
Blogs & Opinions 06.03.2025
CISO ‘How to’ Without the Bull: Vendor Management
What a seven-course tasting menu on the Orient Express tells us about cybersecurity
Imagine you are travelling on the Orient Express and decide a seven-course tasting menu would be the perfect way to enjoy the journey. However, you pay the full amount before drinks are even served; you don’t see the menu beforehand; there is no understanding of dietary requirements; and you aren’t even sure you’ll have the appetite for everything on offer. As it turns out, you arrive at your destination after only four courses, and to get what you need, you pay 100% again for another seven courses.
Does this sound familiar to buyers of cybersecurity products? We pay 100% up front for all the licenses that might be used, and are encouraged to buy a three-year deal having never fully experienced the product or service. Even if it is, with some luck, 100% deployed and utilised, deployment on its own generates little value.
Let’s look at the question of value. Many vendors assume that “value” means the delivery of a product: a number of endpoint agents running, repos scanned or device compliance postures assessed. But this is the easy bit.
Value shouldn’t be about 100% coverage or a 100% user base. Value is where a product or service makes a genuine difference. We need to get to a place where customers are only on the hook to pay once they have been able to generate that value, for example: 50% of cloud security compliance issues resolved, all critical OS vulnerabilities patched on 80% of endpoints, or 40% of legacy code libraries updated.
The good vendors and value added resellers (VAR, but we don’t like this term; let’s go with Solutions Sourcing) out there recognise that shipping the product isn’t actually adding value, and they work with their customers hands-on to actually make a difference. I’m not talking about paid-for professional services here: no company should have to pay more to achieve a successful deployment. Vendors and Solutions Sourcing know exactly what best practice looks like and how their own products generate value for customers, so they can apply this knowledge after initial deployment to tune the rules, remove noise and reduce false positives.
I fully understand that cybersecurity vendors have invested a huge amount of R&D into their products and that their shareholders want accurate revenue projections. But why should a customer be forced to bear the risk that a piece of software might not be a good fit? Proof of value (PoV) and proof of concept (PoC) trials are all very well, but we all know that it takes time for operational deployments to move into business as usual (BAU).
Paying as you use, or at least on a frequent (e.g. monthly) basis, means you pay for what is consumed, can maintain a healthy cashflow and have leverage with the vendor if you experience shortcomings in the capability or service. An effective Solutions Sourcing partner should be arguing this case and, at the very least, agreeing an acceptable price per unit for the first set of licenses, onto which further licenses can be bolted as needed.
We also need to talk about how long it might take a customer to generate true value from a product. Vendor solutions that are only truly effective after a period of learning, and/or that require agents and sensors to be deployed to assets or into the CI/CD pipeline, are going to be on the back foot compared to those that need only quick-to-enable APIs or integrations. Products that work this way, such as cloud security posture management (CSPM), attack surface management (ASM) and advanced email security, can immediately present useful data and highlight what the product is good at.
Now, these early insights are not yet genuine value, which only comes once improvements are actually made, but I would encourage you to look at how quickly a product can start you on this journey.
Solutions Sourcing’s value arguably comes not from its ability to buy in bulk and get big discounts (though it should very much be passing on pricing reductions as it purchases more volume). It comes from doing the best for its customers through its industry experience, relationships and insights. Here’s what to look for:
· Solutions Sourcing should offer strong recommendations for product solutions that fit your requirements and budget, rather than promoting tools you don’t have a need for and pushing the few vendors they have strong relationships with. If they do, they save you time with accurate market research and pricing expectations that are well understood up front. In other words, you might question whether you still need your Gartner subscription.
· They can also help define success criteria based on their inside-out knowledge of a product.
· Good vendors have dedicated Slack/Teams channels with their customers which are shared with customer success managers and engineers. This way, not only is information on new features and improvement opportunities tailored to the customer, but this route for resolving issues is far quicker and more personal than being forced to raise a ticket that gets lost in a queue.
· Most importantly, Solutions Sourcing can take the workload away from the customer for any disputes, contract negotiations, issues with service, etc. They need to represent the customer like an agent represents their client, and not sit on the fence trying to keep both the vendor and client happy. By owning conflict resolution and pushing the vendor to drive more value (a higher percentage of vulnerabilities resolved, etc.), Solutions Sourcing does much of the heavy lifting.
Hopefully the above will help to enhance your organisation’s relationships with its vendors and Solutions Sourcing, so you’re only buying the courses on the Orient Express that you really want and need. I’d love to hear your thoughts on what has worked and where you have tried different approaches that are equally valuable.
This article is part of our ‘No bullshit cyber blog’ series, written by Assured CISO in residence, Nick Harris. “These blogs are designed to offer useful tips for implementing cybersecurity practice. The series focuses on making a difference in a language the business understands,” explains Harris. “All points are drawn from my personal experiences delivering cybersecurity transformation programmes and consider best practices from other industries. While I’ve had great success with these methods, you may have a better way. Apply what works for you, and let me know your suggestions.”