Tuesday 15th June 2021, 16:00 (BST)

The CISO-Cyber Security vendor relationship

  • Negotiating with a vendor – what do you want, what are you willing to concede, and what must you have?
  • Prioritising your security wish lists and communicating effectively with new and existing vendors
  • How can vendors improve their communication and services to support building trust over time?

Hello, welcome back to another edition of the award-winning teissTalk with me, your host, Jenny Radcliffe. We've got a great show for you today. Later, I'll be inviting an awesome panel to discuss the CISO-vendor relationship. We're going to be joined by Sajid Naseem, who's the CISO of New Jersey Courts, and by Todd Carroll, who's the CISO, amongst other things, at CybelAngel. Don't forget that all of you can ask questions or chat in the box on the right to me and to our amazing panellists.

So without further ado. And don't forget. Sorry, I knew there was something else. Don't forget that the prize is going to whoever is the most engaged, makes the most intelligent comment or the funniest remark. But first, I am delighted to be joined by my guest today. Leda Muller is the CISO at Stanford University and has been in the job for a number of years. I am delighted to welcome her to the show. Welcome to the show, Leda.

Hi. Thank you very much for having me this morning or this afternoon, wherever you may be this afternoon.

You know, we Brits, we can't deal with the heat. We can't deal with the heat. So, look, welcome to the show. I mean, honestly, what a distinguished career. Many things to talk about today. Well, first of all, maybe you could just let our lovely audience, who are here with us, know: tell us a little bit about what you do at Stanford.

Sure. I'm the CISO at Stanford University Residential and Dining Enterprises. We are an auxiliary; we're the revenue-generating arm at Stanford, where we house the students, feed the students. We have a hotel. We manage the concessions at the stadium. So we have a wide variety of people within our community, everyone from custodians to project managers to C-suite. So there's a lot going on with data, information security, PCI.

It must be massive, a stadium and a hotel. I mean, obviously in the Ivy League, if you like, that surprises me. You have a stadium?

Mm hmm. Yeah, the stadium. We manage the concessions. That's where the football games are and, you know, the basketball games. So it's basically a city within a city. I mean, anything that you can think of that happens at a university happens there.

You know, I've got friends who work at universities in some capacity in security and education in the UK. And they've told me that from a perimeter perspective, it's a really hard thing to keep secure, and cyber as well.

Yeah, I would say so, because we have so many different roles and so many people touching different things, like we're not like, for example, a tech company where you have basically your engineers or programmers, a lot of people doing kind of the same sorts of things, working within the same applications. We have so many different people using so many different applications, sharing data with one another in different departments. So it really is a big perimeter. It really, really is and must be.

It must be crazy. Is that because you must be doing that all the time anyway? I just think, of all the CISOs I know, the ones in education who look after that kind of thing seem to me to have the hardest time sleeping. So I mean, even in that job for many years, I mean, you know, in the 20 years you've been established, you've done lots of different jobs.

I want to, but I'm more interested, really, in the fact that you've been in the industry for so long. What sort of changes have you seen, good or bad, over that kind of career?

Well, I would say technology, the Internet of Things, data, information and how people do their jobs. In the past, I'll give an example of a custodian. Right. Basically their job is to keep things clean, keep things organised. They deal with chemicals. And it used to be they used to get information on paper. Right. They'd read the paper on how to handle the chemical, how to clean the rooms. Now we've put technology into their hands.

We've given them iPads or iPhones or tablets to read those sheets, to get that information. So now they're connected to the network, you know, to get that just-in-time information. So I think what I've seen is information has moved more quickly. People are getting information faster and they're getting it in their hands, and they have access to a lot more things unless there's control of what they can see. So I would say that faster information, and this goes to IoT, and I hope that the information they're getting in a timely manner is the information that they have access to,

The correct information that they need.

Well, I mean, I can imagine that's such a difficult thing to control whilst trying to make sure people are happy and don't feel so restricted. It must be crazy, right? I mean, we've been in this industry a long time, and I'm going to switch a little bit later to a couple of your passions, because they're mine as well, and you're so awesome about these things; you hold a number of non-executive directorships and things like that. Trusteeships.

But I wondered, after all this time, does the industry still excite you, or do you feel tired by some of the challenges that don't go away?

You know, I'm excited about it. I'm passionate about it because I'm more of a people person. Through my career, I came up the people side, and technology, you know, that intersection has happened. And I want to help educate people of all different roles within organisations. I know we say the people are the weakest link, but I think they're part of the solution, if you will. They need to be educated and aware. And when you bring technology and data and information to how it affects them in their day to day, they understand, right?

It's not that they're clueless about it. They're just not exposed to it. They just don't understand because they have a job to do. But now technology and data are affecting them. And we just need to be able to talk to them and explain to them, understand their role and how we can, you know, bring technology and what they do together succinctly and work together. And I think that will help improve what they're doing and be able to support them and move what they're trying to accomplish forward.

I couldn't agree more. And I think, you know, I think that phrase, the weakest link, is so counterproductive. It's so helpful because if no one knows anything about security, the human side of things... Yeah. I mean, I've given a talk called "The Weakest Link?" And it's helpful to get across to people where we're going. But it's unhelpful, isn't it, because it's a criminal's view. See, people are part of that defence as well.

