Hundreds of cybersecurity companies vie for attention from chief information security officers through email solicitations, cold calls and tech conferences.
Here are five strategies corporate security chiefs use to weed out unsuitable cyber providers.
“As a CISO, the deluge of marketing and solicitation from cybersecurity startups was intense,” said Jerry Perullo, a cybersecurity management advisor who was CISO of New York Stock Exchange owner Intercontinental Exchange Inc. for 20 years until leaving the post in 2021. At one point, he counted all the emails that had been blocked by filters he had set up to find he received more than 120 solicitations a day.
He had a category defined in his filtering tools for these types of messages, which his company dubbed “UCE,” or “unsolicited commercial email.” Since these emails weren’t malicious and often dealt with relevant topics, fine-tuning the filtering system was important, Mr. Perullo said. One tool was to block any email he received with the word “whitepaper” in the subject, he said.
Anne Marie Zettlemoyer, chief security officer for Palo Alto, Calif.-based CyCognito Ltd., which provides cyber-risk-assessment tools, said she is more inclined to read emails with a warm introduction, or those from vendor representatives who follow up based on the interest she has expressed. Certain emails she deletes almost immediately.
As vice president of security engineering at Mastercard Inc. until earlier this summer, she got many generic emails aimed broadly at financial-services executives, with some that addressed her as “Dear Buyer.” Other automatic turnoffs were vendor agents who sent calendar invitations without having spoken to her and those who called her on a nonwork number.
Pursue versus being pursued
CISOs often like to be in the driver’s seat when it comes to finding vendors. For Ryan Heckman, assistant director of identity and access management governance at Principal Financial Group Inc., vendor selection is a continuous process to ensure his team’s capabilities align with the ever-changing threat landscape. Mr. Heckman was until late July cybersecurity director at Iowa-based convenience store chain Casey’s General Stores Inc. He recalled that during a recent evaluation of capabilities and needs at Casey’s, he wanted to get a handle on industry products that could be useful add-ons for the company, so he did some window shopping at last summer’s Black Hat USA conference. By talking to vendors about the company’s requirements, he was able to narrow it down to about a half-dozen options that he could then research on his own and run by peers.
In the following months, Mr. Heckman’s team of cyber specialists tested various platforms and assessed each against the known attack vectors at the time. Some products were found to affect the end-user experience and were quickly eliminated. Others performed well, requiring further examination of integration and administrative overhead to narrow the field, he said. This hands-on approach, coupled with open-forum peer discussion with others in retail, led to the final product selection, Mr. Heckman said.
Ellen Benaim, CISO at Templafy ApS, a Denmark-based cloud-based content-management platform, was bombarded with emails after the Log4j bug emerged late last year. She waited to respond until about two weeks later, when she had secured the budget and resources to evaluate vendors. In the meantime, Ms. Benaim said, the company addressed its Log4j vulnerabilities on its own, and started looking for a supplemental tool.
Her vendor research included using CISO forums. One fellow CISO who used an open-source vulnerability-scanning tool demonstrated it for her and discussed hiccups the company had experienced with a different solution they used to work with. “That kind of experience is invaluable,” she said. Templafy has since implemented the tool demonstrated by the other CISO.
Partners, not transactions
Once they narrow the pool to one or two contenders, security chiefs said the final vetting process considers factors such as price and the ability to customize services and tools, plus the vendor’s own security practices and financial soundness. Vendors that make the cut are often willing to adapt to fit a customer’s needs, said Chris Castaldo, CISO at Philadelphia-based tech company Crossbeam Inc., which helps companies find new business partners and customers.
“You can tell when someone is really passionate about making your problem their problem to solve,” he said.
One way to weed out vendors is to discount those that come off as cagey, don’t provide information requested or are just plain sloppy, Ms. Zettlemoyer said. It’s important for vendors to understand what a customer wants and avoid careless mistakes, she said. One vendor didn’t personalize a pitch, showing her materials prepared for a different company. “It sounds basic, but [some] vendors miss the mark,” she said. “With security, there are 3,000 vendors and nobody is really irreplaceable.”
Write to Cheryl Winokur Munk at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.