A CISO's Security Vendor Bill of Rights

Thursday, October 20, 2011

Ron Baklarz



Now I know current economic times are tough. Budgets are tight and security spending is either down or flat. 

I also know that security product and service vendors have to make a buck during these difficult times as well.

However, below is a "top ten" list of annoyances I personally have with security vendors, codified in my security vendor "bill of rights":

10.  Please do not consider that we have a business relationship just because I made the mistake of signing up on your website for one of your shameless "whitepaper" studies. 

9.  Please do not consider that we have a business relationship because you found my profile on LinkedIn.

8.  If you are trying to sell me something, please do not try to "link up" with me on LinkedIn. 

7.  If you try to "link up" with me on LinkedIn, I'll ignore you or better yet, I'll indicate that I don't know you and you will earn a LinkedIn demerit.

6.  If you send me an unsolicited email, don't expect that I will contact you.

5.  If you send me an unsolicited email followed by a phone call, don't expect that I will call you back.

4.  You are smart people.  After 3, 4, 5, or more unreturned phone calls, you can probably figure out that I am not interested in your product or service.  QUIT CALLING!

3.  Please do not consider that we have a business relationship just because at the last security conference you gave me your company's logo pen that lights up in the dark and plays Darth Vader theme music.  I am not that cheaply bought!

2.  Please do not call me and tell me you were referred to me by the president of my company, my CIO, etc.  This "used car salesman" ploy will not work either.

1.  I've been around the block a few times and I know that your new, shiny "gee-whiz-bang" "whatchamacallit" widget probably will not cure all my information security ills.  If I have a problem to solve and you have a solid product or service that fixes the issue, I'll call you...

Brett Scott There can be no doubt that most "security companies" are simply brute force marketers. However, I doubt that you take time out of your day to research better security solutions. By failing to even consider new solutions (keeping the old ones that do not work), you are contributing to the stifling of innovation. That is bad for all of us. To argue that truly good solutions will simply rise to the top is naive. Marketing is essential to overcome buyers with horse blinders on. It is necessary since most "security professionals" will never even consider something until it is "mainstream". Innovation always comes from the smaller, un-heard of, players. Please do not add to the massive obstacles that they face every day.
Ron Baklarz Thanks for the feedback Brett – spoken like a true “security vendor”. I typically follow best practices and SDLC when seeking to make a security product or service procurement. That is to say we start with a problem that needs to be solved, develop requirements, and then put out an RFP. In this manner there is no stifling of innovation and any company can reply to the request.

As far as smaller “unheard of” companies, my experience is that some (not all) have great product ideas but frankly, the buyer winds up paying a premium price for a “beta” or even “alpha” version of the product. As far as considering new products, we all make our ways around the vendor areas at shows and conferences so there are ample opportunities for exposure to new products. I simply do not appreciate being called incessantly because I stopped at a booth. So, what are you selling?
Gwen Krauss What about making comments to a blog post just to get the attention of a CISO, is that considered a no-no as well? Jokes aside (you are not in my territory anyways), as a business development rep that routinely reaches out to CISOs, I have to say if calling and emailing didn't work, we wouldn't be here. So while some CISOs may spurn unsolicited contact, we have many engaging conversations through my outreach efforts, from which both CISO and security vendor gain value, which marks the beginning of a relationship. That being said, I agree with some of your points about incessant calling and attempting to connect on LinkedIn when there is no relationship.
Javvad Malik I think the points here are quite valid - but this is not just restricted to security vendors, you could be talking about any product or service vendor and would hold true. It's about overly-pushy sales and marketing tactics being employed.

Seth Godin's 'permission marketing' nails the problem and solution to this quite well. http://sethgodin.typepad.com/seths_blog/2008/01/permission-mark.html
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