I completely agree. And we've got comments already in the chat. One of our regulars, a professor, says, I think technology plus people equals system. So I like that, three words that get us across Europe. So, I mean, I think that's true. And I think you're famous, really, for saying, in some of your thoughts, a lot of your interviews, that security is kind of everybody's problem, and I completely agree with you.

You know, I do on this, but I think when we went to work from home en masse, it also became everybody's worry. I mean, I'm joking with you: what keeps you awake at night? But we actually did an episode on teissTalk about how do we teach people to be the CISO of their own homes. I mean, well, you know, on that, when we sent everyone home and expected them to be across these things.

Right. You know, we had a lot of people in my organisation that we would consider essential workers. They were facility managers, property managers, and these are the people that take care of the buildings. And usually they're on site, you know, checking whether the pipes are broken or, you know, what type of shape the building is in. But they went home. They were working on their applications, on their laptop. And what we did see was the websites that they were going to, because they were looking for a lot of PPE and a lot of other things.

We saw that they were going to a lot of websites that were not very friendly websites. So it was very interesting, because we could see that pattern over the years of how, and I hate to call it the wave, but the wave was going up in March. Even on the web, you know, you have the pandemic going on. Waves were going up, but they were also going up on websites that people were visiting. And so we were helping educate our users.

OK, now you're on your home network. What do you need to do? What are the tools and solutions that we have in place to make you more secure? So, again, the education and the collaboration tools, you know, there are a lot more collaboration tools. Where it used to be easier for some of these staff members that were on site, they could just run to the next building and go talk to somebody. Well, now they needed to use collaboration tools on their system, on their laptop, to be able to have that same conversation. So that's walking them through how to use those tools; even though we did train them years ago on how to use the tools, they weren't using them.

Right. Training did happen, but they weren't using them. So now they needed to use them.

But the cognitive load was insane. Right. And that's part of it. You know, and I think this kind of leads me to, because you and I could talk, I mean, we could easily do a special, Leda. So, you know, but one of the things that you speak about a lot is the IoB. Yes. IoB, folks, if you know, hey, it's something that I love. I love, love, love it.

I'm so geeky about it. So I saw you talking about this, the Internet of Behaviour. And I just want you to unpack that, because, you know, just linking it with what you've just said, it's such a difficult circle to square, if you like. Everyone's doing different things and everybody's frightened. And there's so much information. If you want to just explain a little bit about your view on the Internet of Behaviour, and then maybe we can talk a bit about how it might have been affected by the pandemic.

You know, I'll actually give an example of myself on the Internet of Behaviour and information. I started taking yoga classes online through YouTube. Right. There was something that I needed: to get active, I needed to do something. I was not an active YouTube user. I do have a daughter who's big on YouTube. Right. The kids grew up with YouTube. That's what kids do, right? They just can't imagine. They can't imagine, you know, they can't imagine.

Why would I sit and wait for someone to put something on I might like? What? Everything that's ever been filmed, it's right over there. Right. You know, four years ago we bought a big TV and I'm like, great, because I can watch it. No, they're watching on their tablets or on their computer screens. So my behaviour changed as I was watching YouTube. I was watching YouTube every morning doing my yoga workout before starting work.

And then the information that I started getting in my email about yoga and all this information started popping up. Right. So just that whole information and data that's out there now about me, that I'm a subscriber to a couple of YouTube channels, a couple of fitness channels, and now all of this pops up in the ads. And how is that influencing my behaviour, and how much time am I spending looking at that and going down that direction? So that's kind of high level, more of a fitness example.

But if you dig a little bit deeper into IoB and depending what sites and where people go, you can only imagine what information they're getting, how they're being influenced, and taking that time to really think, does this really make sense to me? And should I be going down this path? Right. Do I want to become a fitness guru? I don't think so.

But that's so hard to stop happening, because the minute that you do anything, you know, the minute you do anything. We went on a little vacation in the UK just weeks ago. We went to a place where there were exhibits, you know, there were animals and things in exhibits. The next thing you know, my husband started getting taxidermy suggestions, which is not naturally good, because the algorithm's completely screwed and thinks he's some sort of serial killer.

But look, you know, I mean, just words of wisdom, because you've been in the role so long and you've seen so much of the industry. And as I say, you know, you're a quasi-trustee of ISACA and of your own university that you went to. What would you say to our audience? A lot of the people that are tuning into us right now work in a similar way. We've got CISOs and we've got incident response people.

And I just wondered, you know, 18 months since the pandemic, just give us a little bit of the benefit of those years of experience.

You know, I would say, you know, understand. Because we talk about security supporting the business and the organisation, and really, if you have that opportunity, understand the people that make up the organisation, what they do and how they work with technology and security and the type of access that they have. Really understand: what do they need to do their job, and how can we support them in a safe and secure manner?

Absolutely brilliant advice. They're going to do it anyway, whether we're with it or not. So we might as well get across it. Leda, it's been amazing to have you with us today, and we could talk to you forever on the next piece of what you do. But thank you for now, and thank you. And just to say hello again to our lovely audience who are chatting away on the right-hand side of the tab. If you want to take part in the chat, feel free to ask me or my guests anything you like about the topics we're talking about.

