EXECWEB
Straight from Fortune 500 CISOs
What Goes Into Onboarding New
Cybersecurity Vendors
Execweb Ambassadors
Discussion Panelists
Kenneth Foster, VP of IT Governance, Risk & Compliance (Fleetcor)
Bradley Schaufenbuel, CISO (Paychex)
Steve Zalewski, Ex-CISO (Levi Strauss)
David B. Cross, VP & CIO (Oracle)
Rick Doten, VP Information Security (Centene)
Overview
This is a Q&A compilation of a webinar organized by Execweb on
the topic: Unlocking the Secrets of Enterprise Cybersecurity
Vendor Onboarding. This guide empowers CISOs and vendors
with essential knowledge and strategies for vendor onboarding.
CISOs can gain insights on effort levels, preferred vendors, and
brand impact, streamlining the process and ensuring trusted
solutions. Vendors can learn about CISO priorities, address
concerns, and foster successful partnerships.
Topics of Discussion
Buying a POC vs Buying a solution
Role of Vendors in the onboarding process
Hiring a well-established vs a start-up
Brand image of vendor and its impact
Going with the preferred seller for fast onboarding
Question 1
What is the level of effort required for onboarding a new
vendor and does it differ between buying a solution vs conducting a
proof-of-concept (POC)?
Rick Doten
VP Information Security (Centene)
Whether it's a POC or a purchase, we still need to go through a service
design. This involves defining the budget, including human resources,
and creating a timeline.
A project manager is assigned, and it goes to a steering committee for
approval at the end of the quarter. Implementation can take a long
time; even a POC installation can take up to a year, due to engagement
from different groups within the company.
Then there are variables such as budget allocation, i.e., can this thing
wait till the next year? Sometimes the process may go dark for a while
and then resurface, requiring a rush to finish it up. That's the reality.
The onboarding process, whether for a POC or a
purchase, involves service design, budgeting, timeline
creation, and stakeholder engagement flexibility.
Bradley Schaufenbuel
CISO (Paychex)
The procurement process varies significantly based on the vendor's
interaction, including factors such as the markup in the contract and the
speed at which they pass our vendor security review. The duration can
range from a few weeks to several months depending on the level of
access and data involved in the process.
If the POC doesn't have to interface with production systems and
sensitive data, we can get it through a lot quicker. However, what's
crucial in our organization is internal alignment.
With a large IT department of 2200 individuals, implementing a security
product involves aligning resources across multiple teams, which can
take time. The vendor has no control over this aspect.
If the POC doesn't have to interface with production
systems and sensitive data, we can get it through a lot
quicker.
Steve Zalewski
Ex-CISO (Levi Strauss)
If no money crosses hands, we can bring the company in relatively quickly
simply by signing the NDA.
When we start talking about the money, then the formal process kicks
in. 3-9 months to get through the process, depending upon the
skillfulness I have and the redlines put in paperwork by the vendor.
The more redlines a vendor puts in, the more time it will take to get it
approved by legal. So the vendors who are reluctant to accept what
I offer and put redlines in the document have to wait anywhere between
2 to 4 months.
The onboarding process can be expedited by signing an
NDA, but when money gets involved, it results in
extended approval times.
David B. Cross
VP & CIO (Oracle)
Building upon Steve's points, there are two key considerations in
differentiating a POC from a full implementation: whether it is in a test
environment or a production environment, as this affects the pace of
progress.
Additionally, the average time for onboarding a new vendor falls within
the three to six-month timeframe due to factors such as evaluating the
architecture, ensuring compliance, and addressing overall
implementation complexities.
While a three-month timeframe might be overly optimistic, a realistic
estimate would be around six months.
Implementation pace varies based on the environment
and onboarding new vendors or products takes three to
six months, considering various factors.
Kenneth Foster
VP of IT Governance, Risk & Compliance (Fleetcor)
Alignment between the security team and the vendor is crucial, as
security personnel often lack the necessary permissions to freely install
software or make changes to their systems.
Regardless of whether the POC is conducted in a non-production or
production environment, it still poses security risks so there is not much
difference for me when it comes to implementing POCs.
Security permissions restrict software installation and
system changes, making the implementation of POCs
similar regardless of the environment.
Question 2
How can vendors proactively streamline the onboarding process
for CISOs, ensuring a swift and seamless experience?
Rick Doten
VP Information Security (Centene)
Vendors need to understand that gaining the support of the CISO or
other high-level executives may not be effective.
These executives are often part of a committee that evaluates and
