How to Get a CISO’s Team on Board and Cultivating Community with Cecil the CISO!

S3 E18 · Bare Knuckles and Brass Tacks

This week we sit down with Cecil Pineda to talk about building real community in cybersecurity, vendor relationships that actually work, and how to avoid being that annoying sales person calling every Monday.

George K and George A talk to Cecil about:

🛠️ Why technical operations experience matters for CISOs

☝️ The art of "bothering someone" (yes, there is an art to it!)

💡 His advice for vendors trying to break through

✅ How his team evaluates new tech 

Plus we get into what it really takes to build authentic relationships in this industry. Spoiler: It's not about automating thousands of emails!


————

👊⚡️BECOME A SHOW SUPPORTER

https://ko-fi.com/bareknucklesbrasstacks

For as little as $1 a month, you can support the show and get exclusive member benefits, or send a one-time gift!

Your contribution covers our hosting fees, helps us make cool events and swag, and it lets us know that what we're doing is of value to you.

We appreciate you!

Transcript

Setting the Stage: Effective Sales Strategies

00:00:00
Speaker
Timing is really important and there's really no good time, but you just need to do your homework. Um, I've seen people talk to my lower-level engineers, and they do their homework. I think there's work needed at the sales side. They need to do some research. When they do the proper research in a proper way,
00:00:22
Speaker
they'll get to be able to present to us and talk to us and demo with us. And even if the product is really good, they'll even get a POC. They'll get to me and I would ask, well, how did you do it? How did you get end up to my CISO? I did my homework. I researched the company. I researched your team. I know who's doing what and just politely ask for time with them.

Podcast Introduction and Guest Appearance

00:00:55
Speaker
Yo, yo, yo, it's the show. This is Bare Knuckles and Brass Tacks, the cybersecurity podcast that tackles all the messy human bits in cyber. That's trust, respect, and all the rest. I'm George K with the vendor side. And I'm George A, a Chief Information Security Officer.
00:01:11
Speaker
And today we are talking to the one, the only Cecil the CISO, Cecil Pineda, who is, if you haven't been paying attention, one of the most prominent CISOs on LinkedIn. He's out of the Dallas area. He's a generally fun dude, if you're lucky to catch him in one of his conference selfies. And also one of the co-founders of CISO XC. So guy's everywhere: practitioner, community builder. It's a wide-ranging discussion.
00:01:41
Speaker
I really, what I liked him the most. He's a genuinely kind individual.

CISOs as Business Leaders

00:01:46
Speaker
He's a smart guy. You know, this episode really, I think, spoke to a lot about the CISO as a business leader and the actual, like, business of running a security operation and vendor management and trying to understand how to have successful supplier relationships. This episode, honest to goodness, I think, you know, obviously our episodes are as wide of an InfoSec audience as possible, but if you're a practitioner who's in mid-stage of your career or you're an InfoSec leader or you're in that leadership role, I think this is the episode for you, because Cecil gives us some really good advice and some really genuine pointers on how to get the best interactions and the best of your relationship with your suppliers.
00:02:31
Speaker
100%. We're going to turn it over to Cecil.

Year-End Reflections and Future Plans

00:02:34
Speaker
And you should know, listeners, that this is the final recorded episode for this year, 2024. For the next three weeks, we will have some greatest hits and we'll check in with you for the holidays. But we are going to knuckle down and build some more things and then we'll be roaring back in 2025. So enjoy this final conversation of 2024 with Cecil the CISO. Cecil, welcome to the show. Oh, oh, thank you for inviting me.
00:03:09
Speaker
Uh, it's been a while. I've been waiting for the invite for a long time, so... Well, you know, good things come to those who wait. Uh, and we're very happy to have you here. So thanks for taking the time.