And we'll do our best to get to them all before we finish the show. And right now, I'd like to welcome to the show two more panellists; well, one panellist today, due to an emergency. But we have got Sajid Naseem. He's the CISO of the New Jersey Courts. And Todd Carroll, who's the CISO, amongst other things, at CybelAngel. Welcome to the show, gentlemen.

Thank you.

Glad to be here. I think we're just waiting on Sajid, who's had a few problems with connectivity, as is always the case in technology. Welcome to the show. Let's start with you then, Todd, while we wait to see if we can reconnect him. Great to have you on the show and exciting to have you on the show. I'm sure you want to just tell us a little bit about what you do at CybelAngel, and then talk to us a little bit about how you got there, because I can't wait to talk about this also.

Excellent. Yeah, so it's CybelAngel. First of all, CybelAngel is a cybersecurity company. We originated out of Paris and now we're global, with offices in New York and London. But what we do is we help our clients find their data in the wild. So information that's shared, which is very timely today, and definitely during a pandemic, when information is shared with partners and third parties; we find a lot of information out there unsecured. And so we look for and scan those areas where data that is shared is stored.

And access to that data, you know, exposure of credentials, things like that. So at CybelAngel I'm CISO, but I'm also their VP of operations, as we are a fast-growing company, expanding quite a bit. But as, Jenny, you said, you can tell from my background, actually, I'm a retired FBI agent. FBI agent, everyone, it's so exciting. So first of all, from the point of view of the whole topic, you can see things from the CISO and the vendor side.

Ah, Sajid, you've managed to get the connection. So, I think, close to 20 minutes. But yes. So from a point of view that you see both sides of it, right. You see the vendor side. It's kind of like, if you like, customer-facing, but you're also sort of used to being the customer too. Right?

Yeah, absolutely. It's a very unique experience and something that gives me a very unique perspective. As you know, of course, as a cybersecurity company, we have to protect ourselves as best as possible. So we have a lot of our clients' data and other things that we have to secure. But also from the other point of view of seeing what the clients want and working with other CISOs, which actually helps me grow in my position as a younger CISO.

So talking to my colleagues all the time about their wants and needs, challenges, risks, threats, it's actually put me in a very good position. So.

Well, we can't wait to talk to you about our topic later on. So, Sajid, welcome.

Thank you. Thank you for having me.

So you are the CISO at the moment for New Jersey Courts. Do you want to tell us a little bit about what that is and what exactly it is that you do there, what challenges you've got at the moment?

Yeah, so, I mean, I work for the government, the state of New Jersey. However, the government is a big, vast place. Obviously, there is the federal government of the United States; I work with the state government. The court systems are peculiar in their own way. It almost runs, in some ways, like a corporation. The courts of New Jersey, basically, we're a big state and all the courts are underneath the jurisdiction of the Supreme Court in New Jersey.

OK, that's not always the case, depending on the states you go to. From a security point of view, that means that there's about seven hundred and fifty sites, physical sites and so on and so forth. And the security of that is under us. Yeah, and we have about thirteen thousand employees and about two hundred thousand users that are non-government users that come into our system, including businesses like attorneys, lawyers basically, and cops all across New Jersey.

So it's a huge operation in terms of its vastness. The one good part about it is that we have direct control over our courts from a networking security perspective, so that is important. So in terms of centralised policies and in terms of different conversations, there's some control there. That's on the technical side. On a very practical side, a year, year and a half ago, obviously, as the pandemic hit, the courts had never seen remote work.

I mean, I don't want to say never seen, but essentially their entire operation was coming to a monolithic building. Walking in was the idea. Doing that remotely was the major question. Right. And in terms of serving justice. So you went from walking in, where attorneys are paying attention to people's reactions, to going remote, where, you know, there was a case out of the UK where we started seeing deepfakes on audio tapes in child custody cases and things like that, meaning the world that was never open to them immediately, instantaneously opened.

So that's the case. There are some legal things that are critical in terms of running a remote operation, just in general. But number two, in terms of securing it, is when the court goes remote. One of the major things in criminal law type stuff is you have the right to confront or face your accuser. Basically, you can't do that remotely. That's not how the laws are written. So there are some real things you couldn't do remotely, because they just couldn't.

So we've basically been running a remote court all these, you know, months. And we've had some hybrid approaches where maybe the attorney and the accuser are in the same room and then other people are remote. And all this kind of stuff has gone on that I think is probably here to stay for the future. But that also means you're dealing with just a very practical measure, as you and I are sitting in. I mean, this camera view is pretty good, but this is a virtual view.

You know, there's all these questions that come when there's a virtual view versus a physical view. Now, I don't want to get to, you know, I'm not saying we're living in a multiverse with, you know, alternate images, or I'm not going to give a physical explanation for this. But the reality is we're remote, and that's a whole different ball game in terms of accusing somebody of a crime, you know, and that means we're bringing in all the electronic issues that one would deal with in, you know, technology to the court system.

Huge deal. So we've fundamentally changed the way we operate.

