A new CISO-level survey being conducted by Merritt Group and T.E.N. (publishing in April) asks CISOs how they buy InfoSec products, what influences their buying decisions and how they learn about products.
Interestingly, none of the questions ask about the CSO's most important influencers: the hands-on engineers, architects and admins who provide feedback to the C-level about the tools and platforms they like and those that don't work for them.
Waste of Time
Often, selling directly to a C-level is a waste of time for both the seller and the C-level, says Sonny Sarai, SANS analyst and GIAC advisor who has worked on evaluations and procurements.
"A CISO and the vendor may get through all the stages of procurement, but once the tool gets to evaluation, it is determined that the tool is unsuitable for the everyday needs of the organization," Sarai says. "This determination is usually made by the architects and engineers who configure and use the tools."
Not to mention, there aren't enough InfoSec C-levels to go around. For example, 44% of organizations don't have a top executive focused solely on InfoSec, according to CIO magazine's 2019 State of the CIO Survey. For large organizations with $5B or more in revenues, that number actually gets worse: 74% don't have a dedicated top security executive.
My guess for this disparity is that the largest organizations probably have multiple security directors or CISOs running their own fiefdoms within the organization. However, a Bitglass study (rather than a survey) of actual business practices shows that only 38% of the Fortune 500 have designated CISOs.
Heads on the Block
Over the years in this industry, some things never change. This failure to recognize the lower-level IT influencer is one of them. Another thing that doesn't change is the C-level aversion to vendor sales and marketing.
Many of my C-level friends and associates say they dodge vendors whenever they can because the tools they're pitching are irrelevant or redundant. A salesperson should know this before bothering the C-level.
InfoSec executives also say they're hard on their vendors because, if a tool doesn't work, it's their head on the chopping block. This is another reason why executives rely on their hands-on influencers when making their buying decisions.
"The decision maker/influencer/SME divide can lead to trouble," explains Stephen Northcutt, founding president of the SANS Technology Institute (STI) and the SANS GIAC Certifications program. "As an executive I know to listen to my smart people. As long as I believe the solution is directionally correct, I am going to rely on my smart people to make final recommendations."
Shameless SANS Promotion
To find out what security tools and platforms organizations are spending on (and why), tune in to our upcoming webcast where SANS will release results of the SANS Spends and Trends survey: Jan. 29 at 1 p.m. EST.