Cecil's Vendor Interaction Experiences

00:03:21
Speaker
Um, you are on the practitioner side, which means I get the first shot. We're going to get to CISO XC, but I want to give you this space as a practitioner. This is the bare knuckles portion of the show. So let's talk about relationship with vendors. Let's talk about.
00:03:39
Speaker
I think that's kind of a little bit of the origin story behind building the community, but like what are your top grievances and how people are trying to interact with you, how they're trying to get into your life, into your budget, and then we'll go from there. I hope we have a couple of hours.
00:03:58
Speaker
Ah, it's tough. Um, I did enjoy a portion of my life, a professional life, being on the vendor side. So I kind of know what they're dealing with, the pressure, the stress.
00:04:14
Speaker
Ah, but on the other side here, sometimes you scratch your head, you know, hey, um, you can send an email every week. You can just call me anytime. And I think, um, a lot of the, especially those who are new in the sales or marketing, I don't think they know the art yet. You know, there's an art of bothering someone. You know, there's a way. And I've noticed, I know this, um, I get phone calls 10 to 12 times a day, and I'll probably answer one of them if I know the number.
00:04:55
Speaker
Is that, you know, um, some of them are really good. They have a way of getting into you. And some have special craft, you know, simple text message. You know, I'm going to answer this one. You know, a lot of times, you see a lot of folks that are, you know, respectful of your time, your space. And they gave you, you know, just the, hey, you're busy. I understand it, but I'll try to bother you again in eight weeks.

Debate: Are Technical Backgrounds Crucial for CISOs?

00:05:30
Speaker
Don't worry. Uh, you won't hurt my feelings. You know, it tends to work. Oh shoot. I got, I got this guy's been very patient. You know, so I'm going to answer his call. Yeah. So, but there are folks that are just always in your face and.
00:05:50
Speaker
I think there's an alarm on, you know, I need to call Cecil every... My territory is Dallas. I just need to call Cecil all the time, every time, every Monday. Yeah.
00:06:06
Speaker
Yeah, so I guess, so I'm really, it's fun to talk to a peer practitioner. I'm excited about it. Um, I think what I kind of would want to understand from your perspective and your career history: how important do you think it is for folks who have that CISO title to have experienced time in their working-level years in security operations? And I'll tell you why. In my opinion, and I have nothing against GRC, pure GRC folks. I have nothing against pure policy folks. I have nothing against pure business practice lead folks who jump over to a CISO title.
00:06:46
Speaker
But I find the most effective CISOs are ones that have actually lived the battle on security operation side or done DFIR and they've done the IR thing or done some bit of breach coaching.
00:06:59
Speaker
And I think it should almost be a prerequisite to be able to take on the title because, ah, a big, a brass tack, a big beef I have is dealing with CISOs that are absolutely non-technical, because I think it absolutely hampers your ability to effectively build and run the security program. Would you say, based on your experience, that that statement is true, or do you have a counter to that opinion?

Diverse Experiences in Security for CISOs

00:07:28
Speaker
No, I think, um, I have led many teams now and I've seen many of CISOs today and many of the upcoming CISOs. I have direct reports that are, I would call CISO materials, and it's their combination, I think. But I see your point, George. I see those people who have battle scars, they perform better when they, you know, and they're up there. They know the effort needed to fix a problem. They know all the ins and outs of, you know, an incident, or if there's a troubleshooting needed,
00:08:14
Speaker
they have an idea of how to fix it. However, I would say, not all the time, I would say 60, 70, 80% of the time, I would agree to that. One of my direct reports has a GRC background and I think it's about the person really. I've seen people who are just, you know, natural-born rock stars, you know, give them something and they'll figure it out. Um, again, but I won't disagree, because every day we deal with threats, we deal with problems and issues. One of my direct reports
00:09:02
Speaker
Um, he's gone through being an administrator or security engineer, went through the ranks, and I know when I give him a special project.
00:09:16
Speaker
He doesn't need, he could figure it out by himself.

