the ops team to implement it and go on your weekend. Because when you create a problem, you’re going to deal with that as well.” (Tal Arhat, 04:39)
- Mature purchasing decisions rely on understanding cross-impact on existing IT and users.
Criteria for Selecting a Vendor
- Real Problem Solving Over Hype ([06:07])
- Is the vendor solving a real, prioritized problem or merely selling novelty?
- Peer references are invaluable; seek real-world feedback from practising CISOs who have run the product.
- “Are they solving an issue that I actually need solving?... I always looked at, am I solving something that I need solving or am I improving something in my existing estate?” (Tal Arhat, 06:07)
- Analyst reports often lack practical value compared to practitioner input.
- Early Technical Diligence ([09:18])
- Get technical quickly in vendor discussions; skip the generic pitch.
- Early proof of concept—even with limited scope—helps validate vendor claims.
- “If you start asking the technical questions quite early… and you realize based on the answers whether they actually understand what it is they’re selling... that’s a good sign for me.” (Tal Arhat, 09:18)
- Avoid vendors unable to move beyond surface-level marketing.
- Signals of a Long-Term Partner ([12:55])
- Scrutinize the vendor’s implementation realism and willingness to align their plan with your context.
- If timeline or effort seems too optimistic or generic, be wary.
- Having the actual implementation team present during negotiation is a plus.
- “If that person is sending you... This will take us nine months, this will take us half a year... then I already feel better about this. Because you see that person is not trying to sell you fairy tales, they’re trying to really do what’s right for you.” (Tal Arhat, 12:55)
- Ensuring Alignment with Company Strategy and Operations ([15:00])
- Providers need to integrate with your risk model, IT processes, and reporting—not impose their own.
- Openness—treat strategic vendors as partners, share your roadmap, encourage dialogue.
- “I need to be able for them to liaise to whatever system I have in place in terms of service calls, in terms of the definitions of what an incident is, in terms of SLAs, and that’s something I have to negotiate.” (Tal Arhat, 15:00)
Startups vs. Established Players
- Startup Risk & Reward ([18:27])
- Startups drive innovation, but add operational risk; gradual engagement preferred.
- Begin with limited (read-only/advisory) permissions, expand as trust is earned.
- Assess founders’ and advisors’ experience; strong boards increase credibility.
- “You can’t really avoid working with startups today if you want to keep more or less in line with what’s happening in the market... normally you start with these kinds of contracts or these evaluations with a read only visibility type of solutions...” (Tal Arhat, 18:27)
Assessing Value vs. Cost
- Understanding Pricing Beyond the Sticker ([21:15])
- Initial price is usually negotiable; leverage procurement.
- Balance solutions with hard ROI (e.g., onboarding tools) and those that reduce risk (e.g., backup systems).
- Quality of life improvements for users are valuable—even if hard to quantify.
- “First and foremost to all the CISOs out there, the price you’re getting from a vendor... is probably 30% higher than what you’re actually going to pay.” (Tal Arhat, 21:15)
Tech Integration and Compatibility
- Integration Practicalities ([24:32])
- Modern systems are better at interoperability (APIs, standards), but verify early.
- Prioritize mandatory integrations (e.g., with core identity platforms, ServiceNow).
- Don’t compromise on must-have connections; e.g., don’t switch user workflows unless absolutely necessary.
- “If it has to talk with your IdP, then it has to talk with the IdP. Right. You’re not going to make any concession.” (Tal Arhat, 24:32)
- Consider nuances like language support and regulatory environment compatibility, especially for global organizations.
Common Mistakes in Vendor Selection and Onboarding
- Underutilization & Neglect ([27:54])
- Buying solutions and not using them to full capacity is wasteful.
- “If you buy something, make sure that you don’t only... you’re not only going to use it, but also use all the features or at least most of the features that you actually need...” (Tal Arhat, 27:54)
- Complacency in Long-term Contracts
- Vendor engagement often drops over time; ongoing relationship management is key.
Governance After the Contract
- Ongoing Diligence & Bilateral Responsibility ([30:12])
- Contracts should be drafted with a specialist contract manager so that they include clear SLAs, expectations, change processes, and governance routines.
