The top concerns I hear from CISOs and CIOs when selling cybersecurityBy: Jerry Reidy
I have been selling technology to large businesses longer than I’d like to admit and I cannot envision myself in any other occupation. In fact, sales is the best profession on the planet, and it is a vocation I feel lucky to be a part of. I will confess that playing shortstop for the New York Yankees is my dream job, but until the Yanks return my calls, I will continue to put sales on the top of the list of the best and most rewarding careers.
I have seen and learned a lot during my sales tenure, but 2013 was when things really changed for me. I was working for a company that was addressing issues around ransomware, which was a relatively new issue at the time. The concept of protecting companies from the bad guys was so exciting to me. I realized that I could make a difference by helping companies thrive while keeping their intellectual property, employee, and customer information safe and out of the hands of people who want to cause them harm. I couldn’t then, and still can’t now, think of a more rewarding endeavor.
Top Cybersecurity Concerns From CISOs & CIOs
So here I am today, years into my career with a lot of stories and experiences to share. However, one of the things I find most interesting is that my conversations with CISOs and CIOs don’t really change all that much. Sure, technology continues to evolve, and everyone gets excited when a new shiny technology or cybersecurity capability is introduced, but at the end of the day, the same topics and challenges continue to be discussed. So, for those who are interested, I have listed my top five most common topics discussed when talking with CISOs and CIOs.
As they say: You can’t secure what you can’t see. I once asked a super-smart CISO who I really admire “how many windows machines do you have in your environment?” She paused, looked at me with a smile, and said, “it depends on who I ask.”
You may be asking yourself, why does a really smart CISO not know how many windows machines she has in her environment? First of all, her answer just shows how smart she is. Too many IT executives think they have this topic covered. This CISO was different, she realized that it is very hard to get this simple question answered with absolute certainty. Yes, one tool may give her an answer, but she knows she will get conflicting information from other tools running in her environment. For example, an EDR tool used by security will give her one total, the MDM tool used by IT will give her a second answer and the ITAM team using a third tool will give her a third response. The question is which one is right? Really smart CISOs know they have visibility gaps and are always looking for ways to solve that issue.
The word fundamental is defined as something that is basic or essential. When talking to CISOs and CIOs this word inevitably comes up. However, it usually comes up after a discussion around how an expensive cybersecurity tool never produced the value for which they hoped. The conversation goes something like this. “We purchased X tool at the cost of our entire security budget, and we found the tool to be wasted money that does not deliver on the value promised and we still have security concerns.”
Companies have external and internal pressure to buy the “next flashy cybersecurity tool” that has all the bells and whistles to prevent a nation-state actor from rappelling from the ceiling to break into their data center and steal the crown jewels. However, the real focus should be on the basics. Fundamental things like closing visibility gaps, timely patching, and software updates are the best way to protect a company’s crown jewels. If you’re not good at the fundamentals everything else is pointless.
As the great baseball player Barry Larkin once said, “What people don’t realize is that baseball professionals are sensational because of fundamentals. Unfortunately, sensationalism has taken over the professionalism in our sport.” I think the same can be said in the cybersecurity field. Too much sensationalism/marketing and not enough focus on the fundamentals. Good CISOs and CIOs are always looking to get better at the fundamentals.
What to Believe
CIOs and CISOs are very busy people. These are some of the hardest working professionals in the world. They have a tremendous amount of pressure on them to provide value to their organization while eliminating risk and ensuring a secure environment. They would love to buy a solution that would help them do their job better, but they don’t have the time or bandwidth to dig through all the marketing content that cybersecurity vendors produce. Also, many of them have been burned by overpromising and underdelivering technologies.
Have you ever been to a cybersecurity conference? Walk around and look at all the vendors’ marketing material. I defy you to find a tagline that is unique. My guess is you will see 20 vendors saying the same thing. CISOs and CIOs crave to have a trusted advisor to help them navigate through all the noise and help them make good decisions.
Ripping and Replacing is painful
Ripping and replacing deployed technologies in an organization is not a decision that is taken lightly by any executive. Many companies know they have issues with the technology they are using, but the idea of swapping something for something better is a hard sell. And who is to say the new technology will bring any more value than the former one? The idea of removing a tool that has been financially invested in with hundreds of hours of training and user experience is not for the lighthearted. CISOs and CIOs only want to go through this exercise if it is the last option or there’s a strongly compelling event (and a compelling security event is not high on their list of things they want).
IT and security teams are rarely on the same page
There are many teams that play an important role in the success of IT and security within an enterprise organization. You have IT Operations, Server teams, Laptop teams, Security, and Risk just to name a few. Each team has a separate budget and a technology/tool they want to use to perform their job. Each team has invested lots of time and money in the tools they are using.
The unintended consequence of having these different departments working autonomously is an environment where it is nearly impossible to quickly detect and respond to security threats. For example, if a security team discovers a vulnerability, they need to coordinate with the IT team to remediate it. The most common issue with this scenario is that the IT team’s tool tells a different story. The back and forth between teams will happen in an effort to figure out who is right and who is wrong. This all takes place while a potential threat has more time to wreak havoc. CISOs and CIOs want a better bridge across the gaps between teams and tools.
Enterprise Technology Management and Oomnitza
As I mentioned I am a sales professional, and a good sales professional worth his or her salt never misses an opportunity to sell. So, allow me to quickly explain how Oomnitza can solve the challenges outlined above with its Enterprise Technology Management platform.
The thesis of our founders was why isn’t there a single system of record for IT and Security professionals when this is absolutely critical for any business? They noted that Sales teams have a single system of record ( Salesforce), HR teams have one (Workday) and Finance teams have one ( Oracle). But IT/Security does not have one?
Oomnitza was established to give IT and security teams the same visibility and simplification advantage their counterparts in other areas of the business have while driving value in five key areas of a business, (Security, Compliance, Logistics, Finance, Employee Experience).
Oomnitza is a solution for endpoints, applications, infrastructure, and networking. It automates lifecycle processes, from purchase to end-of-life, ensuring your technology is secure, compliant, and optimized. Oomnitza provides an agentless solution that does not require our customers to rip or replace their current technology. This approach allows our customers to get more value out of their current tools while closing the gap between the technology being used and the departments using them.
In today’s reality of working from anywhere with zero trust, the traditional approaches of IT asset inventory management and siloed tools does not scale. To protect the competitive advantage of your technology you need an agentless platform like Oomnitza to consolidate and normalize data from existing siloed tools such as device management, SaaS, SSO, cloud, purchasing, and security, to provide a key business process system for all technology in an enterprise.