Aug 13, 2020
All links and images for this episode can be found on CISO Series.
Do security vendors deliver on their claims and, heck, are they even explaining what they do clearly so CISOs actually know what

See this post and the Valimail survey, the basis of our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, Allan Alford (@allanalfordintx), and guest Lee Parrish.
Thanks to this week's podcast sponsor, AttackIQ.

AttackIQ, the leading independent vendor of breach and attack simulation solutions, built the industry's first Security Optimization Platform for continuous security control validation and improving security program effectiveness and efficiency. AttackIQ is trusted by leading organizations worldwide to plan security improvements and verify that cyberdefenses work as expected, aligned with the MITRE ATT&CK framework.
On this episode of Defense in Depth, you'll learn:
- Of those surveyed by Valimail, a third to a half didn't believe that vendors did a good job of explaining what their product does, that the product actually performed as claimed, or that there was any way to actually measure that performance.
- Many questioned those numbers because they feel many security buyers still fall for security vendors' boastful claims. Both can actually be true.
- Stunned behavior at a trade show is not an indicator of knowledge or of susceptibility to vendor pitches.
- When you're under the gun as a security professional to produce results, you often become a victim of security vendor claims because you want to deliver on demands from the business.
- By nature, CISOs should be skeptical about vendor claims and about information within their own environment.
- There's a battle between those vendors truly trying to deliver
value and those who are using their marketing savvy to sway
- Don't place all the blame on the vendors. CISOs still have trouble understanding their requirements, risk, and priorities. Many are guilty of engaging in "random acts of security".
- Claims can often be more trustworthy if the vendor is willing to explain what they can't do.