approves new services or solutions. The end-users will make the final
decision. If they find value in the product or service, they will advocate
for it and drive adoption within the organization.
Thus, vendors should prioritize reaching out to product users and
gathering their support.
Vendors should prioritize end-user support to drive
adoption within organizations, rather than relying solely
on high-level executives.
David B. Cross
VP & CIO (Oracle)
Having comprehensive documentation is essential to address the
concerns of various stakeholders, such as compliance and audit teams,
corporate architecture personnel, and others.
By providing a comprehensive package of documentation that answers
anticipated questions, the onboarding and decision-making process can
be streamlined, minimizing the need for back-and-forth
communication.
Comprehensive documentation addresses stakeholder
concerns, streamlines the onboarding process, and
minimizes the need for extensive communication.
Bradley Schaufenbuel
CISO (Paychex)
It is crucial for vendors to invest time in understanding the onboarding
process. Many vendors overlook this step and end up facing unexpected
phases.
By familiarizing themselves with the process from the beginning,
vendors can avoid surprises and have a clear understanding of what
they will go through.
Understand the onboarding process to avoid unexpected
phases and gain a clear understanding of what they will
encounter.
Steve Zalewski
Ex-CISO (Levi Strauss)
It's important to note that engaging in POC doesn't automatically imply
an immediate purchase. Often, a POC is conducted to evaluate and
validate a solution before considering it for the following year's budget.
The purpose is to assess factors such as cost, business process impact,
and potential challenges.
The procurement process is typically faster than the CISO's
decision-making process, which involves aligning various stakeholders and
assessing reputational risks for both parties involved.
A POC doesn't guarantee an immediate purchase, as
vendors should recognize the longer decision-making
process and involvement of stakeholders.
Question 3
What are the differences in the procurement process when hiring
a well-established vendor compared to a start-up?
Rick Doten
VP Information Security (Centene)
When it comes to risk assessment in vendor selection, there are several
factors to consider.
Firstly, the vendor's long-term viability is evaluated, ensuring they have
the capacity to support the organization's needs. Secondly, scalability
is important, as the vendor should be capable of growing alongside the
organization without compromising service quality. Thirdly, there is the
risk of them being acquired, as certain acquisitions may lead to conflicts or
restrictions in contractual agreements.
A thorough risk assessment is also conducted, which may involve
requesting source code escrow for contingency purposes.
While the process remains the same, we get more
meticulous with gauging new firms' scalability, viability,
and risk of them getting acquired.
Bradley Schaufenbuel
CISO (Paychex)
We evaluate whether they have the necessary financial resources to
provide support not only in the present but also in the future, such as a
year or three years down the line.
This is less of a concern when working with major cybersecurity
companies, as their financial status is publicly traded and can be
reviewed with ease.
In contrast, startups often lack sufficient financial data for us to assess
their viability. This discrepancy in financial resources and track record is
a significant factor we consider when evaluating vendors.
Viability is a key consideration in our risk management
process, with a particular focus on startups that may face
challenges in proving long-term support capabilities.
David B. Cross
VP & CIO (Oracle)
On the other hand, larger vendors with a strong market presence often
have established documentation and protocols in place. The
procurement and risk assessment processes differ in these cases due
to the varying levels of familiarity and available documentation.
While startups require more scrutiny and assessment, well-established
vendors may already have a more extensive track record and
documented security measures, impacting the evaluation process
accordingly.
Third-party assessment tools help evaluate the risks of
smaller companies, while established vendors have
documented security measures.
Steve Zalewski
Ex-CISO (Levi Strauss)
Young companies may offer more affordable solutions, even if they
come with certain risks. As a vendor, understanding that your size can
be seen as both a strength and a weakness is important.
Tailoring your pricing and risk considerations accordingly can help meet
the needs of cost-conscious organizations. Furthermore, organizations
often turn to young companies to explore alternative approaches and
tap into emerging capabilities.
For these and similar other reasons, sometimes we are more willing to
work with an emerging start-up than an established vendor.
Engaging with young companies can offer cost-effective
solutions and allow us to leverage their unique strengths
to address specific challenges.
Question 4
What factors influence the brand image of a vendor and