That is a huge, big deal. I mean, that gets to the heart of democracy. And yeah, it does, sort of even society. Well, you know, I love this stuff. I love this insight, because whenever we get our fabulous guests on, there's always this huge kind of history and scope to the job, really. So thank you so much for that. And actually we're going to go to our news story now, and it sort of touches a little bit on this.

I think we can have three separate angles on this, because our article today is from The Guardian, and it's about the fact that Lindy Cameron, who's the chief executive of the National Cyber Security Centre here in the UK, and this article's on the heels, of course, of our G7 summit, which saw even the President, given that our guests are American today, driving the Beast down Cornish roads. I can't imagine what it must have been like to see the Beast driving down the road to Cornwall.

For those of you who don't know, they are small roads, hard to drive on at the best of times, those roads. So that was amusing to all of us in Britain anyway, and seeing them sort of eating pasties and cream teas and things, it was great. But this article comes hot on the heels of that. And it's from the chief executive of the NCSC, who says that for the vast majority of UK citizens and businesses, and the vast majority of critical national infrastructure providers and government service providers, the primary key threat is not

state actors, but cyber criminals. Now, I've got to come to Todd first because finally you're allowed to speak your opinion on this after a long time, I'm sure, of not really being able to. So, initial thoughts on this.

Initial thoughts. So, let's, you know, the whole fact of ransomware, right, it's not anything new. It's been around forever. Right. OK, so what is the new thing that is taking us to this point? You know, I have an opinion that maybe the line was crossed with the attack on the pipeline. Right. We're now actually going after infrastructure in the US that really had a potential impact. Right. The whole thing, though, that this is not run by state actors is, to me, this is crazy.

I mean, she's quite right, though. And she said criminal hackers do not exist in a vacuum, but they are facilitated by certain states acting with impunity. I mean, the sad thing is, I mean, yeah, let's, you know, hey, I spent a long time, most of my career, in national security, a long time in cyber counterintelligence; they all go hand in hand. I worked a long time on terrorism also.

And there are a lot of interesting things going on right now with a lot of declarations here in the US about designation of groups that are doing these types of attacks, which I think will bring in other authorities in the US government. Right. So Title 18 allows the FBI to do certain things. There's other criminal law and federal law that, when you designate things with certain designators, allows other agencies within the US government to actually get involved and to do operations.

So there's some of that. I think a lot of it has to do with the pipeline attack. But from day one, right, whether we're saying it's Russia or China or whatever, in all those countries, their hackers don't do anything without their governments being fully aware of what is going on. And if they're not, they're working for the government during the day and at night they're making some money for their own pockets, or they're working for criminal organisations, where the money really is nowadays.

So I'll call it what it is because I finally can.

So, I mean, yeah, thank you. I mean, I think that's really a gasp across the audience; I'm sure most people would disagree. Let's go to Leda next. I mean, just very quickly, of course, we don't want to talk too much on ransom, because we've done it weeks and weeks. But what are your thoughts on this?

I mean, I come from a different, you know, growing up in the eighties and whatnot. And, you know, just what Todd said. I agree with Todd, just from other CISOs and other people in security that I've spoken to in energy plants and whatnot; you know, things are happening all the time right there. They're up 24/7 because of attacks that are happening. It's just that some did not get through. I think this is also the messaging to the people.

This probably was the awakening for some, because they couldn't get their gas, right? So it affected them. And other attacks, like SolarWinds, for example, didn't really mean a lot to the typical end user. Right. What did that mean? How did it affect me? So this actually touched them. So, again, I think it's the messaging. And how does it affect the person? Right. You know, we're very much in it.

How does it affect me? Well, this actually affected them. So, you know, messaging and how it affects you: it needs to touch you.

I mean, she said tough things. I'm going to come to you, Sajid, in a minute. And just look at how this kind of maybe ties in with the White House messages recently. But Cameron called for insurance companies to stop paying out ransoms, and said the anonymous cryptocurrencies often demanded, such as Bitcoin, should not facilitate suspicious transactions. It almost feels naive. You know, it always feels naive.

I mean, Sajid. I mean, we've got a great question from Tony which says, you know, how does this kind of correlate with the recent White House sort of open letters and advisories on zero trust and resilience? What do you think about governments issuing these kinds of open letters, these advisories, giving you a position just at the wrong time to lose?

In terms of federal governments and whatnot, so here's the deal, right? I mean, I try to look at ransomware as a threat that is not so... I mean, there's definitely a technological threat to it. But if you just look at the history of it, you have Microsoft that has vulnerabilities: EternalBlue, then BlueKeep comes out, DejaBlue, all the stuff going on.

And then you have now ransomware as a service in the last few years. So back in '17, you had WannaCry. You had the Maersk attack. You had all kinds, you know, hospitals, like Todd said.

So now, if you look at the modern ransomware attack, you're talking about either basically remote desktop vulnerabilities or, actually, the way that they get in is through the admin accounts. Right. That's how they get in, and then they install it. We actually had an attack last week in New York, the New York City Law Department, which, again, from what we hear, is based off of somebody getting phished through an admin account, meaning malpractices in treating admin accounts, as an example.