Community Building and Mentorship in Cybersecurity

00:09:21
Speaker
Yeah. It was curiosity and like initiative, right? Yeah. Yeah. You know, I was both a practitioner from an operation technical side. I also went to work in audit and then I worked as GRC.
00:09:39
Speaker
I did all those things intentionally because I wanted to see all sides. Um, no offense to my IT audit friends. My first one-year stint in IT audit was very interesting because I learned to document, but I almost, you know, lose my sanity because it's a lot of documentation, a lot of reports. Yeah, my man knows auditing.
00:10:08
Speaker
I went through a, because I have like a side job as well in October. So at my day job, I am subject to an FTC audit every second year. So I had to go through a month long FTC audit all the same time at my other job.
00:10:24
Speaker
doing an ISO 27001 audit for a client. So my entire life was compliance audits while trying to run my team, while trying to run my program, as we're going into our budgetary cycle. So I have to provide my budgetary reports to my CIO and my board. And I don't know how I didn't have a stroke.
00:10:44
Speaker
And I'm so thankful that George didn't tell me to piss off, because I was stressed out every single day. But I think that it's just the life we signed up for, man. We can't complain. Yeah, it is. And you just said, you know, having those different experiences, different building your skills at different levels, I think will help a CISO succeed in his executive work.

CISO XC: Community Focus and Career Placements

00:11:12
Speaker
Yeah. Well, I want to turn the corner here. So Cecil, you're not just a CISO, right? You're also a founder at CISO XC. And I want to just give you a space to talk a little bit about that origin story. Like how did you and Randy and Jamie come together and think like, Oh, we're not busy enough. We should start an executive events company. And like, what's the mission there?
00:11:36
Speaker
I can tell you why. First, you know, people think we're all doing the work there. It's really Brandon and Aaron doing all the hard work. 100%. Yes, I did a test of that. We did start that. And after COVID, you know, in Texas, our COVID restriction year was quite short. Correct. And what we did is, um, we kind of miss each other collaborating and we started going out for, you know, walks around the lake. And, you know, the group started small, just two and three, and then we went to go do lunches together. And throughout that weekly meeting, I think many of us were just looking for someone to talk with and exchange ideas.
00:12:26
Speaker
One day we were just eating at one of our favorite place in South Lake and we said, you know, we should create a forum for people like us. So we created this checklist. You know, I said, you know, it should focus on community first. You know, and then second, we wanna help, you know, cybersecurity, you know, the profession in general. And third, which is really unique, is we want to make sure that we donate some of our revenue to different charities. We started with the big charities, Salvation Army, mean the Red Cross. Now we are helping smaller charities that don't get a lot of attention. So, um,
00:13:15
Speaker
Um, I think as of today, I'm not sure, we're probably, um, this number's really close. I think we've donated about $360,000. And on Friday, we're gonna add $5,000. We're bringing 50, 70, maybe 100 people to North Texas Food Bank.
00:13:33
Speaker
We're going to donate five thousand and then we have a hundred people helping box meals and groceries for you were here, George. That's awesome. Yeah, I mean, the Dallas community is something quite special. They're like a couple of these cities where you just go in for an event and you can like feel it. You can feel how well people know each other. But when you were going through that checklist, what was it about other events?
00:13:59
Speaker
that you felt was lacking, because I take it that CISO XC was starting not quite openly in opposition to, but it was starting because you felt something was missing. Yeah, and we struggled with that because we didn't want to compete with anyone. We want to complement them. And it was hard because when we started doing it, you know, a lot of the event organizers around the area felt that we're competing against them. But I said, you know, no, we're together in this community.
00:14:31
Speaker
and we wanted to do many things. One is to give back to the community. Um, second, we wanted a forum where all the CISOs are, you know, open to exchange information, ideas, not sensitive information. You know, one of the best things about CISO XC that many people don't even realize, we have a chat group that I could tell you, it's a treasure trove of information. Hey, how can I communicate risk? Hey, how can I have my first board presentation? Hey, I am asking for more money, for more budget. Hey, by the way, who's your MDR provider? What do you like and what you don't like? Those kinds of questions
00:15:21
Speaker
Or, um, we're getting real-time, real-world experiences about, you know, products and services, providers. Um, and not just that, during the event, you know, we get to, you know,
00:15:40
Speaker
You get to do an event for your peers. It feels really good. And, you know, I couldn't explain it when I'm there. I'm nervous every morning when we open the conference. But at the same time, I'm like, wow, all my friends are coming. And they're all supporting. And it just feels good. And, you know, every after conference, my favorite part, the parties. Right. Yes. Yeah.
00:16:08
Speaker
Yes. If you have not been a part of a CISO selfie, then you got to put that on your list. Yeah. Yeah. I think it's kind of like, it's tough, because, you know, when you try to get involved with things, like I have a similar thing in Canada called CyberX.
00:16:25
Speaker
I've been kind of involved with that community for a few years now. I've been trying to build it up, bring people into it. I brought George into it. We've done events together with them. I think part of the job, if you're doing it correctly, is community. And I think it's one of those things that they don't tell you. You know, it's never on any CISO job poster where it says have to be a contributing member of a community, have to help with mentorship, have to try to guide. And, like, all this stuff that we invest a ton of hours and care into, it's not part of our job, but it's part of the job, because it's almost reached a point now where if you are good at the job, you're expected to be that person.
00:17:07
Speaker
So I think the hard thing, and I guess for a lot of practitioners who are maybe mid-career and at the point of maybe trying to make the jump to the CSO rank, how much investment does someone have to expect to make in terms of community involvement, because you don't get paid for it. And oftentimes you're paying out of pocket to do all these travels and all these cool events that seem awesome. And maybe once in a while you get sponsored, but the reality is this costs time and money, but it's still a critical part of your success.
00:17:38
Speaker
It is. Ah, for us, it's the feeling, you know, the satisfaction we see.
00:17:49
Speaker
I'll give you an example. All of our student volunteers from three years ago, all of them three years ago, they all have jobs now. Damn it. We ran out of volunteers. All of our volunteers, you know, I mean, one of them just texted me. Um, he just told me, I think, hey, I'm going to start working at Goldman Sachs in the next few days. I owe you more than a Starbucks CISO.

