How (and Why) CISOs Evaluate Vendors Before Taking Any First Meeting | May Brooks-Kempler

Interested in sponsoring an episode like this with your target buyer?

→ Reserve your sponsorship here. ($2,575)

When a CISO starts evaluating a new product, they start by evaluating the people they’re going to work with, and only then evaluate the vendor from a technological perspective.

Because at the end of the day they do business with people, not just with products.

Building brand awareness and trust is very important. Why would you give access to your financial accounts if there’s no trust?

Brutally honest insights from May Brooks, Deputy CISO and Founder and Chairwoman of the Board of Helena Cybersecurity Awareness.

In this episode, Dani Woolf had a conversation with May about her challenges, her goals, what vendors do that pisses her off, and the alternatives.

Guest at a Glance

💡 Name: May Brooks

💡 What she does: May is currently Deputy CISO of Wio Bank and Founder and Chairwoman of the Board of Helena Cybersecurity Awareness. May has been in the cybersecurity industry for over 20 years. She got into the business totally by chance when she was in the army. She relocated from Israel to the UAE about six months ago and is now working as a cybersecurity expert and deputy CISO. May is in love with her profession and in love with cybersecurity.

💡 Where to find May: LinkedIn

What does May do on a day-to-day basis as a cybersecurity expert, and what is her ultimate goal?

May's role as a cybersecurity expert and Deputy CISO primarily revolves around ensuring the security of the business. Her daily routine begins by understanding the nature of the business, the specific goals it aims to achieve, and the overall business strategy that is in place.

It is from this comprehensive understanding that she creates a cybersecurity strategy. By aligning it with the objectives of the business, May ensures that her cybersecurity measures complement rather than hinder the company's progress.

May's approach is significantly shaped by her experience as a business owner, which grants her unique insights into the world of business. This perspective underpins her work, particularly when conducting risk assessments, a key aspect of her role. 

“It's all risk assessment and as a business owner as well (because I'm also a business owner) it gives me sort of a better understanding of the business world.” 

In essence, her ultimate goal is to establish and maintain a security framework that aligns with and supports the trajectory of the business, while minimizing risk and ensuring resilience against potential threats.

What is May’s one bleeding neck challenge right now as the deputy CISO of a FinTech company? 

May is currently grappling with third-party vulnerabilities. The performance of the company she works for is often contingent on external entities, particularly critical vendors.

The problem amplifies when one of these third parties gets hacked, as it can impede the ability to provide services. This means that May and her company are heavily reliant on these external companies not just functioning as expected, but also maintaining high security standards to prevent breaches.

“It's a leap of faith for sure,” she says.

The interdependence inherent in the ecosystem places May in a precarious position where entrusting third parties with critical functions is a leap of faith. This vulnerability exposes her company to potential disruptions and significant risk.

What is the ultimate goal May’s trying to achieve as a security practitioner? 

Aside from her primary responsibilities of understanding, securing, and evaluating the business, May's vision extends far beyond the corporate sphere.

As a security practitioner, her ultimate goal is to propagate cybersecurity awareness until it becomes common knowledge. She strives for a future where everyone possesses the necessary skills and knowledge to protect themselves and their families online.

She recognizes that the human element is often the most critical factor in maintaining security. 

For her, cybersecurity isn't solely a technological challenge, but an issue intertwined with the everyday behaviors and habits of people. 

That's why she invests significant time and effort into security awareness initiatives, using her expertise to foster a broader understanding of the potential risks and the means to mitigate them.

What challenges did May face in her first days after moving to Abu Dhabi and starting a new role?

Upon moving to Abu Dhabi and embarking on a new role, May was confronted with a slew of challenges. 

One of the immediate issues was the influx of vendors and tool providers that reached out as soon as she updated her LinkedIn profile. This deluge of communications was overwhelming, especially when many vendors did not take the time to understand her role and offered services that she herself provides. The more egregious examples included offers to enroll in CISSP courses, even though she is a CISSP instructor and a co-author of a CISSP book.

When it comes to selecting a new service provider or technical vendor, May prioritizes the evaluation of the firm and its personnel. 

She values understanding who she will be working with before considering the technological aspect, corporate fit, business alignment, and pricing. 

While there are many advanced technologies available, May believes that interpersonal chemistry and compatibility with her company are crucial factors in making a successful business relationship.

To her, business is not conducted solely with products, but primarily with people. This philosophy has shaped her approach to vendor management and partnership selection in her new role, which initially proved challenging but ultimately offered valuable lessons.

What are ways though that May evaluates people within a potential vendor?

May adopts a meticulous and interconnected approach when evaluating individuals within a potential vendor organization. 

