Have you ever wondered why many security strategies look more like a BINGO card than an actual strategy?
Organizations are still rarely proactive about cyber security. Usually something triggers the decision to invest in it: they suffered a breach, a regulation requires it, their clients demand it, or they decide to IPO, just to name a few.
When they finally decide to do it, they want to get it done as quickly as possible so they can move on to the next problem. So how do they usually do it? By throwing some people and money at it, and then pushing their newly minted CISO to move as fast as possible.
The BINGO card shopping list
With that pressure in place, I’ve seen many CISOs immediately move to creating a strategy that is nothing more than a shopping list, as opposed to a strategy based on the threats and risks to the business.
That shopping list is nothing more than a filled-in BINGO card full of silly acronyms created by industry analysts. We have all heard them: ASPM, CSPM, DSPM, CTAM, and the list goes on …
Don’t get me wrong, there is nothing inherently wrong with having categories, but the industry keeps generating more and more of them for every small product variant, and vendors and CISOs alike keep trying to fill the BINGO card instead of being very clear about what problem they are trying to solve.
What problem are you trying to solve?
On 11/21/2024, I posted on LinkedIn and told security vendors “Tell me what problem your solution is solving!” To my surprise it went viral, with over 178,000 views. I also received hundreds of product pitches from enthusiastic vendors who essentially proved my point! All of them could tell me what they do or what BINGO category they fit into, but NONE of them could articulate what problem they solve!
Whether you are a CISO looking to buy a product, a startup founder looking to develop a product, or a vendor selling a product, have a precise and clear vision of what problem you are trying to solve, and then, and only then, describe how you are going to solve it!
Here is an example: it is not enough to say “We solve the problem of organizations having a lot of vulnerabilities.” That is usually a symptom of a much deeper problem, so make sure you get to the root cause.
Getting to the root cause
It was very clear from the responses to my LinkedIn post that people don’t know what problem they are solving, nor its root cause. Either people stated a vague, generic problem without really qualifying it (“Shift-Left is Broken” – What……?) or they just pitched their product (“we automatically generate code fixes for vulnerabilities reported by commercial SAST tools”).
When I worked at Intuit, I remember the philosophy of “We fall in love with their (customers – YL) problems and never our solutions”, or as Brad Smith, Intuit’s former CEO, said: “If you never lose sight of the problem, how you attack the solution can remain more flexible, iterative and ultimately, be more likely to succeed”. Unfortunately, too many people fall in love with their own ideas and solutions and completely fail to determine whether this is the right idea or solution for their organization.
If you focus on the problem, one way to get to the root cause is Toyota’s “five whys” technique, developed by Sakichi Toyoda, the Japanese industrialist, inventor, and founder of Toyota Industries, in the 1930s. It is a problem-solving technique that involves asking “why” five times to get to the root cause of a problem: each answer becomes the subject of the next “why”. By repeatedly asking “why,” you peel back the layers of symptoms to uncover the underlying cause. The technique is simple but effective, and it can be applied to problems of any size or complexity.
People don’t buy what you do, they buy why you do it
One of my all-time favorite TED talks is Simon Sinek’s “How great leaders inspire action”, which later turned into the book “Start with why”. These are a MUST watch and read for every vendor and every CISO.
The reason I love it so much is that I strongly believe this philosophy, in which purpose and belief are the main drivers of inspiration and loyalty, should be at the heart of everything we do.
As a CISO, I don’t look for just a vendor, I look for a partner for the journey! Someone who will be with us through thick and thin in the mission to enable a secure, compliant and resilient business. So when I buy something, I want to make sure the partner understands the problem they are solving and is deeply committed to solving it.
Conclusion
I created my LinkedIn post originally as a Public Service Announcement (PSA). I did not intend it as a call to send me sales pitches; however, in response to my post I received hundreds of product pitches and connection requests from vendors.
Almost all pitches proved my original point. Almost everyone tells you what they do, but not what problem they solve! The very few who attempted to articulate the problem either pointed to a symptom of the problem rather than its root cause, or offered nothing to back up their statement.
My advice to vendors who are looking to sell to CISOs:
- Be crystal clear: what problem do you solve?
- Have even better clarity about why you solve this problem!
- If you are not sure about your problem statement, ask yourself the “So what?” question, and also “Who cares about this problem?”
If I have this problem and it is a priority (and I have budget) at this time, I may engage. If not, please go away until it is a priority (I will let you know). You will save both of us a lot of time and effort.
You can also read my other post Vendors, Stop shooting yourselves in the foot.