Balancing Community Involvement with Responsibilities

00:18:13
Speaker
Many of the CISOs who have lost their job have found opportunities from the same group.
00:18:21
Speaker
You know, it's just so, it feels so happy to see things like that happen, and, you know, but... But I have you, but the question is though, it's how much the person have to expect to have to do it?
00:18:38
Speaker
Yeah, yeah, it's a lot. The good thing here in Dallas, George knows a lot. So, like Royce, our good friend Royce. Yeah, man. Royce dedicates a lot of time outside of his work. He would go to events, he would bring people, he would, ah, and we've started collecting, um, what we call this, ah, reusable templates for board reporting, for risk assessment, for all of these. We're trying to build a library from our members so we could, you know, share it to other members. Yeah, and George, it's a lot of work for me.

CISO XC Expansion Plans and Challenges

00:19:21
Speaker
Um, of course, I have a family and I have my day job, but after five, after six,
00:19:28
Speaker
what we're doing right now, this is one of those, you know, community work. I feel one day if we stop, you know, it just slows down and we'll go back to the old ways, but I think George would attest that I'm really happy with where we are right now, how we've grown. I've always wanted us to move to other cities, but Randy, Jamie, or myself, one of us or two of us may have to leave our current day jobs to focus on CISO XC. It's crazy. I'm in RSA and Black Hat and people see me and I don't even, some of them I don't even know. Hey, CISO, when are you bringing CISO XC to Atlanta, to Chicago, to Houston? And it's coming.
00:20:21
Speaker
I'll tell Randy or Jamie planning to leave. Nice. All right. We'll leave it there for a second and then we will be right back for brass tacks.
00:20:33
Speaker
um
00:20:38
Speaker
Hey listeners, if you like what we do, the snark, the stories, and the big swings we take, we'd appreciate your support. With the link in the show notes, you can become an official supporter of the show. You can send us a one-time gift or sign up as a member to provide ongoing support. Memberships start for as little as $1 per month. Each membership tier comes with a unique set of benefits, including exclusive discounts to the BKBT swag shop.
00:21:05
Speaker
So really, for less than you'd pay for one cup of coffee per month, you can support the show. Use the link in the show notes. It covers our hosting fees, helps us make cool swag, and it lets us know that what we're doing is of value to you. Many thanks to recent supporters Jessica, Jason, and Maria. We'd love to have yours too.
00:21:33
Speaker
OK, Cecil, so the word community has started to get used a lot on the vendor side. I've noticed that.

