The vendor innovation hub: A CISO’s imperative

Written by our in-house resident editor, Lyndsay Turley, an experienced communicator and cybersecurity advocate for over 15 years.

I’ve always questioned the defensive stance taken towards vendors by many in the cyber security profession. I understand it, of course. CISOs are incessantly deluged by more pitches than they can handle, as is the case across most industries, I am sure. But this doesn’t mean there isn’t value to be found amongst the noise. With the ever-accelerating pace of technology development, it’s incumbent upon CISOs to acknowledge their reliance on vendors and seek to influence what they bring to the table. The trick is getting to the point when you can have a reasonable conversation.

Now I know I am going to be accused of being biased for saying the following, but I am driven to describe a dynamic I discovered for the first time at the Pulse CISO 360 Congress in Rome last month. This time the sponsored one-to-one meetings, usually held in out-of-the-way meeting rooms, were staged on one of the hotel’s outdoor terraces. We walked through them every time we went to the conference sessions, and they were absolutely buzzing. I learned later that more than 200 meetings had been organised between companies and vendors over the two days. Unlike many other events, these meetings were not compulsory: all were there because they wanted to be. One CISO looked up after meeting with several vendors, and asked for more, saying “Right, who else can I speak to?”

It became clear to me that this was almost as much a feature of the event as the conference programme. The terrace had been transformed into a temporary innovation hub, where CISOs freely discussed current requirements and vendors gained access to unique insights that enhance their offering. In one case, a CISO helped a vendor recognise a completely new application for their technology as they talked through a very current business problem the CISO had at the time. Many vendors sent technical experts, and quite a few were regular attendees, respected for being part of the community. That point where you can have a reasonable conversation had been reached in what another CISO delegate described to me as a “collegiate atmosphere where everyone is on the same footing.”

Most practising professionals will admit that they have a constant need to understand what vendors are up to. (ISC)²’s Global Information Security Workforce Study has for many years repeatedly identified ‘researching of new technologies’ as the most time-consuming task for the professional community. In a previous role, I used to organise ‘vendor days’ where major vendors happily wheeled out their development road map and front-line practitioners willingly listened. They would sell out in a matter of days. Yet the defensive stance persists, as I noted in my first blog post, “Supply Chain Angst: We love an opportunity to slam those vendors”. Why?

Vendors do have their role to play in this. One good friend of mine, a security leader who has worked in both vendor and end-user roles, recently told me that too many work too hard to get a meeting only to undermine their position. “I don’t want to be sold to. I want to talk to them, and they need to listen,” he said.

CISOs, for their part, also need to be willing to talk. As highlighted in our report of last year’s Talk to the Board conference: “often there is great opacity in the information that is being shared… the most valuable thing is clear feedback about how the business needs to iterate and improve. There is no point in building something that is invisible or irrelevant for the buyer.”

I’ve been around long enough to see some of today’s biggest cybersecurity vendors grow to be much larger than their customers and, more often than not, to have far more insight than those customers into the trends and cyber threats we are all facing today. They have front-line access to invaluable data and information, particularly notable at a time when Artificial Intelligence (AI) is becoming embedded in the everyday.

When I approached Pulse last year and encouraged them to let me write about the insights that come out of their conference sessions, I wasn’t referring to the sponsors. I am now happy to declare that I am as much a fan of what they may have to share as the delegates that come from the other multi-nationals, financial services, government entities and the like. Their influence is powerful and is creating an imperative for CISOs to be heard, whether they are a potential customer or not.

I can appreciate that there is an inherent challenge that comes with any sponsored industry event, as vendors may seek to speak with potential customers who may or may not be open to their message on the day. In Rome, I learned that this challenge disappears with genuine conversation, in an environment where everyone can discover their mutual interest.

Lyndsay Turley
August 2019

Pulse will be continuing this conversation as part of CISO 360 Asia & Oceania in Singapore, 25-26 September. 

Join keynotes, case studies, group exercises, panel discussions and the CISO innovation hub in Singapore to benchmark with peers how to build resilience and governance across supply chains. Pulse facilitates a natural integration between in-house practitioners and technology innovators – we are all part of the same jigsaw after all!

Learn more about how you can join us and contribute within a confidential, professionally-charged environment.