Right. So now, no matter what regulation comes out or whatever you want to say, and obviously in the SolarWinds case and some of this other stuff, you had lots of compromises, lots of organisations with, whatever you want to say, hygiene, bad hygiene, whatever you want to say. But those are the practical issues that are there. The guidance, I think, is starting to come out. But the reality of this, I think a lot of this topic is a leadership and management topic of how things work.

So as an example, one of the things I did when the pandemic hit here: we've been taking our security seriously for a long time, clearly knowing that, you know, things can be bad for anybody. Right? So the first thing when the pandemic hit, what we did, we spent more money on security. And I'm not saying money is an equal for doing good security.

It helps.

And that was leadership that was dedicated to doing that while they were cutting money from other places; they were dedicating it to other people. The point is that somebody is buying you, basically buying you. They're not just buying some buzzwords you're seeing in some nifty documentation. Right. So I would really say that the topic these days is, or always has been, the leadership and management over your people. I'll give you another example of that that's related to this.

We've seen the Verizon breach report that comes out every year; 30, 40 percent of that is misconfiguration. Right. Meaning you couldn't follow the CIS benchmark, essentially. Right. What does that mean? Somebody wasn't managing the people, right? That's what it really means. Not having the ransomware is basically down to the relationships that are going on inside of organisations, because if you can get to the first unpatched system, then to the admin account, then to the backup, that means somebody wasn't paying attention.

I mean, this one can run and run. And, you know, we know that everybody cares about it. Everyone's concerned about it, because it's going to keep going. I mean, I really felt towards the end of 2020 that 2021 was going to be less eventful in many ways. And, you know, in security, we were wrong. So there we go. So thank you for your insights on that. Guys, I'm going to take us to our topic now.

And just to say to Sajid, I feel like I can see some fabulous skyline, like the New York skyline or something, reflected in your glasses, which looks very cool. Yes. Thank you. So let's get on to the topic of the day, which is one that I really know sets everybody in the community on edge, which is this whole idea of the CISO-vendor relationship and how that's really panning out.

And I think I'm going to come to Todd first and sort of go around, because I thought this used to be sort of joked about in the community as a very inherently adversarial relationship. I mean, that's the way it's traditionally been: we're all bothered by vendors trying to sell us magic solutions. From your position, which is pretty unique because you sort of see both sides of it, have we progressed as an industry on this one?

OK, so two and a half years ago, I was in the government, where everybody in Chicago wanted to hear from me. Right. And now I come to a vendor and no one wants to hear from me. Right. So I wouldn't say it's that. So I'm fairly new to the relationship, but it is, you know, the times can be difficult, right? I know there's a ton of noise, and me wearing multiple hats at this company, believe me, my inbox every morning and my LinkedIn and everything else is just chock full, because everybody thinks, oh, he's got the title, he has money, he wants to buy stuff.

Frustrating. Part of that is a lot of times it's stuff that I would never need, or it's actually a competitor selling me the same thing that we actually offer. So no one's actually putting any thought behind it, which kind of makes me giggle, and I actually pass it up to our team and say, you guys better be paying attention. Right? You should be putting more thought behind this. I think a lot of it is also on the vendor, and whether it's the sales teams or even when they sign the client, a lot of it has to do with relationships.

Right. And I bring that from a definitely from my other days, as I think it's yes, we're we're in the business of providing something. But we also have to answer the mail at the end of the day. And if we're not able to answer and help companies with what they're doing, then I think that is part of our problem is the vendor really needs to be listening also. Besides, just as I call spraying and praying, you know, send out a thousand e-mails and maybe five people respond back, you know, kind of like when that happens, it's like fiction.

I was just going to say, it's just that I feel like I'm being... fishermen, lazy. You must be on every list. Leda, 20 days in the business. What's your view on how this relationship plays out then?

Yeah, you know, those emails are getting more creative. One was like, oh, like, "regarding..." It was almost like it was a reply back to me being out of the office, with their information. I was like, whoa, OK, is this phishing or not phishing? But, you know, with the vendors, a big part of the relationship is understanding our art, what we do, and helping us with a solution, like understanding our story.

This is what we're trying to accomplish. Does your solution fit or not? So come with a solution, and don't have me try to fit what we do into what you're selling. And so I think it starts with that initial call. There have been more Zoom calls now with some vendors, and I felt ambushed one time because there were about seven people on the call with me. And I thought it was just an intro, like I thought it was just going to be the person that I was sharing the email with, that we were going to talk.

They were going to understand what I was looking for, they were going to tell me about their product and kind of go from there. Instead, it was a seven a.m. call, all basically like, well, what do you do? And I felt like I was running it. And when I had questions, like, I'd really like to, you know, can you maybe give me a screenshot or show me what you... none of that. It was kind of just us talking, and I'm like, OK.

And then they're sending emails like, now, after that, when can we meet? Can we do this week? Can we do this one? Can we close it? It's like, no, we're not moving any farther. But it's understanding what we do and building that relationship that's important. Listen to my story and tell me how your product fits. And if it doesn't fit, then we can both walk away and not waste anybody else's time.

Right. Then move on.

Saj, how about yourself? Are you bombarded by vendors you don't want, or how's it work?