Advice for Vendors: Engaging Communities

00:21:42
Speaker
Yeah. Um, and so I am curious. You know, what is your brass tacks advice to vendors who want to engage with CISO XC or these other communities? I know you also run, for example, the mountain biking around Dallas, so like there's obviously a sales pressure, like get in, build those relationships, right? But you're also trying to build something that's a little bit of a firewall against what you were talking about. Yeah. So like, how do you set expectations with the vendor sponsors? Like this is how you should do this.
00:22:17
Speaker
This is how you show it. I'll be honest, I still struggle to find that fine line. You know, a lot of them, you know, I consider them friends. At the same time, they have a job. We have a job. And I know sometimes, hey, I want to join your ride one of these days. But you know that, hey, can I get a meeting next week, Cecil?
00:22:44
Speaker
And it really depends, it's really the approach, the timing is part of that. And probably some, you know, I just met someone today for a quick lunch and, you know, gave me a menu of services that is similar to 90% of other companies that were approaching me every day. And I always tell, I told the gentleman today, I said, hey,
00:23:12
Speaker
big, probably a niche that you could pitch to me, or probably ask me the gaps or places I need help. Maybe we can, you know, match it. But if you're selling me the ocean, everyone is selling, you know, everything. I think, um, you have to find that, you know,
00:23:37
Speaker
I find it really interesting because some sales folks, especially those with years of experience, the veterans, I will call them, they have a way to get into your calendar. They have a way to get to my EA. I don't advertise my executive assistant, but somehow, some way, they were able to find her.
00:24:02
Speaker
You know, and I really like their resourcefulness, but as long as they're respectful, um, you know, I will talk to them. During the events, you know, I always tell them, you know, those part of organizing an event, you promise them a list of emails and attendee lists. And as part of the deal, however, I always tell them that if you just send a blast of emails to all these folks, no one's gonna read them. Yes, 100%. I told them to make sure that, you know, make it personal. Timing is really important and there's really no good time, but you just need to do your homework. Um, I've seen people
00:24:52
Speaker
talk to my lower-level engineers, and they do their homework. I think there's work needed at the sales side. They need to do some research. When they do the proper research in a proper way, they'll get to be able to present to us and talk to us and demo with us. And even if the product is really good, they'll even get a POC, you know, opportunity or a POV.

The Art of Relationship-Building in Sales

00:25:18
Speaker
So it's... there's an art. And
00:25:23
Speaker
There's some guys there, they just know how to work the system. They'll get to me and I would ask, well, how did you do it? How did you get end up to my CISO? I did my homework, I researched the company, I researched your team, I know who's doing what, and just politely ask for time with them.
00:25:47
Speaker
Yeah, I mean, that's, but that's, you say that like it's easy, which know George would argue that it is, but under time pressure, I think that it's like, there's a lot of energy and effort that goes into that. And I think if you're operating like at this crazy clip, those are the people who are trying to call you every Monday. Yeah. Yeah. By in numbers. You know, there's a guy that for five years I ignored him.
00:26:12
Speaker
But he was calling every, there's no schedule. He would randomly touch base and he would not even, there's no sales pressure at all. After five years, I said, you know, you're selling a great tech. It's really good, you know?
00:26:32
Speaker
Since then, I trust a lot of the, you know, recommendations. Yeah, yeah. When he calls, I would answer the phone because, you know, he was respectful. He was doing a great job selling to me and to my team. And he is, you know, and we don't like gray areas. And, you know, he's always, you know, I would say above board when he talks to my team and, you know, I just want to make sure that you're okay with this. I'm going to talk to your DLP person. I want to make sure that, you know, you're aware. And there's some folks that they just know how to do it.