what is its importance when deciding to work with a vendor?
Kenneth Foster
VP of IT Governance, Risk & Compliance (Fleetcor)
As a CISO, I prioritize trust in real-world experiences and the
recommendations of professionals within my network over relying
solely on industry reports or evaluations.
The opinions and firsthand experiences of trusted individuals hold more
weight than brand recognition or industry accolades. Reputation is
paramount in the cybersecurity community, and even the most highly
acclaimed products can be overlooked if they have garnered a negative
perception among our network.
I prioritize real-world experiences and trusted
recommendations from my network over industry
reports.
Rick Doten
VP Information Security (Centene)
When it comes to industry reports like Gartner, they hold little value for
me personally. I rely on real-world examples and feedback from actual
users or trusted sources who have hands-on experience with the
products or services.
The brand name itself carries minimal weight compared to the actual
quality of the tool and the people supporting it. I'm not interested in
buying a name; I'm interested in investing in a tool that aligns with my
business needs and has a reliable support system behind it.
The strength of the relationship with a vendor is of
utmost importance.
David B. Cross
VP & CIO (Oracle)
Industry reports provide valuable perspectives that can help broaden
our understanding of vendors and their offerings. However, it's
important to remember that this is just one piece of the puzzle.
The second aspect is the input and experiences of our internal team
members who are stakeholders in the decision. Their firsthand
experiences, both within our current company and from previous
organizations, help us understand the practical implications of working
with specific vendors.
Lastly, peer recommendations and experiences also play a crucial role
in reaching a decision.
I prefer leveraging industry reports, internal team input,
and peer recommendations to build a perception of
vendors' brand image.
Steve Zalewski
Ex-CISO (Levi Strauss)
With the increasing number of vendors vying for our attention, the
traditional POC process has become less prevalent. Instead,
relationships play a more crucial role in our decision-making.
When we have a specific need, we turn to our peers who have recently
deployed similar solutions. Their positive experiences with certain
vendors can quickly propel those vendors into the final selection stage,
even without them actively participating in a competitive POC process.
Reputation and word-of-mouth have become vital factors in vendor
selection. In some cases, I may even rely on third-party assessments if
the vendor has already been pre-qualified through trusted
recommendations.
CISOs rely more on trusted peer recommendations than
traditional POC processes for vendor onboarding.
Bradley Schaufenbuel
CISO (Paychex)
Brand recognition does have some significance in the decision-making
process, especially when communicating to the executive team and
board.
When introducing a new vendor or solution, having a well-known brand
name can provide a level of credibility and familiarity that eases the
concerns of key stakeholders. A recognized brand name often carries a
sense of trust and can help alleviate potential skepticism or doubts.
Brand recognition carries significance in the decision-
making process, providing credibility, familiarity, and
trust when introducing new vendors to key stakeholders.
Question 5
How common is it to utilize preferred resellers to expedite
the on-boarding process?
Rick Doten
VP Information Security (Centene)
While utilizing preferred resellers can sometimes streamline the
onboarding process, the involvement of the IT group in tasks such as
system setup, credential management, server design, and port
configuration can still be a significant factor that determines the overall
efficiency of onboarding, potentially outweighing the benefits of using a
preferred reseller.
It depends!
Steve Zalewski
Ex-CISO (Levi Strauss)
Having a single point of contact for procurement and legal matters is
increasingly becoming a strategic approach, as companies often lack
sufficient resources in those areas, and it expedites the deal closure
process.
Preferred vendors are sought after for smoother paperwork handling,
especially when understanding the procurement process and pre-
signed NDAs are already in place.
Additionally, being aware of deal sizes can be advantageous, as deals
under a certain threshold may bypass lengthy procurement or legal
processes, allowing for faster execution.
Preferred vendors streamline paperwork and expedite
deal closure.
David B. Cross
VP & CIO (Oracle)
The decision to utilize preferred vendors for onboarding depends on the
specific situation, as in the case of exploring a new specialized area or
technology where the internal team lacks experience.
In such instances, leveraging preferred vendors for additional
Professional Services or system integration can be an optimal choice to
ensure smooth deployment and implementation.
Yes, if I feel that the internal team lacks audit abilities.
Execweb
www.execweb.com
contact@execweb.com
Long Island City, NY 11101
@execweb7337
CISO Executive Network

