{"id":14845,"date":"2025-09-24T07:06:19","date_gmt":"2025-09-24T07:06:19","guid":{"rendered":"https:\/\/newestek.com\/?p=14845"},"modified":"2025-09-24T07:06:19","modified_gmt":"2025-09-24T07:06:19","slug":"5-questions-cisos-should-ask-vendors","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14845","title":{"rendered":"5 questions CISOs should ask vendors"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Phone, emails, and LinkedIn messages \u2014 CISOs are flooded with vendors pitching their security products. Outreach attempts can be up to 30 a week. Whether it\u2019s a video call or in-office presentation, when CISOs do engage with a new vendor, a shortlist of key questions will help them assess the suitability of a potential new product.<\/p>\n<p>Several CISOs shared their top questions drawn from many years in the field and many, many pitch sessions.<\/p>\n<h2 class=\"wp-block-heading\" id=\"1-do-you-know-my-business\">1. Do you know my business?<\/h2>\n<p>When CISOs ask prospective vendors if they understand their organization\u2019s specific challenges, what they\u2019re really looking for is proof the vendor has done their homework. \u201cI want them to start with solutions for my organization\u2019s business problem, not a feature set or a generic issue faced elsewhere,\u201d says Amit Basu, CISO and CIO at International Seaways.<\/p>\n<p>With a growing portfolio of solutions, Basu wants to know right away how a new tool matches his needs and doesn\u2019t create tech bloat. 
\u201cA new product is relevant only if it clearly improves security, preferably replaces one or more existing tools, and addresses a real operational need,\u201d he explains.<\/p>\n<p>However, he finds too many vendor pitches emphasize \u2018magic\u2019 capabilities rather than showing how the tool solves security problems. \u201cI value clarity and honesty. If a tool solves two use cases well, that\u2019s stronger than a vague claim of solving twenty,\u201d he says.<\/p>\n<p>Holding both CISO and CIO roles, Basu is focussed on ensuring security is integral in any new technology and never an afterthought.<\/p>\n<p>\u201cYou cannot sell me a security product which is running on legacy technology that my technology stack won\u2019t be able to support. They must have seamless integration,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\" id=\"2-will-it-reduce-my-workload-add-value-or-improve-operations\">2. Will it reduce my workload, add value or improve operations?<\/h2>\n<p>A common starting point is to ask questions about how a new tool will reduce workload, minimize risk, improve resilience or simplify operations.<\/p>\n<p>Basu wants to know whether the product can consolidate capabilities instead of adding yet another point solution. \u201cWithout that, each tool only secures a narrow slice while driving up cost and adding maintenance burdens,\u201d he tells CSO.<\/p>\n<p>However, Hydrolix CISO Joshua Scott is wary of the big sell on new tools that create more alerts and increase the workload. \u201cToo often I see products that seem like they\u2019re going to provide value but end up becoming noise generators, like vulnerability discovery tools or other scanning tools, and all it\u2019s doing is creating more work for the team.\u201d<\/p>\n<p>In some cases, there\u2019s too much technical detail and not enough problem solving. 
CISOs would be better served with tailored pitches rather than a one-size-fits-all style.<\/p>\n<p>\u201cThe best pitches are hyper-focused on the problems the organization is trying to solve, not generic or filled with unnecessary details,\u201d says Scott. \u201cAnd the fewer slides the better. Get straight to the point of how you\u2019re going to show value and how you\u2019re going to reduce work for me.\u201d<\/p>\n<p>Scott\u2019s questions centre on reducing risk, improving resiliency, assessing business impact, and balancing security with business considerations. This wasn\u2019t always the case, but his approach has matured to become more business-focused. \u201cEarly on, I wasn\u2019t asking those kinds of questions and you can end up with a very technical, shiny new object, but it doesn\u2019t solve a problem \u2014 and that\u2019s what we\u2019ve got to focus on,\u201d Scott says.<\/p>\n<h2 class=\"wp-block-heading\" id=\"3-whats-the-integration-and-ongoing-maintenance-burden\">3. What\u2019s the integration and ongoing maintenance burden?<\/h2>\n<p>Couchbase CISO Vasanth Madhure evaluates new tools by asking about not just license costs, but also implementation, training requirements, and the learning curve for the InfoSec team.<\/p>\n<p>Before considering adoption, Madhure wants to understand the time and effort required to configure and run the product. \u201cSome products are pretty straightforward, but others require a lot of configuration,\u201d he tells CSO.<\/p>\n<p>Knowing whether updates are automatic or manual is critical, since ongoing maintenance directly affects workload. Madhure values tools that provide clear, actionable reporting and dashboards, particularly those that help track the maturity and progress of the security program.<\/p>\n<p>He also wants to know if certain features require additional cost because that changes the product\u2019s value and ROI. 