Psychology in Sales: Building Trust

00:27:14
Speaker
Nice. Hey, if I'm on the other side, I don't really know how to do it. Yeah, like I think a problem I have is like I get sellers now who contact me literally three to six months after an event, just like, hey, you showed up to our booth at this blah, blah, blah. And like, ah, first of all, I didn't, like, I would have remembered, but like, they got my number on a list from that registry. And it's like, you contact you like two to three quarters later or even further. And it's like, how do you, you missed your window, right? Like, and again, there's just, there's a, because I think of the sales pressure and the lack of education on,
00:27:56
Speaker
I guess fucking how to be a human being, um, and how to communicate like one. We have a lot of bad toxic sellers that are not intentionally bad people. They just don't know how to convey a genuine conversation. Yeah. And if I can't trust you to have a basic conversation, I'm not going to trust you with a purchase order for critical software that might either get my organization compromised or get me fired or blah, blah, blah. There's a certain level of business risk that CISOs take on and every purchase, everything, a major acquisition, or sorry, a procurement that I go to my board with.
00:28:33
Speaker
I'm assigning my name to that saying I vouch for the quality of this software and this purchase. I've done my due diligence. Please give me the money. I don't think... I really feel like they don't understand that. I think that that's like a fresh perspective, which is like, if I can't trust you in my first conversation, like that vibe is going to stretch all the way to you trying to get budget for it, right?
00:28:58
Speaker
And I don't know your educational background, Cecil, but for me, I had a double degree in politics and psychology. And in psychology, they teach you a lot about, um, primacy and recency effect, right? Your first and last interactions with someone and the impression that that leaves.

Engagement Strategies for Vendors with CISOs

00:29:13
Speaker
And I think we need to go back to the psychological basics of human behavior, not for the sake of manipulation, but for the sake of actually having good interactions. So I think for me, like my ask to you is,
00:29:28
Speaker
When a seller wants to cold approach you, what is your, I don't say preferred method because cold approach sucks, but what is the highest probability of success for a cold approach for a seller trying to sell to a CISO like you?
00:29:47
Speaker
Ah, unfortunately, almost less than 2% chance there. But it's not always, again, you know, I've met some of them. The only reason why I said less than 2% because there's so many of them, you know, ah, but there's like, there's ways.
00:30:09
Speaker
They need to do their homework, they need to, you know, LinkedIn is there, you know, they'll really, it's easy to find people that work for me there. And, um, when a seller is trying to sell me something that maybe I already have, or probably in my roadmap, he's not done his homework. You know, I work in the healthcare space,
00:30:38
Speaker
Obviously, there's healthcare regulations. Ah, you know, data security is probably number one on my list. I hope they get that. But, and one day, they're gonna start, you know, someone, what the other was like, someone's asking me if I'm interested to hear a demo about Nutanix or VMware. And, hey, that's more infrastructure, you know, yeah, match, match it. And he, yes, the magic it, he has to do his research. Um, and there are dozens of people that, you know,
00:31:22
Speaker
there's... When I was on the other side, George, you know, sometimes, hey, Cecil, you're connected to one of these persons. The salespeople asked me, hey, okay, let me work. You know, half the time, it works. Hey, can you introduce me to your boss? You know, I just need 10 minutes and I want to introduce myself and bring my salespeople. If you do those, there's so many connections and I think those connections really help.
00:31:48
Speaker
A few days ago, this is not related to a sales, but I could easily point it back. I was interviewing a candidate, and this candidate said, he has all the knowledge and experience I'm looking for, but what really stood out was, hey, Cecil, I've read all your work online.
00:32:13
Speaker
Um, I've been following you for three years now. Ah, all your articles, at least these two, I love them. He started, you know, human psychology was like, wow, okay. He got my attention. You know, when he got my attention, and I said,
00:32:32
Speaker
human nature tells us, oh, I kind of start liking this guy already. Well, he still has to go through other interviews. Well, I think also what you're saying there is building that relationship. So, yeah. I can come at you as founder of CISO XC. I go to Randy and just say like, Hey, can you introduce me to somebody? And it's like, okay, that might take you half a step because there's a warm intro, you know them. If they have taken the time over the last year to build that relationship and you see, so are like, I do not need this technology now, but I just talked to my friend.
00:33:09
Speaker
You know, Jamie, yeah, it was saying that they have a gap in this. But I mean, that level of relationship building can take you far. It just takes a little bit of a longer point of view, right? You have to sort of see that web.