More Related Content

Similar to What Goes Into Onboarding New Cybersecurity Vendors

TierPoint White Paper_With all due diligence_2015
TierPoint White Paper_With all due diligence_2015TierPoint White Paper_With all due diligence_2015
TierPoint White Paper_With all due diligence_2015sllongo3
 
With-All-Due-Diligence20150330
With-All-Due-Diligence20150330With-All-Due-Diligence20150330
With-All-Due-Diligence20150330Jim Kramer
 
Navigating the SOC 2 Certification Maze: What You Need to Know
Navigating the SOC 2 Certification Maze: What You Need to KnowNavigating the SOC 2 Certification Maze: What You Need to Know
Navigating the SOC 2 Certification Maze: What You Need to KnowShyamMishra72
 
Pharmacovigilance Smart Sourcing Strategy: Vendor Selection for Safety & Risk...
Pharmacovigilance Smart Sourcing Strategy: Vendor Selection for Safety & Risk...Pharmacovigilance Smart Sourcing Strategy: Vendor Selection for Safety & Risk...
Pharmacovigilance Smart Sourcing Strategy: Vendor Selection for Safety & Risk...Covance
 
Streamline Compliance and Increase ROI White Paper
Streamline Compliance and Increase ROI White PaperStreamline Compliance and Increase ROI White Paper
Streamline Compliance and Increase ROI White PaperNetIQ
 
Business Intelligence Productionization
Business Intelligence ProductionizationBusiness Intelligence Productionization
Business Intelligence ProductionizationDavid Moore
 
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Happiest Minds Technologies
 
SOC 2 for Startups – A Complete Guide
SOC 2 for Startups – A Complete GuideSOC 2 for Startups – A Complete Guide
SOC 2 for Startups – A Complete GuideBrielle Aria
 
Why should I do SOC2?
Why should I do SOC2?Why should I do SOC2?
Why should I do SOC2?VISTA InfoSec
 
Verizon 2014 pci compliance report
Verizon 2014 pci compliance reportVerizon 2014 pci compliance report
Verizon 2014 pci compliance reportBee_Ware
 
Verizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance ReportVerizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance Report- Mark - Fullbright
 
Outsourcing product development introduction
Outsourcing product development introductionOutsourcing product development introduction
Outsourcing product development introductionsuryauk
 
Towards a Trustmark for IoT (April 2018)
Towards a Trustmark for IoT (April 2018)Towards a Trustmark for IoT (April 2018)
Towards a Trustmark for IoT (April 2018)Peter Bihr
 
Sox Compliance Presentation
Sox Compliance PresentationSox Compliance Presentation
Sox Compliance PresentationSkye Rogers
 
B2B Marketing Outsourcing and B2B Sales Outsourcing Companies
B2B Marketing Outsourcing and B2B Sales Outsourcing CompaniesB2B Marketing Outsourcing and B2B Sales Outsourcing Companies
B2B Marketing Outsourcing and B2B Sales Outsourcing CompaniesFulcrum Resources
 
Problem And Purpose Of A Project
Problem And Purpose Of A ProjectProblem And Purpose Of A Project
Problem And Purpose Of A ProjectChristina Valadez
 
Lew Cirne, FS16 Keynote [FutureStack16]
Lew Cirne, FS16 Keynote [FutureStack16] Lew Cirne, FS16 Keynote [FutureStack16]
Lew Cirne, FS16 Keynote [FutureStack16] New Relic
 

Similar to What Goes Into Onboarding New Cybersecurity Vendors (20)

TierPoint White Paper_With all due diligence_2015
TierPoint White Paper_With all due diligence_2015TierPoint White Paper_With all due diligence_2015
TierPoint White Paper_With all due diligence_2015
 
With-All-Due-Diligence20150330
With-All-Due-Diligence20150330With-All-Due-Diligence20150330
With-All-Due-Diligence20150330
 
Navigating the SOC 2 Certification Maze: What You Need to Know
Navigating the SOC 2 Certification Maze: What You Need to KnowNavigating the SOC 2 Certification Maze: What You Need to Know
Navigating the SOC 2 Certification Maze: What You Need to Know
 
Pharmacovigilance Smart Sourcing Strategy: Vendor Selection for Safety & Risk...
Pharmacovigilance Smart Sourcing Strategy: Vendor Selection for Safety & Risk...Pharmacovigilance Smart Sourcing Strategy: Vendor Selection for Safety & Risk...
Pharmacovigilance Smart Sourcing Strategy: Vendor Selection for Safety & Risk...
 
Streamline Compliance and Increase ROI White Paper
Streamline Compliance and Increase ROI White PaperStreamline Compliance and Increase ROI White Paper
Streamline Compliance and Increase ROI White Paper
 
Business Intelligence Productionization
Business Intelligence ProductionizationBusiness Intelligence Productionization
Business Intelligence Productionization
 
Information Security
Information SecurityInformation Security
Information Security
 
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
Whitepaper: Moving to Clouds? Simplify your approach to understand the risks ...
 
cco solutions.pptx
cco solutions.pptxcco solutions.pptx
cco solutions.pptx
 
SOC 2 for Startups – A Complete Guide
SOC 2 for Startups – A Complete GuideSOC 2 for Startups – A Complete Guide
SOC 2 for Startups – A Complete Guide
 
Why should I do SOC2?
Why should I do SOC2?Why should I do SOC2?
Why should I do SOC2?
 