Yeah, I mean, so here's the thing, right? We're all working in a place where the vendor's got to do business and I've got to do business. We cannot work without vendors; they cannot work without us. Right. So we have some sort of symbiotic relationship there. So the question is, how do we fit the thing? I'll give you an example. What does basically work? If you have a vendor that sells you stuff and just disappears on you?

Looks really bad, right? You're not going to really be thinking about them. And then there are vendors that are calling you 24 hours a day. You're like, dude, I don't have that much time to deal with this. Right. So you have that extreme. And then the second thing is there are some vendors that will set up a meeting with you every week to check in and so on and so forth. If you can size that meeting to the times and the things that you want, that could really be beneficial in a way, because, you know, then you catch them at that specific time to get something.

If you're doing some complicated network security project and you are now meeting with them every week, at that time it makes some sense. Right? Maybe. Right. So I would really say to the vendors that I would do work towards, you know, not just selling stuff but maintaining stuff, because next time the cycle comes around I might just drop you for somebody else.

Yeah, I mean, can I just do a little reminder? Thank you for that, guys. Guys and gals, I've got to say, they have so far to go. And we do want to hear from you today. So, our audience today, you've been very quiet for a while. I mean, I'm sure that's just because you're listening to our awesome panel, but we could do with some more comments and questions. Otherwise, I'm not going to be able to take one today.

So let's get some questions and comments from the audience for our fabulous panel. Lots of interesting angles on things from the panel. Let's hear from you. You know, I feel like whenever we talk about this, as I sort of said yesterday, I'm from a procurement background and I teach this. One of the things that I always worry about is that I don't know what the system is, and technical people generally, you know, there are degree-level courses on how to manage vendors and vendor relationships.

And I'm just wondering, from the audience as well as from the panel, do you think that it's part of the role that we're not ready for a lot of the time, that no one really tells us that, you know, there's a way that we prioritise vendors, a way we prioritise requirements? And maybe I'll come to Leda first, because I know that you did a short stint in procurement.

What's your view on that? Because, I mean, it is a big deal. Not all vendors are created equal. And these were customers, right?

Right. Well, I've actually built a relationship with our procurement vendor management team because they're the experts, right? They deal with vendors all the time. And I know our procurement manager, she'll be like, send them my way. If I get information, I send them her way and then we'll walk through the requirements of what we're looking at, so she can be working with them and not just bombarding me. Like, work through the process, because she's the expert.

She's the speed on that. And so she's taught me a little bit, you know, secrets that she has and how she deals with vendors, and just that process. And when we get to a contract, you know, what we're asking for is: what are they providing? You know, really getting what we want. And like Saj just mentioned, some of the successful vendors that I see now that we have, you know, they're not running away.

We actually have quarterly meetings with them and we're talking about the roadmap and sharing our information, which they've actually now incorporated, because we are the users, you know, we're the consumers of this. We are using their product, and this is how it's being used in the real world. Right. So giving that feedback. I was on a call with another vendor the other day and they're up with a new product. And it was techno-speak in the console.

And I said, you may not have a technical person like that. Using that technical speak with your average end user or your intern, it may not make sense to them. So it needs to make sense. So they need that change to make it more usable, right, for who's going to be on that console, who's going to be the end user. So I've seen that open up a little bit more with the vendors that we now have, that the relationship management is understanding where we're coming from, understanding where they're coming from, so we can get to a better solution.

It matters so much, I think, doesn't it? It matters to, you know, some customers. I mean, I know you're not going to call this out, but I know some customers that are easy to deal with and are open to suggestions, and others are not. And we've got a great comment here from John T, a regular audience member. Hi, John. So he says, I'm not a vendor, but it's really common for me to see infosec leaders on LinkedIn talk about how they know which product they want.

And that's not just how it works. Feels a bit unfair. And the vendors, although putting it on one's accounts, would invite in the calendar, is poor form. I mean, that's like, do you remember when U2 dropped all their songs into our iTunes and suddenly you found... I like U2, but I felt that was a bit amazing. What are your thoughts on that? Is it a bit unfair on the vendors sometimes, I think, trying to get it?

Yeah. Yeah, it is, really. There's a lot of noise out there. Right. I think about the first time at RSA a couple of years ago; I've got to say, I'd only been before as a speaker, from the government. Right. So it's different. But that first time as a vendor, you come down that escalator, if anybody's been out there at the Moscone Centre, and you see just the vast sea of vendors, and you're like, oh my God, how is someone going to find us to go, hey, that's who I need.

So there has to be a conversation. Right. And part of it is also, to get to the second point, the different techniques to get the attention. And then I really don't like... I actually had one today where I'm like, where do these calendar invites come in? So I don't know this. And that's not really poor form. But people are getting very creative in having the conversation. And I know even in our company it is.

So it is. Yeah, it's that whole balance between how do you find potentially what you don't know that's out there, that maybe this is a different technology that's out there that does something, versus the big vendors that have been out there forever. And are they, you know, changing their ways to address today's challenges? I mean, that's part of the whole thing. And, boy, if I knew the answer, boy, I'd be writing books on that.

But it is a huge challenge. And sometimes, yeah, we run into that: hey, we can recreate that. You know, it took eight years to develop this; I highly doubt it. Or, you know, I'll let you know when I'm looking for that. And it's hard. There are just so many different technologies that are out there and different vendors, and getting through to the ones that can probably answer what you absolutely need is not easy without having a lot of those discussions.

