Phone calls, emails, and LinkedIn messages — CISOs are flooded with vendors pitching their security products. Outreach attempts can be up to 30 a week. Whether it’s a video call or an in-office presentation, when CISOs do engage with a new vendor, a shortlist of key questions will help them assess the suitability of a potential new product.
Several CISOs shared their top questions drawn from many years in the field and many, many pitch sessions.
1. Do you know my business?
When CISOs ask prospective vendors if they understand their organization’s specific challenges, what they’re really looking for is proof the vendor has done their homework. “I want them to start with solutions for my organization’s business problem, not a feature set or a generic issue faced elsewhere,” says Amit Basu, CISO and CIO at International Seaways.
With a growing portfolio of solutions, Basu wants to know right away how a new tool matches his needs and doesn’t create tech bloat. “A new product is relevant only if it clearly improves security, preferably replaces one or more existing tools, and addresses a real operational need,” he explains.
However, he finds too many vendor pitches emphasize ‘magic’ capabilities rather than showing how the tool solves security problems. “I value clarity and honesty. If a tool solves two use cases well, that’s stronger than a vague claim of solving twenty,” he says.
Holding both CISO and CIO roles, Basu is focused on ensuring security is integral to any new technology and never an afterthought.
“You cannot sell me a security product which is running on legacy technology that my technology stack won’t be able to support. They must have seamless integration,” he says.
2. Will it reduce my workload, add value or improve operations?
A common starting point is to ask questions about how a new tool will reduce workload, minimize risk, improve resilience or simplify operations.
Basu wants to know whether the product can consolidate capabilities instead of adding yet another point solution. “Without that, each tool only secures a narrow slice while driving up cost and adding maintenance burdens,” he tells CSO.
However, Hydrolix CISO Joshua Scott is wary of the big sell on new tools that create more alerts and increase the workload. “Too often I see products that seem like they’re going to provide value but end up becoming noise generators, like vulnerability discovery tools or other scanning tools, and all it’s doing is creating more work for the team.”
In some cases, there’s too much technical detail and not enough problem solving. CISOs would be better served with tailored pitches rather than a one-size-fits-all style.
“The best pitches are hyper-focused on the problems the organization is trying to solve, not generic or filled with unnecessary details,” says Scott. “And the fewer slides the better. Get straight to the point of how you’re going to show value and how you’re going to reduce work for me.”
Scott’s questions center on reducing risk, improving resiliency, assessing business impact, and balancing security with business considerations. This wasn’t always the case, but his approach has matured to become more business-focused. “Early on, I wasn’t asking those kinds of questions and you can end up with a very technical, shiny new object, but it doesn’t solve a problem — and that’s what we’ve got to focus on,” Scott says.
3. What’s the integration and ongoing maintenance burden?
Couchbase CISO Vasanth Madhure evaluates new tools by asking about not just license costs, but also implementation, training requirements, and the learning curve for the InfoSec team.
Before considering adoption, Madhure wants to understand the time and effort required to configure and run the product. “Some products are pretty straightforward, but others require a lot of configuration,” he tells CSO.
Knowing whether updates are automatic or manual is critical, since ongoing maintenance directly affects workload. Madhure values tools that provide clear, actionable reporting and dashboards, particularly those that help track the maturity and progress of the security program.
He also wants to know if certain features require additional cost because that changes the product’s value and ROI. “We don’t want to go ahead with the product and then be told we need to purchase an additional enterprise version or another product for a feature to work.”
When choosing new vendors, Madhure and his team try to come up with a complete list of questions and then compare how well vendors fare. Yet there are still things that this process won’t capture. “We try to anticipate most of the questions, but there’s always a few we’re not able to identify upfront.”
4. What is your update cycle and can I be involved in shaping product design?
Scott asks vendors about their update cycles, including how frequently they release updates and respond to new threats or changes in the industry. “I want to understand how vendors stay up to date with new frameworks, regulations, and security challenges, especially in fast-changing areas like vulnerability scanning or GRC.”
Scott also wants to know about integration and whether the tool is fully cloud-based or has on-premises or hybrid components, a question that is especially relevant for a cloud-native company. He’s added questions about how the vendor is using AI and how they’re handling data.
“We want to ensure that our intellectual property and anything we’re putting in there isn’t being used to train third- and fourth-party vendors,” he says.
5. Can you provide real-world use cases and validate claims?
Seasoned CISOs ask vendors for specific examples about how their tool addressed similar problems to the ones they’re tackling.
“Mapping to established frameworks such as NIST CSF or MITRE ATT&CK is useful, but what matters more is evidence of outcomes — enhanced protection, reduced detection time, faster response, or lower cost,” Basu says.
In one memorable pitch, the vendor demonstrated all the features Madhure was looking for and was extremely knowledgeable about the product when answering their questions. “He was able to answer them or provide direction about how it addressed our pain points. They’d done their market research and knew the types of issues we faced.”
Scott prefers live demos to be sure the tool isn’t vaporware or let down by a poor interface or clunky functionality. He also asks prospective vendors how other organizations are using their tool and shares questions from his team who will be hands on.
“CISOs may understand at a high level why it’s going to provide value, but there may be some technical detail we overlooked or something the person on the ground will have a better understanding of,” he says.
Watch out for these red flags
CISOs all admit there are certain red flags that are an immediate turn off in a pitch session. One of the big ones is vague or outlandish claims. “Don’t throw around confusing jargon or make inflated claims about why your solution will solve all my problems so I can sleep well at night,” says Basu.
Dialing up the panic is a huge turn off for Madhure. “When they use the FUD (fear, uncertainty, and doubt) approach, that’s a red flag,” he says.
Referencing a company incident as a sales tactic feels like “ambulance chasing” and is unwelcome. “They never hit the mark and aren’t appropriate as the security community prefers to support each other rather than exploit tough situations,” says Scott.
Buzzwords are a big no. “When vendors use buzzwords in pitches or demos without actually supporting those features, it can be misleading. Because of our technical background, we can see through them,” says Madhure.
Vendors unwilling to accept feedback on their pitches can signal challenges for working in partnership.
“There’s been times I’ve said they should work on their pitch — keep it a little bit tighter or focused on the actual problem. Some of them take it well, and some of them don’t,” says Scott.