As an enthusiastic National Geographic fan, I am always amazed when I see those huge herds of gnus trying to run away from a hungry pack of lionesses. One obvious lesson I have learned is that you DON'T want to be the slowest one, but you do not need to be the fastest one either: as long as you don't stray from the herd, you are relatively safe.
The analogy is clear. In today's cyber security landscape, it does not matter how well protected you are in absolute terms. What matters is how well protected you are compared to the other potential victims that an attacker may be evaluating as we speak. It's all about how you measure up against the other enterprises in your domain.
This reasoning leads to some bad decision making. Why? All human beings are born equal, but enterprises are not; each has its own unique DNA (shaped in most cases by the enterprise's leadership and its specific business environment). If enterprises are not identical, then how come there is so little variance in the way they protect themselves?
Types of CISOs: “The Rebel”
Throughout my career I have met various types of CISOs, whom I will categorize here:
"The Rebel" or "The Evangelist" – They are the crème de la crème because they REALLY understand security. They intelligently analyze the specific threats to their enterprise and understand its strengths and limitations. They are highly capable of bridging the gap between the enterprise's inherent preference for making as few changes as possible (especially where security products are concerned) and engaging only with large, well-known vendors on the one hand, and the need to adopt new solutions on the other. "The Evangelist" understands that in order to lead the pack, they need to be agile, flexible and experimental, and to keep a close eye on emerging threats and on the companies that are mitigating them. Usually this comes with an eccentric personality and tons of charisma, which motivates the people around them. If you go out for dinner and he picks you up in a high-performance car, drives like crazy, and carries a knife for self-protection (and has the scars to back up his stories), then you have probably stumbled upon one of those CISOs. The main advantage of selling to the "Evangelist" is that once he understands (quickly) the value of your solution, he will make sure that the bureaucracy bends a little, even if you are a newly founded startup.
"The Follower" – In many cases they are friends of the "Rebels" (remember, the Rebels have tons of charisma). Once they see the solution working in the Evangelist's enterprise, they will seriously examine it, evaluate it, and in some cases even deploy it. They will never steer, but they will always join the ride. One must give them credit for not being set in their ways and for having an open mind. Usually the sales cycle will be longer than with the "Evangelist" and will require a more methodical evaluation process. There are many more "Followers" in our world than "Evangelists", so do not get this wrong.
"The Copycat" or "The Collector" – They are a large group, playing it safe and dutifully following whatever everyone else is doing, even if it does not make any sense for their enterprise. In contrast to the "Follower", they will not REALLY evaluate the solution, but they will make sure that the whole evaluation process is carried out to perfection. A contradiction? Yes, but let me try to explain with an example. One of my university professors, when confronted with the complaint that he was not sensitive to his students' difficulties, stood in front of his next class, covered his eyes and asked, "Are there any questions? Great, I don't see any, let's proceed." Got it?
Why "The Collector"? Surprisingly enough (or maybe not), because they lack the required level of professionalism, they will buy almost anything. They will have dozens of cyber security products, many of them either overlapping or contradicting one another. This allows them to give excellent answers to concerned management or board members, securing their jobs: "John, are we using evasive techniques?" "Well of course, we have just purchased XXX." "John, I read about this new technology that can predict whether someone is likely to be an internal abuser according to the colors of his clothes. Should we use it?" "Well of course, we have just purchased YYY!" "John, I was kidding...." In most cases the purchased solutions are good, but they are neither used nor integrated correctly. Having excellent ingredients does not guarantee a tasty cake. Selling to a "Collector" requires a continuous injection of EGO-boosters, as they expect you to be impressed by all their recent purchases and to praise their level of professionalism.
In summary, it's a brutal world out there, for CISOs and vendors alike. Going back to National Geographic, remember all those bird courtship films, where each male bird tries to look his best, showing off his colors and hoping to be chosen by the female? We all want our solutions to be deployed successfully and to dominate their market. Whether buyer or seller, we should always be respectful of each other; we all have a job to do.