- Ongoing regular meetings and updates are essential; both vendor and company must remain mutually engaged.
- “When you sign the contract, you can’t just do like this, okay, now it’s your problem, right? I bought a from you; go and deliver. You have to be an active part of this as well.” (Tal Arhat, 30:12)
Real-World Examples: What Makes or Breaks a Vendor Relationship
- A Positive Example ([31:41])
- An MDR (managed detection and response) provider who prioritized professionalism and customer need over commercial upselling.
- “They valued their professionalism much more than the income.”
- A Negative Example
- A vendor who became disengaged as the contract end approached, neglecting issues and causing security incidents.
- “They actually caused a couple of significant security incidents because of lack of caring.” (Tal Arhat, 31:41)
The Importance of Community and References
- The security field is “small and tribal”—reputation travels fast.
- Peer references will surface both good and bad experiences in the market. ([34:17])
The “Pub Test”: The Ultimate Vendor Criterion
- Memorable Advice ([35:14])
- “Choose a vendor or a partner that you can see yourself sitting with in a pub five years from now and still get engaged by them. If you’ve done that, then you’re gonna be okay.” (Tal Arhat, 35:14)
- The “pub test”—genuine rapport and mutual respect—can be the deciding factor.
Memorable Quotes & Timestamps
- On Market Complexity:
“The technological environment is becoming more and more difficult...so many players out there...it is becoming really difficult to differentiate between who's actually delivering...” (Tal, 02:26)
- On Early Technical Vetting:
“If it’s a salesperson...‘we are the bestest, we are the greatest...’ that’s already turning me off...” (Tal, 09:18)
- On Startups:
“Normally you start with these kinds of contracts or these evaluations with a read only visibility type of solutions...over time, when you get a sense of how good the startup is...you’re starting to give them a bit more permission...” (Tal, 18:27)
- On Value vs. Cost:
“Quality of life improvements for users...if you make it easy for them, they will want to cooperate with you. They don’t necessarily want to be bad corporate citizens.” (Tal, 21:15)
- Contract Governance:
“Have someone who is a specialist contract management person to actually look, help you write the contract. Right. Because by the end of it we are mostly...security people. We don’t necessarily know all the angles of how to manage large scale contracts.” (Tal, 30:12)
- MDR Provider Example:
“They valued their professionalism much more than the income.” (Tal, 31:41)
- Guiding Principle:
“Choose a vendor or a partner that you can see yourself sitting with in a pub five years from now and still get engaged by them. If you’ve done that, then you’re gonna be okay.” (Tal, 35:14)
Major Takeaways
- Prioritize solving real problems over riding hype cycles.
- Leverage your network—reference checks with peers trump analyst reports.
- Demand early technical engagement and concrete implementation plans from vendors.
- Treat strategic vendors as partners—share roadmaps, seek mutual alignment.
- For startups, introduce risk gradually; expand permissions as trust grows.
- Price is just the starting point; value includes risk reduction, productivity, and user satisfaction.
- Think through integration, language, and regulatory fit well before purchase.
- Maintain active governance and mutual engagement through the vendor lifecycle.
- Vendor relationships are personal and communal—the “pub test” is a great filter.
Useful Timestamps
- [02:26] – The evolving complexity of choosing vendors
- [04:39] – Dual responsibilities influence decision-making
- [06:07] – First criteria for evaluating vendors
- [09:18] – Early technical vetting & proof of concept
- [12:55] – Assessing partnership signals before signing
- [15:00] – Aligning vendor with your IT/risk strategy
- [18:27] – Evaluating and onboarding startups
- [21:15] – Pricing, value, and CISO communication with stakeholders
- [24:32] – Integration and technical compatibility
- [27:54] – Common onboarding mistakes
- [30:12] – Active contract governance
- [31:41] – Real-world partnership examples
- [34:17] – Reputation and the tribal security community
- [35:14] – “The pub test” as your ultimate guide
This summary captures Tal Arhat’s core advice on how to evaluate, select, and manage cybersecurity partnerships for long-term, strategic benefit: a practical playbook for today’s CISOs.