No, it's not. I mean, Saj, what does good look like for you? What does a great vendor approach look like for you?

Yeah. So I mean, it's a combination of what's being said. But, I mean, obviously psychologically everybody buys things for different reasons. There was a report out of Gartner, it's probably true on a yearly basis, that CEOs are very unhappy with CISOs and technical people, that they just buy toys. And I get it. You know, I take my kid to Toys R Us, which is defunct now, and they just want to buy everything on the thing there.

So, again, buying is, you know, psychologically satisfying in some way. Right. But then there are different people for different things. Right. So what I look for, I mean, it depends on the area that I'm looking at. Sometimes I'm just trying to get something done, and I know something is an industry leader and I just don't have time; I just need to plug that problem. Right. Simple as that.

Then the other thing is when I'm getting into a more strategic... I don't see a relationship, but more things. I just need more from the vendor, like in terms of the analyst, in terms of what they're bringing to the table, you know, and lack of arrogance. I'm looking for some very humane things from them to be able to do that. And, you know, that's where the relationship starts.

So, you know, sometimes you can have a vendor that's huge and you've heard of them, and all of a sudden the person they give you really sucks. You know, the person was terrible. I'm like, dude, I'm not buying X company, I'm buying that analyst, or I'm buying that person. Right. So to me, it's those very human things, like, is this person dedicated? I'm working 24 hours a day. I haven't slept in five years.

So are you giving me the same thing back? And if you're on PTO all the time, then I have a different relationship; then give me the analyst that isn't, right. So factors like that, to me, play a huge role in my mind in terms of picking the right vendor.

That's related to almost the same thing, when you say that you don't leave a job, you leave your manager. I mean, it could be that people leave people, not jobs.

And it's true in the vendor relationship. We've got some great conversations, some great comments coming up on air. We've got John, who is a regular on the show, John Naysay, and one of the people on the right chooses to say: vendors, don't bother. This is a little bit hard, from Lies. Say, when do you send... and these are quick fire because we're just about out of time. But just very quickly, perhaps let's go to Leda on this one.

Once you see value in vendor partner relationships, how is it best to approach a leader with a product that's new? You know, what is the best approach to the relationship?

I actually like it when I understand the person, and not that sales pitch, not that they're ripping off their script, but getting to know who they are a little bit and why they believe in their product, and going off script. I think that's the best way. That's when I have that conversation.

So it's not in... But I mean, I'm thinking we've got to give them a little doorway in, to even get them to give you that kind of little bit of a CV. And Danniella, what's most are shared... if they can't take our hints, if people don't answer your click on the second or fifth time, we don't want to talk to you, or it's handling the message. You've got a great question coming in from John T. Just, I think, to finish this before I get your very quick final thoughts, ladies and gentlemen: how often... This is a brilliant question, John, because we all talk about being people-orientated to a certain degree, with knowledge.

The job can't be done without good communication, which is John T's question. And I'm going to come to Todd first. How often do they feed back to potential vendors on the use of language or marketing copy? How often do we tell them why we don't respond to it?

Wow, it is a great question. And it's part of our, you know, the challenge, the challenges that we have as a vendor. Right. I'll speak from the vendor point of view: we need to listen as much as we possibly can. We need to share, and we do that. You know, like I said, we use the quarterly... How much is too much? How much do you want to hear from the vendor, how much do you want to, you know, hear from the vendor, and making sure that there's that human touch and capability.

So our use of technology mixed with a human touch and the ability to interact. But we absolutely do share our roadmap with our customers, because we want to stay up on what their challenges are. Right. If not, we're not going to be around a very long time if we ignore you. Right.

Like they said, Saj, Leda, what would it take for you to give some feedback on that approach?

On what, Jenny?

On their approach. John T's question was, you know, how often do we feed back to vendors on how they approach us? I mean, what would you do?

Yeah, yeah. I mean, I guess it's going to depend. I mean, selling is probably a very complicated topic. That's why certainly I'm not good at it and you guys are better than me. So I'm not good at selling stuff. But I think it's very... I mean, there are introverts, there are extroverts, there's life experience, there's all this stuff that's going on when you're selling something.

So it's really complicated. I think on some level, like me, I'm just tired and haven't slept. So, you know, talk to me; let them give me more specific information.

So I would say that's really clever, because it's often said in the person, and that's what we'd say in good communication. I would certainly say read through the pages and try and work out what they want, and give it to them.

Yeah, there are people that can't understand me at all and there are some people that get me like this. So what's the difference? They're paying attention.

I would imagine so, I think. Yeah, well, I mean, it's true. So, you know, we are about at the end of our time. This is an amazing panel. I'd really love to see you guys on this topic; such different backgrounds and points of view. It's been amazing.

Let's just get one or two sentences, because we really are at the end. Just your final thoughts on this vendor relationship. Maybe if I come to Leda first. What are your final thoughts on all of this?

Know what you want to get. Understand what you're looking for, what solution you need in your organisation, you know? Yeah, really. That was it. And then reach out to those vendors.