Her primary tool in this process is the power of the ecosystem. She delves into the company profile, analyzing who works for them. 

She explores if she has any existing connections or shared acquaintances with the people within the potential vendor's firm.

Prior to any initial meeting, May examines the profiles of those she will be interacting with, essentially conducting a preliminary assessment of their backgrounds and roles. 

“I rely a lot on the ecosystem. So, I will look into the company profile and I will look into who's there and who's working for them. And do I know them? Do I have recommendations, shared connections? Then, before the first meeting, I will go into the profile of the people I'm supposed to meet and look into that.”

This methodology allows her to gain a comprehensive understanding of the people she might potentially work with, informing her decision-making process.

These strategies are not only effective but are also steps that any marketing or sales professional should take before any meeting. Researching and understanding prospective partners or clients leads to informed interactions and better business decisions, reinforcing the importance of people in successful business relationships.

A quick checklist of where and how a CISO researches a vendor:

When a CISO, like May, needs to research a vendor, several key steps are undertaken to ensure a comprehensive understanding of the potential partner.

  • Company Website: May begins with the company's website. The visibility of the team, particularly through an 'About Us' page, is critical. She prefers to work with vendors who are transparent about their team, reinforcing the idea that in service provision, the people are as important as the product.
  • Social Media and Online Presence: LinkedIn is a major resource for her. However, when the potential partnership is strategic, she goes further by exploring other social media platforms like Twitter, Instagram, and Facebook. She even Googles the person she'll be meeting to gather as much information as possible. This may include past interviews or articles about them. Ideally, she invests this time before the first meeting to ascertain if the potential partnership is worth exploring.
  • The Ecosystem and Professional Networks: May highly values the opinions and experiences of her professional network. She belongs to various cybersecurity professional groups on platforms like Facebook and WhatsApp, some local to the UAE, some in the UK, Israel, and some global. If she's evaluating a new vendor, she often asks her peers if they have worked with them. The collective knowledge of her network plays a significant role in her evaluation process.
  • Employee Reviews: Glassdoor reviews provide valuable insight into the internal workings of a potential vendor. Employee sentiments can often reflect how customers may be treated, making it a crucial consideration.

After gathering information, May conducts a risk assessment. 

She meets key personnel within the company, including C-level executives, to understand their perspectives and assess potential risks. 

This process forms the basis of a work plan, developed with incremental goals in mind. Starting with basics, she plans for gradual optimization over the years, ensuring a continual pursuit of improvement. 

This way, she doesn't rush the process, instead allowing for a steady, measured progression towards the partnership goals.

Are there any differences or anomalies right now in the market that salespeople, marketers, vendors, can learn from or take advantage of to stand out? 

The COVID-19 pandemic has brought about significant shifts in the business landscape, affecting how companies operate and interact. 

It has led to a paradoxical situation where, on one hand, the world feels smaller and businesses are more open to exploring unfamiliar avenues, and on the other hand, companies are gravitating towards what they know and trust in certain areas.

In light of these changes, there are opportunities for salespeople, marketers, and vendors to stand out in the eyes of professionals like May.

  1. Creating brand awareness is a key strategy in this context. As the world shrinks digitally, a well-established brand can resonate more effectively with potential partners and customers.
  2. Integration into the ecosystem is another crucial factor. This involves understanding the industry dynamics, building relationships with various stakeholders, and actively participating in community events. However, this isn't an overnight process – it requires patience and consistent effort.
  3. Honesty and authenticity go a long way. May appreciates clear, direct communication without any attempt to oversell or unnecessarily push products or services. If she states that something isn't a priority, it is crucial to respect her position and not press further. Any forceful tactics can lead to disinterest or even disengagement.

These insights offer valuable guidance for vendors and marketers looking to establish meaningful connections with professionals like May in the current business environment.

How can a salesperson or marketer best understand a CISO's priorities? How can they obtain that information without being under an NDA?

For a salesperson or marketer to truly understand a CISO's priorities, having a solid grasp of the professional landscape is invaluable. 

May, for instance, places a lot of trust in and finds it easier to collaborate with salespeople who have undergone training such as CISSP or CISO training. This type of training gives sales professionals a better understanding of the intricacies, challenges, and requirements within the cybersecurity field.

The resultant professional conversations, as opposed to purely business ones, tend to be more informed, relevant, and productive. “It’s easier to have those professional conversations, not just business conversations,” she says.

This is because the salesperson or marketer, equipped with specialized knowledge, is better able to understand and address the CISO's needs and concerns.

In terms of gathering data without violating any non-disclosure agreements, it comes down to open, transparent, and respectful communication. 

