It helps startups striving to meet the ever-evolving needs of CISOs, who are simultaneously seeking the elusive but paramount buy-in from business users and executives. The CISO role has evolved dramatically in the past few years in response to changes driven by market fluctuations, COVID-19 ramifications, boards' increased cybersecurity awareness, and technology's evolution. As CISOs adjust to their fluid environment, it has become increasingly important to evaluate how these changes impact the relationship between CISOs and their vendors. I discussed these and other trends with a formidable group of CISOs and security entrepreneurs: Mandy Andress, CISO, Elastic; Sounil Yu, CISO and Head of Research, JupiterOne; Frank Kim, CISO-in-Residence, YL Ventures; Yoni Shohet, CEO and co-founder of Valence Security; and Meny Har, CEO and co-founder of Opus Security.

Change Is a Constant

Keeping up with emerging threats and their potential solutions is vital, and Mandy insists CISOs should hone their curiosity, focus on learning, and be ready to pivot at a moment's notice.

Communication Is a Key Skill

New threats aren't the only changes that CISOs must contend with. CISOs must be able to coherently communicate, and startups should help them do so. "We need to think about how we tell the story of what we're doing, how it's aligned with and supporting the business startups can help security leaders by translating tech into a picture that makes sense."

"Startups should focus on that and address their solution to the exact problem CISOs want to solve. A tool like the Cyber Defense Matrix is a useful mechanism for engaging with vendors, creating a common baseline and fostering communication."

"There's a lot more openness to innovation and the startup mentality. There are new, emerging threats and sectors that early-stage startups have specialized expertise in, which can bring value to CISOs. CISOs have their specific issues that larger vendors may not try as hard to resolve. Smaller startups are better poised to address emerging security threats and can provide solutions that are probably more cost-effective, which is crucial in the current market environment." Yoni adds, "With an ever-changing threat landscape, CISOs rightfully demand to be up to date about what they need to protect against now and in the future, and startups are at the forefront of this environment."

Frank also notes the human factor as a pivotal element in the relationship between startups and CISOs. "As a CISO, I can pick up the phone and buy whatever product I want, but the keyword in my eyes is collaboration. Certainly, the cost is important, and threat defense is important, but a strong partnership between the vendor and the security team and CISO is a critical factor in the success or failure of deployment."

Cost Isn't the Only Priority, but It's a Big One

As budget pressures across the market have evolved from rumors to realities, startup founders are refining their focus to accommodate the new CISO mindset and priorities. Frank adds, "It's not only about the cost. CISOs assess the team's ability to execute with the product and want to ensure that there's stakeholder support and business value, so startups must keep these considerations in mind as well."

Both Yoni and Meny mention return on investment as a critical selling point for vendors and a strong priority for CISOs. "The CISO has to be able to easily measure the product's ROI and communicate it internally to justify the investment," Yoni says. "At Valence, we knew we had to focus on a broad enough landscape in order to achieve that, so we expanded beyond SaaS security to a more holistic cybersecurity platform, helping CISOs justify their choice by buying one platform with good coverage instead of five." Meny sums it up nicely: "If you can't deliver actionable value immediately, you won't be able to sell."

With threats compounding and as CISOs find themselves in the center of global events with political, legal, and technological repercussions such as the SEC's SolarWinds investigation, organizations will be forced to re-examine their approach to security in general. "CISOs aren't yet considered C-level executives," says Frank. "We don't like to be the ones business leaders search for when there's a problem - we want to be at the table when the problem arises. That's still the transition that a lot of organizations are making, not just security leaders, but organizations trying to understand how to best position the CISO for success."

This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000