Why Mapping Cybersecurity Products to Control Frameworks is a Massive Differentiator | Brian Haugli

There's a massive disconnect between product/solution providers and the people building cybersecurity programs in the industry.

The programs are built to standards. 

So, what if product companies start building products to meet those standards?

Product vendors should be able to (but often can’t) tell what type of program they are building to and how they meet the controls inside that framework. 

We need to have risk management and to be able to make decisions. 

We need to shape people's thinking around and away from this auditor, pure “black and white” view in order to bring positive changes to the industry.

Brutally honest insights from Brian Haugli, CEO of SideChannel, Former F500 CISO & CSO and Founder of RealCISO.io.

In this episode, Dani Woolf had a conversation with Brian about his challenges, goals, what vendors do that pisses him off, and the alternatives.

Guest at a Glance

💡 Name: Brian Haugli

💡 What he does: Brian is currently the CEO at SideChannel

💡 Where to find Brian: LinkedIn

Episode Insights:

Why is a protective mindset a must in the cybersecurity industry?

In this industry, success often comes to those who enjoy solving problems with an open mind. 

Security, in particular, benefits from individuals with a strong protective mindset. 

These people strive to maintain the integrity of systems as they were originally designed. 

“Security itself benefits from people who really have a protection mindset. People who want to protect things as they were built,” says Brian. 

What Brian hates most about the cybersecurity industry and what you can do about it:

Brian says, “it's a toss-up between people who sell bullshit and people who have a pure auditor's mindset on how to approach building and addressing risk.”

This is by no means a critique of vendors as a whole, but it's worth noting that some vendors miss the mark in their product or solution selling strategies. 

A common pitfall comes in the form of vendors either overselling without substance or adopting an overly rigid auditor's mindset when addressing risk management.

Do your homework

Before engaging in a meaningful conversation, vendors need to establish an authentic rapport with potential buyers. 

This involves understanding the buyer’s interests, objectives, and industry challenges that the product or solution can mitigate. 

Do your research. “And if someone is clearly not interested, take the hint, walk away and move on. There are millions of other people in the world,” asserts Brian. 

Learn and understand compliance frameworks

A common misconception is that a security program built on frameworks and controls is purely compliance-based. 

On the contrary, these frameworks serve as guides for effective techniques and processes. 

Relying solely on compliance can be a recipe for failure, as it overlooks the importance of the broader methodologies that define successful risk management strategies. 

“I'm not saying you have to do all of them. It's a guide, it's a framework. And a methodology is walking through that framework,” says Brian.

Understand cybersecurity control frameworks, standards, and the process of building programs. 

Instead of just focusing on selling your product, take a step back.

Invest time in learning the roles of a GRC analyst or a CISO. 

While you're not expected to perform these roles, reading a white paper about the programs they're involved in can be informative.

Become familiar with compliance terminology. 

This can save potential clients the task of cross-mapping, making your product more desirable. 

Remember, you're not only selling a product, but you're also providing a solution.

Know your product and have a clear message as to how it aligns to control frameworks

One of the fundamental aspects of successful selling is having a deep understanding of the product and being able to deliver a clear message. 

Unfortunately, some vendors fall short when it comes to articulating how their product aligns with a control framework, particularly when the customer is trying to build a program based on that framework. 

Such gaps in communication often lead to futile discussions.

Brian says, “vendors should be able to talk to me about what their products do, aligning to the program I'm trying to build.”

Don’t get trapped in an auditor’s mindset

While compliance serves as a useful starting point, it's essential to avoid getting trapped in the binary thinking associated with an auditor's mindset. 

Risk management should focus on informed decision-making rather than rigid compliance. 

The industry needs to shift from the strictly "ON" or "OFF" compliance perspective to a more nuanced approach that encourages progress.

“Cybersecurity is pretty freaking cool, it's near magic. And we think we're all pretty cool for what we do in this space and that screws us sometimes,” claims Brian.

The rest of the world often views us as IT nerds. 

To change this perception, we need to avoid talking like auditors or focusing on KPIs that aren't relevant to the wider audience.

While total compliance seems like an easy solution, it often hinders innovative thinking about mitigating controls or remediation strategies. 

It demands significant effort to articulate why a particular risk couldn't be addressed directly but was instead managed through an alternative strategy. 

“How many vendors don't know what their product actually does against a control framework is mind boggling,” says Brian. 

This disconnect between product vendors and those building programs isn't conducive to progress in the industry.

How can product teams better map their products' functions and features to the controls?

Product teams can better align their products' functions and features with controls by asking the right questions and investigating thoroughly. 

For instance, they could seek feedback from stakeholders about the impact of their product against a certain standard when fully implemented.

A well-strategized product development plan can make a huge difference. If the product is built in alignment with a popular framework in a particular sector or region, it could help target that space more effectively. 

A buyer would turn first to a vendor that provides such alignment information, since it significantly reduces the amount of work and speeds up decision-making.

Think about this: we are building programs according to standards, so why not have product companies design products that meet those standards? 

This shift in approach could be groundbreaking.

In the near future, this will likely serve as a major point of differentiation for vendors. 

Those who recognize this and start building and marketing their products this way will stand apart from those who don't.

“I would talk to those vendors first as a buyer, if they had that information because they literally cut down a whole ton of work for me. And I can immediately see if it fits me,” says Brian.

How can marketers, salespeople, product teams, and vendors in general make experiences easier for a buyer?

Marketers, salespeople, product teams, and vendors can enhance a buyer's experience by clearly communicating how their products align with the frameworks and controls of the program they are building.

“I need more than just promises. Provide tangible evidence, show me how your product fills a specific gap. When implementing your product, be prepared to tell me immediately how it supports my needs. Hand me the answers I need to convince an auditor with a binary mindset that I meet the necessary controls,” says Brian.

The goal should be to make the buyer's journey as effortless as possible. 
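As an added illustration of the cross-mapping deliverable described in the two preceding sections (product teams mapping features to controls, and buyers wanting evidence rather than promises), here is a small Python script written for this summary; it is not code from Brian, SideChannel, or any vendor. The product name "ExampleIAM", its feature names, and the evidence strings are all constructed; the control identifiers are NIST CSF 1.1 subcategory IDs, used only as the illustrative framework the buyer's program is built to. The script takes the vendor's feature-to-control map and the buyer's list of required controls, discards any claim that carries no evidence, and produces the gap report (full, compensating, or none per control) that a buyer would otherwise have to assemble by hand.

```python
"""Cross-map a product's features to the control framework a buyer is building to.

Added example for this episode summary (not vendor or project code). All product,
feature and evidence values are constructed; control IDs are NIST CSF 1.1
subcategories used purely as the illustrative framework.
"""
from dataclasses import dataclass
from enum import Enum


class Coverage(Enum):
    """How strongly a feature addresses a control, ordered by what a buyer prefers."""
    NONE = 0
    COMPENSATING = 1   # risk is managed by an alternative route, not the control as written
    FULL = 2           # the feature implements the control outright


@dataclass(frozen=True)
class FeatureMapping:
    feature: str        # product feature name (constructed)
    control_id: str     # control identifier in the buyer's framework
    coverage: Coverage
    evidence: str       # the artefact a buyer can hand to an auditor (constructed)


# Constructed vendor claims for a hypothetical product, "ExampleIAM".
VENDOR_MAP = [
    FeatureMapping("MFA enforcement", "PR.AC-1", Coverage.FULL,
                   "MFA policy export and enrollment report"),
    FeatureMapping("Role-based access", "PR.AC-4", Coverage.FULL,
                   "role-to-permission matrix export"),
    FeatureMapping("Login anomaly alerts", "DE.CM-1", Coverage.COMPENSATING,
                   "alert rule definition and a sample alert"),
    FeatureMapping("Login anomaly alerts", "DE.CM-7", Coverage.COMPENSATING,
                   "alert rule definition and a sample alert"),
]

# Constructed buyer requirement: the subcategories this program must satisfy.
BUYER_REQUIRED = ["PR.AC-1", "PR.AC-4", "PR.DS-1", "DE.CM-1", "DE.CM-7", "RS.AN-1"]


def unsupported_claims(mappings):
    """A claim with no evidence is a promise, not a mapping; return those so they can be rejected."""
    return [m for m in mappings if m.coverage is not Coverage.NONE and not m.evidence.strip()]


def gap_report(required, mappings):
    """Return {control_id: {"coverage", "features", "evidence"}} for every required control.

    Only evidenced claims count, the strongest coverage level per control wins, and
    claims about controls outside the buyer's required set are ignored.
    """
    rejected = set(unsupported_claims(mappings))
    report = {cid: {"coverage": Coverage.NONE, "features": [], "evidence": []}
              for cid in required}
    for m in mappings:
        entry = report.get(m.control_id)
        if entry is None or m in rejected or m.coverage is Coverage.NONE:
            continue
        if m.coverage.value > entry["coverage"].value:
            entry["coverage"] = m.coverage
        entry["features"].append(m.feature)
        entry["evidence"].append(m.evidence)
    return report


def summarize(report):
    """Count required controls by coverage level, e.g. {"none": 2, "compensating": 2, "full": 2}."""
    counts = {c.name.lower(): 0 for c in Coverage}
    for entry in report.values():
        counts[entry["coverage"].name.lower()] += 1
    return counts


def render(report):
    """Produce the one-page view a buyer wants to see before the first call."""
    lines = []
    for cid, entry in report.items():
        label = entry["coverage"].name.lower()
        feats = ", ".join(entry["features"]) or "-"
        lines.append(f"{cid:<9} {label:<13} {feats}")
    return "\n".join(lines)


if __name__ == "__main__":
    rep = gap_report(BUYER_REQUIRED, VENDOR_MAP)
    print(render(rep))
    print("summary:", summarize(rep))
```

Controls left at "none" (here PR.DS-1 and RS.AN-1) are the gaps the buyer still has to close elsewhere, and the "compensating" rows are the ones that need the written justification the text mentions for risks managed through an alternative strategy rather than the control as written.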

Compliance frameworks marketers and salespeople should learn:

Marketers, salespeople, and others involved in the sales process should familiarize themselves with several key frameworks that are prevalent in their industry or the industries of their target customers.

For those based in the US or targeting US-based companies, understanding regulations specific to their space is crucial. 

If you're dealing with publicly traded companies, familiarize yourself with the Securities and Exchange Commission (SEC) rules. 

In the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) reigns supreme.

In such regulated spaces, these rules serve as the ultimate guide until all requirements are met.

The NIST Cybersecurity Framework (CSF) sees a lot of adoption outside of the regulated space. 

It's an excellent tool for understanding cybersecurity risk management.

SOC 2 (Service Organization Controls) is another framework that many find useful for building robust programs. 

While it may have its critics, it can serve as the basis for a solid program if used correctly.

For those working with the defense industry or the US Department of Defense, NIST 800-171 and the Cybersecurity Maturity Model Certification (CMMC) are non-negotiable standards.

The Center for Internet Security's (CIS) controls are another excellent resource. 

They're tactical, operational, and offer great layering within them, making them ideal for on-the-ground, server room level activities.

However, larger frameworks such as those from the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO), while good for boardroom-level discussions, may lack the tactical detail found in CIS controls.

By understanding these various frameworks and standards, salespeople and marketers can better match their products and services to the needs and requirements of potential customers. 

This knowledge can make the purchasing decision easier for the buyer, ultimately improving the sales process.

What's the worst thing Brian experienced from a vendor?

The number one thing is just a time suck.

Brian's most negative experience with a vendor was characterized by a significant waste of time. 

Upon leaving the Department of Defense and taking on the role of CISO at a large insurance carrier, Brian was on the hunt for new Value-Added Resellers (VARs) to establish relationships with. 

He was looking forward to a smooth process, as he assumed these professionals would be eager to gain his business.

During a meeting, Brian took the time to meticulously whiteboard his strategy, spending four hours detailing exactly what he needed. 

He practically handed them the roadmap to selling him their services or products. 

However, at the end of this comprehensive session, they disregarded his stated needs and strategy, choosing instead to pitch their own agenda.

This complete disregard for his specific needs and the significant time he invested in explaining his strategy left Brian with a very negative impression of the vendor. 

It was a stark reminder that not all vendors prioritize the client's needs and circumstances, which is crucial for a successful business relationship.

What's one thing a vendor has done that has made Brian feel good?

During the same search for Value-Added Resellers (VARs), Brian had a far more positive experience with a vendor who took a different approach. 

This vendor was patient and focused, taking the time to listen to Brian's needs and objectives. 

He asked insightful questions to understand what Brian wanted to achieve and what type of product he was interested in.

This vendor was keen on understanding Brian's unique needs and situation rather than just pushing products or services he was good at selling. 

By taking this empathetic and consultative approach, the vendor won Brian's business.

People like this vendor, who prioritize understanding their client's needs over simply making a sale, leave a lasting impression. 

These are the individuals Brian would feel confident reaching out to for future business, even after leaving his current role and moving to a new company. 

They've built a relationship based on trust and understanding, proving that they are partners who can add real value in the long term.

Final advice from Brian

If you're considering a career in this industry, it's essential to fasten your seatbelt and truly understand what you're signing up for. 

Don't be in a rush to jump into a new role; instead, invest time in preparation. 

The better equipped you are before you embark on a new role, the more effective you'll be. 

Patience is your friend in this scenario.

Use any available time to grow and learn as much as possible. 

As Brian says, “There's so much more you can learn so when you do get that job, you'll be just kicking so much ass.”

Closing thoughts

Whether you're a vendor, marketer, product team member, or someone dreaming about a career in the cybersecurity industry, it's clear that understanding your clients or your job deeply can set you up for success. 

The key is to listen, learn, and adapt. 

Make it your mission to be the kind of professional who adds value through understanding and addressing real needs, rather than just making sales. 

Prepare yourself adequately, be patient, and when the right opportunity comes, seize it. 

You'll not only be successful in your role, but you'll also contribute to the betterment of the industry at large.