Asking direct questions about the CISO's current priorities, challenges, and objectives can yield valuable insights. However, it's important to respect boundaries and understand that certain information might not be shared due to confidentiality requirements.

What, in May’s eyes, stands out from a brand perspective? 

In May's perspective, two things significantly make a brand stand out: meaningful engagement with the community and the creation of trust.

She cites two companies, Wizer and Rise Up (an Israeli FinTech startup), that exemplify these principles.

The former, even though technically a competitor, has gained her respect through their impactful community engagement. 

By inviting her and others in the cybersecurity community to participate in their webinars, they've managed to build brand awareness while fostering professional relationships.

Rise Up, on the other hand, understood that entering their market required not only brand awareness but also trust-building. Given that they were asking customers to grant access to sensitive financial information, establishing trust was a paramount concern.

A standout tactic adopted by Rise Up was their use of live podcasts, hosting cybersecurity experts and addressing audience queries in real time. Their approach demonstrated transparency and responsiveness, particularly when they openly acknowledged any questions they couldn't immediately answer. Following up on these inquiries later on further solidified their commitment to their audience.

May's observations highlight that impactful brand-building doesn't have to be expensive. Rather, it should focus on fostering trust and engaging meaningfully with the target community. 

A strong, trustworthy brand can often make the difference when customers are deciding between similar products or services, underlining the importance of these strategies.

What are some cardinal rules that security vendors, marketers, sales teams, and everyone above, below and in between are breaking these days?

From May's perspective, there are a few cardinal rules that vendors, marketers, and sales teams in the security sector seem to be breaching currently. These lapses primarily revolve around respecting buyer privacy and maintaining professional integrity.

  1. Unsolicited contact, particularly phone calls, is a major violation. Despite the fact that contact information might be readily available online, it doesn't grant a free pass to reach out unexpectedly, especially without a prior relationship. Such behavior can be irritating and potentially damaging to a potential customer relationship.
  2. Disparaging competitors is a tactic that is both unprofessional and off-putting. May believes in emphasizing one's own strengths rather than underscoring a competitor's weaknesses. To her, collaboration is more important than competition, as demonstrated by her willingness to participate in webinars even with firms technically considered competitors. It is all about proving your value through your actions rather than by downgrading others.
  3. The cybersecurity community is close-knit, and actions and attitudes reverberate across its members. It’s essential to remember that the security field is about people as much as it is about technology. Maintaining respect, honesty, and professionalism goes a long way in establishing and preserving positive relationships within this community.

These insights serve as a reminder that even in the technologically-driven field of cybersecurity, human relations, respect, and professional decorum remain central to successful business interactions.

What's one thing a vendor has done that made May feel really good? 

A gesture that has resonated positively with May from a vendor is attentive listening and action. When a vendor not only hears her concerns but also makes genuine efforts to address them, it creates a lasting positive impression.

Listening is more than merely an act of courtesy; it's the first step towards understanding a customer's needs, frustrations, and aspirations. 

However, the real value lies in translating that understanding into actions, even if those actions may not yield immediate results. Attempting to make improvements based on her feedback demonstrates a vendor's commitment to customer satisfaction and problem-solving.

May appreciates these attempts to make her happier, even if they don't always work out. 

She emphasizes the power of this approach, and the lasting impact it can have on a potential business relationship. The vendor might not secure her business immediately, but they have certainly left a favorable imprint in her mind.

This insight underscores the importance of genuine customer-centricity for vendors. 

By actively listening to customers and striving to address their issues, vendors can build stronger, more meaningful relationships that could potentially translate into business opportunities in the future. 

It's a reminder that sometimes, the 'soft' aspects of business relationships can be just as influential as the 'hard' ones.

What does May hate most about the cybersecurity industry?

While May cherishes the close-knit nature of the cybersecurity community, it also poses challenges that she dislikes. 

The small size of the community implies that secrets are difficult to keep, a paradoxical issue in a sector devoted to privacy and information security. The community's innate curiosity often leads to quick discovery of any concealed information, which can be a double-edged sword.

Simultaneously, May returns to the aspect she values most about her industry: vendors and service providers going above and beyond to meet their clients' needs. 

She particularly appreciates when they offer a little extra – whether it's time, effort, or even a tangible freebie. This aligns with her customer-first approach, where she seeks to treat her clients with the same consideration and attentiveness she values as a customer.

In May's perspective, the key to successful relationships in the cybersecurity industry is the ability to listen, empathize, and adapt. 

Being overly rigid in one's approach can hinder open dialogue and mutual understanding, which are vital for fostering successful business relationships. This serves as a valuable reminder for vendors and service providers to remain flexible and receptive to their clients' needs.