Why Is It So Hard to Trust a Blockchain?
Why Is It So Hard to Trust a Blockchain?Why Is It So Hard to Trust a Blockchain?
Why Is It So Hard to Trust a Blockchain?
 
Verizon 2014 pci compliance report
Verizon 2014 pci compliance reportVerizon 2014 pci compliance report
Verizon 2014 pci compliance report
 
Verizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance ReportVerizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance Report
 
Outsourcing product development introduction
Outsourcing product development introductionOutsourcing product development introduction
Outsourcing product development introduction
 
Towards a Trustmark for IoT (April 2018)
Towards a Trustmark for IoT (April 2018)Towards a Trustmark for IoT (April 2018)
Towards a Trustmark for IoT (April 2018)
 
Sox Compliance Presentation
Sox Compliance PresentationSox Compliance Presentation
Sox Compliance Presentation
 
B2B Marketing Outsourcing and B2B Sales Outsourcing Companies
B2B Marketing Outsourcing and B2B Sales Outsourcing CompaniesB2B Marketing Outsourcing and B2B Sales Outsourcing Companies
B2B Marketing Outsourcing and B2B Sales Outsourcing Companies
 
Problem And Purpose Of A Project
Problem And Purpose Of A ProjectProblem And Purpose Of A Project
Problem And Purpose Of A Project
 
Lew Cirne, FS16 Keynote [FutureStack16]
Lew Cirne, FS16 Keynote [FutureStack16] Lew Cirne, FS16 Keynote [FutureStack16]
Lew Cirne, FS16 Keynote [FutureStack16]
 

Recently uploaded

Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / NcrCall Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncrdollysharma2066
 
Catalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT      .pdfCatalogue ONG NUOC PPR DE NHAT      .pdf
Catalogue ONG NUOC PPR DE NHAT .pdfOrient Homes
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppelCorporation
 
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130  Available With RoomVIP Kolkata Call Girl Howrah 👉 8250192130  Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Roomdivyansh0kumar0
 
CATALOG cáp điện Goldcup (bảng giá) 1.4.2024.PDF
CATALOG cáp điện Goldcup (bảng giá) 1.4.2024.PDFCATALOG cáp điện Goldcup (bảng giá) 1.4.2024.PDF
CATALOG cáp điện Goldcup (bảng giá) 1.4.2024.PDFOrient Homes
 
Investment analysis and portfolio management
Investment analysis and portfolio managementInvestment analysis and portfolio management
Investment analysis and portfolio managementJunaidKhan750825
 
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101  - Basics on Growth MarketingTech Startup Growth Hacking 101  - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingShawn Pang
 
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCRsoniya singh
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsApsara Of India
 
NewBase 22 April 2024 Energy News issue - 1718 by Khaled Al Awadi (AutoRe...
NewBase  22 April  2024  Energy News issue - 1718 by Khaled Al Awadi  (AutoRe...NewBase  22 April  2024  Energy News issue - 1718 by Khaled Al Awadi  (AutoRe...
NewBase 22 April 2024 Energy News issue - 1718 by Khaled Al Awadi (AutoRe...Khaled Al Awadi
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...lizamodels9
 
(8264348440) 🔝 Call Girls In Hauz Khas 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Hauz Khas 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Hauz Khas 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Hauz Khas 🔝 Delhi NCRsoniya singh
 
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | Delhi
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | DelhiFULL ENJOY - 9953040155 Call Girls in Chhatarpur | Delhi
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | DelhiMalviyaNagarCallGirl
 
Call Girls In Kishangarh Delhi ❤️8860477959 Good Looking Escorts In 24/7 Delh...
Call Girls In Kishangarh Delhi ❤️8860477959 Good Looking Escorts In 24/7 Delh...Call Girls In Kishangarh Delhi ❤️8860477959 Good Looking Escorts In 24/7 Delh...
Call Girls In Kishangarh Delhi ❤️8860477959 Good Looking Escorts In 24/7 Delh...lizamodels9
 
Call Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any TimeCall Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any Timedelhimodelshub1
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...lizamodels9
 
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...lizamodels9
 
Call Girls In ⇛⇛Chhatarpur⇚⇚. Brings Offer Delhi Contact Us 8377877756
Call Girls In ⇛⇛Chhatarpur⇚⇚. Brings Offer Delhi Contact Us 8377877756Call Girls In ⇛⇛Chhatarpur⇚⇚. Brings Offer Delhi Contact Us 8377877756
Call Girls In ⇛⇛Chhatarpur⇚⇚. Brings Offer Delhi Contact Us 8377877756dollysharma2066
 