CISOs in Business Development

00:33:25
Speaker
Yeah, how far it extends for sure. Yesterday, I had a meeting with my team and they mentioned a product. Hey, we might, we should look at this.
00:33:37
Speaker
I remember Randy telling me that he's using the product. And Randy said, hey, yeah, yeah, um, gave me his 30,000 foot view of the product. You know what happened? George, I actually called the sales guy. Oh. Yeah, just imagine. That's like a dream. Yeah. Yeah, and I called the sales guy. I said, hey, I want you to work with my team to schedule a call to do a demo.
00:34:04
Speaker
Just imagine it worked because they have happy customers and, you know, that network really, you know, really worked for them. You know, they've been around. They've been marketing. I've seen their booths at RSA and Black Hat. I've seen them sponsor some events. I said, hey, yeah, let me call this guy. He probably was surprised. I called him.
00:34:31
Speaker
Yeah, that, I mean, you cannot buy, you cannot buy a contact like that. But you brought up RSA, you're everywhere, man. It's, you know, it's the famous CISO selfie. So, ah, George probably has a follow-up here. But my question to you, which is similar to something he's asked before, is how are you engaging with those shows now, right? Like, so much of these conferences takes place not even on the show floor, where the bulk of the money is being spent. So I guess I'm looking for, how do you like to engage? Because a vendor needs to know, like, where should I place my bets? Like, should I spend 3 million on the booth? Or should, well, I? Yeah. In the last couple of major events, Black Hat and RSA, I think I stepped on the floor for two hours.
00:35:19
Speaker
I spent most of my time attending customer advisory boards, special meetings, you know, all these, ah, executives pitching, doing a private pitch on their suite. And I would say more than half of them are very interesting. There's a lot of new tech, but, ah, I think a lot of the more technical folks spend more time on the floor.
00:35:47
Speaker
I've seen most CISOs do not, yeah, not really don't ever step on the floor, but they don't spend as much time. Many years ago, you would see them roaming around, but I think those suites are, you know, the private conversation.
00:36:06
Speaker
I don't know about you, man, but like most of the time I know the companies I want to check out. Yeah. I might, if there's time, do like a quick floor walk and like the startup village or whatever it is. But like I've been so impressed with startup village at Black Hat and RSA that, to me, it's not even worth it. I, and I said this to George afterwards, like I would rather set up meetings one on one
00:36:30
Speaker
with whoever I want to meet with. Yeah, right. Most of the time I'm checking in with my current suppliers because those are the people I care about. And if there's prospects that I'm interested in, I don't want to be in the trade show floor. I don't want to get your stupid bullshit demo while you're fast-fooding me through like a lineup of like, you know, 20 other potential buyers. I want you to pay attention to me. If I'm going to give you my attention, I want that same. And, you know, it reached a point, I would say, that with George and I, I was just like, man, I don't even want to buy the ticket next year. I had more value and more fun meeting on the sidelines with other people mosco off and off campus. And I found more value doing that. I honestly thought the ticket itself was a waste of money. It was a waste of time. And I think that's kind of where the sentiment is. You know what? I agree.
00:37:22
Speaker
No, I agree. And the last one I probably spent an hour on the floor. I only went to the people I, you know, or the tech that I really want to see. I learned a lot from those private sessions. A lot of, you know, they, you know, gave me their vision of their product, you know, long-term, short-term.
00:37:43
Speaker
It's just, you know, for many years I enjoyed walking on those floors, collecting a bunch of t-shirts. I still have all of them in my closet. My wife hates them because I have 300 t-shirts. But yeah, you're right. It's the more intimate gatherings that are more valuable for CISOs.
00:38:05
Speaker
Yeah, what I'm just going to say, George, you're really missing out on the chance to win that signed F1 helmet. So it's really your loss. Oh my god. Yeah, I just think, you know, that kind of goes back to...
00:38:20
Speaker
Really, the main point of this is how do we have real value-based conversations? Because I think at the end of the day, it's not that guys like you and I, Cecil, don't want to spend money. It's not that we don't want to see the new technology. It's just that, you know, we have priorities and we have needs.
00:38:40
Speaker
And I feel like, and this is actually, all the onus is on the CISO, right? And I think we have to take responsibility for our own vendor due diligence and management. And I've been kind of critical of practitioner leaders for this because there are guys who kick tires and waste sellers' time and show up to the free events, but never actually have an intent to buy anything. And I think that's bullshit too.
00:39:03
Speaker
I think, you know, for me, I'm more the type of person that I don't like getting sold to. Like, it happens once in a while and it's great and it works out. But for the most part, I know my needs. I know my priorities. I know my technology categories that are up for purchase this year. I'm going to do the research and connect with people and I'll take the initiative. Yeah. I just wish, you know, and maybe you're the same way, and I'd love to get your take on vendor management.
00:39:33
Speaker
It's on us to take the initiative and lead our conversations. I think if we just sit around and wait to be approached, most of the time we're going to get bullshit. If we're the ones doing the approaching, we kind of drive the conversation. And I find that when I end up approaching, I have good experiences, whether I end up buying or not, or whether we go through a POC and it doesn't work out.