\u201cWe don\u2019t want to go ahead with the product and then be told we need to purchase an additional enterprise version or another product for a feature to work.\u201d<\/p>\n<p>When choosing new vendors, Madhure and his team try to come up with a complete list of questions and then compare how well vendors fare. Yet there are still things that this process won\u2019t capture. \u201cWe try to anticipate most of the questions, but there\u2019s always a few we\u2019re not able to identify upfront.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"4-what-is-your-update-cycle-and-can-i-be-involved-in-shaping-product-design\">4. What is your update cycle and can I be involved in shaping product design?<\/h2>\n<p>Scott asks vendors about their update cycles, including how frequently they release updates and respond to new threats or changes in the industry. \u201cI want to understand how vendors stay up to date with new frameworks, regulations, and security challenges, especially in fast-changing areas like vulnerability scanning or GRC.\u201d<\/p>\n<p>Scott also wants to know about integration and whether the tool is fully cloud or has on-premises or hybrid components, which is especially relevant for a cloud-native company. He\u2019s added questions about how the vendor is using AI and how they\u2019re handling data.<\/p>\n<p>\u201cWe want to ensure that our intellectual property and anything we\u2019re putting in there isn\u2019t being used to train third- and fourth-party vendors,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\" id=\"5-can-you-provide-real-world-use-cases-and-validate-claims\">5. 
Can you provide real-world use cases and validate claims?<\/h2>\n<p>Seasoned CISOs ask vendors for specific examples about how their tool addressed similar problems to the ones they\u2019re tackling.<\/p>\n<p>\u201cMapping to established frameworks such as NIST CSF or MITRE ATT&amp;CK is useful, but what matters more is evidence of outcomes \u2014 enhanced protection, reduced detection time, faster response, or lower cost,\u201d Basu says.<\/p>\n<p>In one memorable pitch, the vendor demonstrated all the features Madhure was looking for and was extremely knowledgeable about the product when answering their questions. \u201cHe was able to answer them or provide direction about how it addressed our pain points. They\u2019d done their market research and knew the types of issues we faced.\u201d<\/p>\n<p>Scott prefers live demos to be sure the tool isn\u2019t vaporware or let down by a poor interface or clunky functionality. He also asks prospective vendors how other organizations are using their tool and shares questions from his team who will be hands on.<\/p>\n<p>\u201cCISOs may understand at a high level why it\u2019s going to provide value, but there may be some technical detail we overlooked or something the person on the ground will have a better understanding of,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\" id=\"watch-out-for-these-red-flags\">Watch out for these red flags<\/h2>\n<p>CISOs all admit there are certain red flags that are an immediate turn off in a pitch session. One of the big ones is vague or outlandish claims. \u201cDon\u2019t throw around confusing jargon or make inflated claims about why your solution will solve all my problems so I can sleep well at night,\u201d says Basu.<\/p>\n<p>Dialing up the panic is a huge turn off for Madhure. 
\u201cWhen they use the FUD, fear, uncertainty, and doubt, approach that\u2019s a red flag,\u201d he says.<\/p>\n<p>Referencing a company incident as a sales tactic feels like \u201cambulance chasing\u201d and is unwelcome. \u201cThey never hit the mark and aren\u2019t appropriate as the security community prefers to support each other rather than exploit tough situations,\u201d says Scott.<\/p>\n<p>Buzzwords are a big no. \u201cWhen vendors use buzzwords in pitches or demos without actually supporting those features, it can be misleading. Because of our technical background, we can see through them,\u201d says Madhure.<\/p>\n<p>Vendors unwilling to accept feedback on their pitches can signal challenges for working in partnership.<\/p>\n<p>\u201cThere\u2019s been times I\u2019ve said they should work on their pitch \u2014 keep it a little bit tighter or focused on the actual problem. Some of them take it well, and some of them don\u2019t,\u201d says Scott.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Phone, emails, and LinkedIn messages \u2014 CISOs are flooded with vendors pitching their security products. Outreach attempts can be up to 30 a week. Whether it\u2019s a video call or in-office presentation, when CISOs do engage with a new vendor, a shortlist of key questions will help them assess the suitability of a potential new product. 
Several CISOs shared their top questions drawn from many&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14845\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14845","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14845","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14845"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14845\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14845"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14845"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14845"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}