Recently uploaded (20)

Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / NcrCall Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
 
Catalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT      .pdfCatalogue ONG NUOC PPR DE NHAT      .pdf
Catalogue ONG NUOC PPR DE NHAT .pdf
 
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCREnjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
 
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130  Available With RoomVIP Kolkata Call Girl Howrah 👉 8250192130  Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
 
CATALOG cáp điện Goldcup (bảng giá) 1.4.2024.PDF
CATALOG cáp điện Goldcup (bảng giá) 1.4.2024.PDFCATALOG cáp điện Goldcup (bảng giá) 1.4.2024.PDF
CATALOG cáp điện Goldcup (bảng giá) 1.4.2024.PDF
 
Investment analysis and portfolio management
Investment analysis and portfolio managementInvestment analysis and portfolio management
Investment analysis and portfolio management
 
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101  - Basics on Growth MarketingTech Startup Growth Hacking 101  - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
 
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls

What Goes Into Onboarding New Cybersecurity Vendors

  • 1. EXECWEB Straight from Fortune 500 CISOs What Goes Into Onboarding New Cybersecurity Vendors
  • 2. Execweb Ambassadors (Discussion Panelists): Kenneth Foster, VP of IT Governance, Risk & Compliance (Fleetcor); Bradley Schaufenbuel, CISO (Paychex); Steve Zalewski, Ex-CISO (Levi Strauss); David B. Cross, VP & CIO (Oracle); Rick Doten, VP Information Security (Centene)
  • 3. Overview This is a Q&A compilation of a webinar organized by Execweb on the topic: Unlocking the Secrets of Enterprise Cybersecurity Vendor Onboarding. This guide empowers CISOs and vendors with essential knowledge and strategies for vendor onboarding. CISOs can gain insights on effort levels, preferred vendors, and brand impact, streamlining the process and ensuring trusted solutions. Vendors can learn about CISO priorities, address concerns, and foster successful partnerships.
  • 4. Topics of Discussion: Buying a POC vs Buying a solution (01); Role of Vendors in the onboarding process (07); Hiring a well-established vs a start-up (12); Brand image of vendor and its impact (17); Going with the preferred seller for fast onboarding (23)
  • 5. What is the level of effort required for onboarding a new vendor and does it differ between buying a solution vs conducting a proof-of-concept (POC)? Question 1 1
  • 6. Rick Doten VP Information Security (Centene) Whether it's a POC or a purchase, we still need to go through a service design. This involves defining the budget, including human resources, and creating a timeline. A project manager is assigned, and it goes to a steering committee for approval at the end of the quarter. Implementation can take a long time, even a POC installation can take up to a year, due to engagement from different groups within the company. Then there are variables such as budget allocation i.e., can this thing wait till the next year? Sometimes the process may go dark for a while and then resurface, requiring a rush to finish it up. That's the reality. The onboarding process, whether for a POC or a purchase, involves service design, budgeting, timeline creation, and stakeholder engagement flexibility. 2
  • 7. Bradley Schaufenbuel CISO (Paychex) The procurement process varies significantly based on the vendor's interaction, including factors such as the markup in the contract and the speed at which they pass our vendor security review. The duration can range from a few weeks to several months depending on the level of access and data involved in the process. If the POC doesn't have to interface with production systems and sensitive data, we can get it through a lot quicker. However, what's crucial in our organization is internal alignment. With a large IT department of 2200 individuals, implementing a security product involves aligning resources across multiple teams, which can take time. The vendor has no control over this aspect. If the POC doesn't have to interface with production systems and sensitive data, we can get it through a lot quicker. 3
  • 8. Steve Zalewski Ex-CISO (Levi Strauss) If no money crosses hands, we can bring the company relatively quickly simply by signing the NDA. When we start talking about the money, then the formal process kicks in. 3-9 months to get through the process, depending upon the skillfulness I have and the redlines put in paperwork by the vendor. The more redlines a vendor puts in, the more time it will take to get it approved by legal. So the vendors who are reluctant to accept what I offer and put redlines in the document have to wait anywhere between 2 to 4 months. The onboarding process can be expedited by signing an NDA, but when money gets involved, it results in extended approval times. 4
  • 9. David B. Cross VP & CIO (Oracle) Building upon Steve's points, there are two key considerations in differentiating a POC from a full implementation: whether it is in a test environment or a production environment, as this affects the pace of progress. Additionally, the average time for onboarding a new vendor falls within the three to six-month timeframe due to factors such as evaluating the architecture, ensuring compliance, and addressing overall implementation complexities. While a three-month timeframe might be overly optimistic, a realistic estimate would be around six months. Implementation pace varies based on the environment and onboarding new vendors or products takes three to six months, considering various factors. 5