I mean, you know, I run my own company. And I would say, if I got a customer, a potential customer, just know what they want. Very difficult for me to make them happy, you know?

Let's go to Saj.

Next to Leda. Right. That's your name, correct? OK, I just want to make sure I get it right. But these are realities. That is correct. You've got to know what you want. Right. And that's important. And sometimes I see people come into a meeting not knowing what they want, and they're asking the vendor for stuff. I'm like, dude, get a clue. You're right, because you're wasting everybody else's time when you don't know what you want. And it's OK to have an exploratory discussion.

Don't have it with me either. Right. So that's OK, or do some research. So I think that's an important factor. And in terms of vendors, one of the things that annoys me, let's put it that way, is if the vendor comes in basically telling me what to do. Like, dude, you're not paying attention to anything that I'm facing over here. I've got people not following marks. I've got ransomware attacks.

I've got, like, a million things. You're giving me: everything, this is perfect, do it this way, and everybody else does it this way. You know what? You still didn't tell me what I want to hear: how I should do it. You know what I'm saying? You're talking about every other person that you talk to, and not about me. And that's a problem, because I think they need to understand what you're dealing with.

And this is a matter of the approach; this is a critical piece of it. I can immediately turn off vendors in a second the moment they pick the wrong approach, because psychologically they're not helping me, you know?

Yeah, absolutely. Todd, we need to finish, more or less. What about meeting objectives, the customer's objectives? What are your final thoughts on this one?

Final thoughts? I agree completely. But here's the other thing. When you do run up against a vendor, be open with communication about your needs. Right. And say, listen; there are humans there on the other side. They're trying to make a living. Just say, listen, this is my challenge: this, this and this. Can you meet that challenge? And if I can, let's have a conversation. If not, no hard feelings.

We'll talk to you some other time.

Yeah, but, Todd, the flip side of that is when you do that, they keep calling you for something else. OK, now.

So I know. I think so. I can take it, you know. I can only... your point is valid that the people who are purchasing should be respectful towards the vendor, because, you know, they're spending time putting in all that. I think that is well taken.

Yeah, absolutely. A vendor needs to listen and say, listen, they're not in the mood, or they don't have that need right now. Let's move on to the other ten thousand companies that are out there.

Absolutely. And I think what we're seeing here is that there's a balance on both sides, and you could do better on both sides. I think sometimes those approaches... and certainly try to solve some of those mutual challenges. We are out of time and could have gone on for much longer today. I wonder... the taste today goes to John T, because of some cracking comments, and that was a brilliant question. So thank you, John T. We will be on to you to receive your taste.

But for now, let me say thank you to my fabulous panel: to Leda Muller, to Sajed Naseem and to Todd Carroll at CybelAngel, without whom we wouldn't have had the show, because they've been our fantastic sponsors for today. And to you, the teiss audience, who have helped us get our award for best podcast. Thank you very much. We'll see you again on Thursday for the show.

Could we save everybody? Thank you.

Your host:

Jenny Radcliffe

Jenny Radcliffe, also known as "The People Hacker," is a world-renowned Social Engineer, hired to bypass security systems through a no-tech mixture of psychology, con-artistry, cunning and guile.

Jenny is a sought-after keynote speaker, panelist and moderator at major conferences and corporate events, both in-person and online, is a TEDx contributor and is host of her own multiple award-winning podcast series.


Leda Muller, Chief Information Security Officer, Stanford University

Leadership in Cyber Security, Information Technology, Start Ups and Non-Profits. In-depth experience driving results as a program and department leader. Adept at managing performance of teams, projects, and programs in collaboration with senior leaders and in line with organizational goals. Excels at training and mentoring users and teams, fostering relationships, and strategically solving problems.
Proven ability to develop, collaborate and network with staff, faculty, end users, vendors, volunteers and donors. Strong leadership, collaboration and interpersonal skills. Solid strategic mindset, both short-term and long-range, including past creation and development of strategy to leaders.
Exceptional customer relationship skills, combined with the ability to coordinate the efforts of many to meet organizational milestones and goals.

Sajed Naseem, Chief Information Security Officer, New Jersey Courts

Sajed Naseem ("Saj") is the Chief Information Security Officer (CISO) of New Jersey Courts. He has over 20 years of experience with information security and IT across many industries. As the CISO of the New Jersey Courts, he has focused on Cybersecurity Readiness & Performance, Information Governance, and Network Security. Sajed holds Master's degrees from St. John's University and Columbia University. He routinely speaks at cybersecurity conferences nationally, in Europe, and with the New Jersey Bar Association. Sajed has also been an Adjunct Professor in Information Security at St. John's University since 2010 and is a native of New York City.

Todd Carroll, Chief Information Security Officer, CybelAngel

Accomplished executive management professional in both the private and public sector. Helping grow a SaaS Cybersecurity company in the US in revenue and size. Has over 28 years in law enforcement and national security, with a wide range of experience and expertise in cyber, counterintelligence, counterterrorism, intelligence and violent crime investigations. Able to provide leadership and strategic vision focused on cyber and physical security, threat intelligence, risk analysis, compliance, insider threat identification and mitigation strategies.

© 2021, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd • Registered number: 05832927 • VAT registration number: 830519543