Allocating Time for Innovation

00:39:59
Speaker
The fact that I took the initiative, I led the conversation.
00:40:03
Speaker
Yeah. I found I was able to control it and keep it on the terms that I wanted to keep it on. Do you think that CISOs, the modern-day CISO, need to be as much business development and vendor managers, a lot more than maybe they used to be? I'm just looking at my engagement. I would say 60-70% of my engagement where I initiated them
00:40:29
Speaker
or my team recommended them. Oh, yeah, wow. That's interesting. However, you know, we kind of give an opportunity for especially those new tech we wanted to see. You know, we have a mix of proven tech. And then at the same time, we open the door for, hey, what are those other things that are out there? Yesterday, a startup actually,
00:40:58
Speaker
I don't know if they're in series A already, but I gave them an opportunity in front of the 20-something people in my team to look at their technology. So, you know, I didn't stay for long, but the feedback from the, hey, interesting tech, but probably a few more months, they'll be ready for prime time. Nice. Yeah. I mean, it's interesting that you can like allocate some of that time and energy. Like, yes, I got to get the proven stuff in the stack, but I need to also hear from the newbies. We created a session called Technology Monday. So every Monday, we kind of invite this up-and-coming tech, you know, something that we may want to see, you know, down the road. That's tomorrow. Yeah, yeah, you set that expectation. We're not buying tomorrow. Yeah, yeah.

Closing Remarks and Episode Conclusion

00:41:45
Speaker
Nice. Well, Cecil, thank you very much for taking the time away from your family and what you could find in the refrigerator to sit with us and share your thoughts. Cheers, brother. Thank you so much.
00:42:03
Speaker
If you liked what you heard, be sure to share it with friends and subscribe wherever you get your podcasts for a weekly ballistic payload of snark, insights, and laughs. New episodes of Bare Knuckles and Brass Tacks drop every Monday. If you're already subscribed, thank you for your support and your swagger. We'll catch you next week, but until then, stay real.