  • 10. Kenneth Foster VP of IT Governance, Risk & Compliance (Fleetcor) Alignment between the security team and the vendor is crucial, as security personnel often lack the necessary permissions to freely install software or make changes to their systems. Regardless of whether the POC is conducted in a non-production or production environment, it still poses security risks so there is not much difference for me when it comes to implementing POCs. Security permissions restrict software installation and system changes, making the implementation of POCs similar regardless of the environment. 6
  • 11. How can vendors proactively streamline the onboarding process for CISOs, ensuring a swift and seamless experience? Question 2 7
  • 12. Rick Doten VP Information Security (Centene) Vendors need to understand that gaining the support of the CISO or other high-level executives may not be effective. These executives are often part of a committee that evaluates and approves new services or solutions. The end-users will make the final decision. If they find value in the product or service, they will advocate for it and drive adoption within the organization. Thus, vendors should prioritize reaching out to product users and gathering their support. Vendors should prioritize end-user support to drive adoption within organizations, rather than relying solely on high-level executives. 8
  • 13. David B. Cross VP & CIO (Oracle) Having comprehensive documentation is essential to address the concerns of various stakeholders, such as compliance and audit teams, corporate architecture personnel, and others. By providing a comprehensive package of documentation that answers anticipated questions, the onboarding and decision-making process can be streamlined, minimizing the need for back-and-forth communication. Comprehensive documentation addresses stakeholder concerns, streamlines the onboarding process, and minimizes the need for extensive communication. 9
  • 14. Bradley Schaufenbuel CISO (Paychex) It is crucial for vendors to invest time in understanding the onboarding process. Many vendors overlook this step and end up facing unexpected phases. By familiarizing themselves with the process from the beginning, vendors can avoid surprises and have a clear understanding of what they will go through. Understand the onboarding process to avoid unexpected phases and gain a clear understanding of what they will encounter. 10
  • 15. Steve Zalewski Ex-CISO (Levi Strauss) It's important to note that engaging in a POC doesn't automatically imply an immediate purchase. Often, a POC is conducted to evaluate and validate a solution before considering it for the following year's budget. The purpose is to assess factors such as cost, business process impact, and potential challenges. The procurement process is typically faster than the CISO's decision-making process, which involves aligning various stakeholders and assessing reputational risks for both parties involved. A POC doesn't guarantee an immediate purchase, as vendors should recognize the longer decision-making process and involvement of stakeholders. 11
  • 16. What are the differences in the procurement process when hiring a well-established vendor compared to a start-up? Question 3 12
  • 17. Rick Doten VP Information Security (Centene) When it comes to risk assessment in vendor selection, there are several factors to consider. Firstly, the vendor's long-term viability is evaluated, ensuring they have the capacity to support the organization's needs. Secondly, scalability is important, as the vendor should be capable of growing alongside the organization without compromising service quality. Thirdly, there is the risk of them being acquired, as certain acquisitions may lead to conflicts or restrictions in contractual agreements. A thorough risk assessment is also conducted, which may involve requesting source code escrow for contingency purposes. While the process remains the same, we get more meticulous with gauging new firms' scalability, viability, and risk of them getting acquired. 13
  • 18. Bradley Schaufenbuel CISO (Paychex) We evaluate whether they have the necessary financial resources to provide support not only in the present but also in the future, such as a year or three years down the line. This is less of a concern when working with major cybersecurity companies, as their financial status is publicly traded and can be reviewed with ease. In contrast, startups often lack sufficient financial data for us to assess their viability. This discrepancy in financial resources and track record is a significant factor we consider when evaluating vendors. Viability is a key consideration in our risk management process, with a particular focus on startups that may face challenges in proving long-term support capabilities. 14
  • 19. David B. Cross VP & CIO (Oracle) On the other hand, larger vendors with a strong market presence often have established documentation and protocols in place. The procurement and risk assessment processes differ in these cases due to the varying levels of familiarity and available documentation. While startups require more scrutiny and assessment, well-established vendors may already have a more extensive track record and documented security measures, impacting the evaluation process accordingly. Third-party assessment tools help evaluate the risks of smaller companies, while established vendors have documented security measures. 15
  • 20. Steve Zalewski Ex-CISO (Levi Strauss) Young companies may offer more affordable solutions, even if they come with certain risks. As a vendor, understanding that your size can be seen as both a strength and a weakness is important. Tailoring your pricing and risk considerations accordingly can help meet the needs of cost-conscious organizations. Furthermore, organizations often turn to young companies to explore alternative approaches and tap into emerging capabilities. For these and similar other reasons, sometimes we are more willing to work with an emerging start-up than an established vendor. Engaging with young companies can offer cost-effective solutions and allow us to leverage their unique strengths to address specific challenges. 16
  • 21. What factors influence the brand image of a vendor and what is its importance when deciding to work with a vendor? Question 4 17
  • 22. Kenneth Foster VP of IT Governance, Risk & Compliance (Fleetcor) As a CISO, I prioritize trust in real-world experiences and the recommendations of professionals within my network over relying solely on industry reports or evaluations. The opinions and firsthand experiences of trusted individuals hold more weight than brand recognition or industry accolades. Reputation is paramount in the cybersecurity community, and even the most highly acclaimed products can be overlooked if they have garnered a negative perception among our network. I prioritize real-world experiences and trusted recommendations from my network over industry reports. 18
  • 23. Rick Doten VP Information Security (Centene) When it comes to industry reports like Gartner, they hold little value for me personally. I rely on real-world examples and feedback from actual users or trusted sources who have hands-on experience with the products or services. The brand name itself carries minimal weight compared to the actual quality of the tool and the people supporting it. I'm not interested in buying a name; I'm interested in investing in a tool that aligns with my business needs and has a reliable support system behind it. The strength of the relationship with a vendor is of utmost importance. 19
  • 24. David B. Cross VP & CIO (Oracle) Industry reports provide valuable perspectives that can help broaden our understanding of vendors and their offerings. However, it's important to remember that this is just one piece of the puzzle. The second aspect is the input and experiences of our internal team members who are stakeholders in the decision. Their firsthand experiences, both within our current company and from previous organizations, help us understand the practical implications of working with specific vendors. Lastly, peer recommendations and experiences also play a crucial role in reaching a decision. I prefer leveraging industry reports, internal team input, and peer recommendations to build a perception of vendors' brand image. 20
  • 25. Steve Zalewski Ex-CISO (Levi Strauss) With the increasing number of vendors vying for our attention, the traditional POC process has become less prevalent. Instead, relationships play a more crucial role in our decision-making. When we have a specific need, we turn to our peers who have recently deployed similar solutions. Their positive experiences with certain vendors can quickly propel those vendors into the final selection stage, even without them actively participating in a competitive POC process. Reputation and word-of-mouth have become vital factors in vendor selection. In some cases, I may even rely on third-party assessments if the vendor has already been pre-qualified through trusted recommendations. CISOs rely more on trusted peer recommendations than traditional POC processes for vendor onboarding. 21
  • 26. Bradley Schaufenbuel CISO (Paychex) Brand recognition does have some significance in the decision-making process, especially when communicating to the executive team and board. When introducing a new vendor or solution, having a well-known brand name can provide a level of credibility and familiarity that eases the concerns of key stakeholders. A recognized brand name often carries a sense of trust and can help alleviate potential skepticism or doubts. Brand recognition carries significance in the decision-making process, providing credibility, familiarity, and trust when introducing new vendors to key stakeholders. 22
  • 27. How common is it to utilize preferred resellers to expedite the on-boarding process? Question 5 23
  • 28. Rick Doten VP Information Security (Centene) While utilizing preferred resellers can sometimes streamline the onboarding process, the involvement of the IT group in tasks such as system setup, credential management, server design, and port configuration can still be a significant factor that determines the overall efficiency of onboarding, potentially outweighing the benefits of using a preferred reseller. It depends! 24
  • 29. Steve Zalewski Ex-CISO (Levi Strauss) Having a single point of contact for procurement and legal matters is increasingly becoming a strategic approach, as companies often lack sufficient resources in those areas, and it expedites the deal closure process. Preferred vendors are sought after for smoother paperwork handling, especially when understanding the procurement process and pre-signed NDAs are already in place. Additionally, being aware of deal sizes can be advantageous, as deals under a certain threshold may bypass lengthy procurement or legal processes, allowing for faster execution. Preferred vendors streamline paperwork and expedite deal closure. 25
  • 30. David B. Cross VP & CIO (Oracle) The decision to utilize preferred vendors for onboarding depends on the specific situation, as in the case of exploring a new specialized area or technology where the internal team lacks experience. In such instances, leveraging preferred vendors for additional Professional Services or system integration can be an optimal choice to ensure smooth deployment and implementation. Yes, if I feel that the internal team lacks audit abilities. 26
  • 31. Execweb www.execweb.com contact@execweb.com Long Island City, NY 11101 @execweb7337 CISO Executive Network