CISO Community Management From the Vendor Perspective


In this episode of Cybersecurity (Marketing) Unplugged, Dan also discusses:

  • The main benefits in creating and managing the CISO community he’s put together from a vendor perspective;
  • How he maintains an active and engaged CISO community and the measures he takes to encourage participation and ongoing interaction;
  • Specific metrics or indicators he uses to measure the success and effectiveness of his CISO community management program;
  • And much more!

Dan DeSantis is the Director of CISO Advisory in Cisco’s Security Organization. He has 25 years of experience as a tech founder, Chief Technology Officer, and a leader working with many of the largest companies in the world. He rejoined Cisco in 2020 from Focal Point Data Risk where he co-led efforts across advisory, identity and cyber workforce development practices. During his tenure at Cisco and other cybersecurity organizations, he has formed deep and lasting ties with numerous CISOs and other senior security executives and has led strategic teams to secure the encryption infrastructure of some of the top financial services organizations in the world. 

To say CISOs are influential within their organizations would be an understatement. Fighting for security budgets on the side, CISOs are the main conduit for conveying risk to executive management and often have the final say in implementing new security-related technologies and services. Given their influence, it’s obvious why security vendors typically target CISOs with marketing and sales management.

Getting to and influencing a CISO is no small task. CISOs are understandably averse to vendor interaction, given how they are inundated by constant marketing and sales outreach via LinkedIn, email, phone, smoke signals, you name it. Fostering favor within CISO communities is a monumental task, but it can be done!

“You cannot tie hosting a CISO dinner, or community building, to a marketing qualified lead, or an MQL. For those who are in marketing or advertising, I know this is agonizing to hear, but CISOs smell that - it’s in their gut, they know if we have an agenda and we’re looking for an MQL.”

Full Transcript

This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors. 

Mike D’Agostino: [0:26]

Welcome, everyone, to another episode of Cybersecurity (Marketing) Unplugged. I’m Mike D’Agostino, general manager with CyberTheory and your host for today’s program. Thank you for joining us. Chief information security officers, CISOs, if you will, is the topic for today’s discussion, as they become modern day rock stars. Maybe rock star isn’t the best association as I think traditionally, people think of rock stars as free spirits, operating outside the traditional norms of everyday people. Perhaps elite sports star is a more appropriate association. They can reap major rewards but are under the most intense pressure and scrutiny in an organization to perform aka keep their company secure. And if they don’t, then sentiments can change in a flash. So to say CISOs are influential within their organizations would be an understatement. Fighting for security budgets on the side. CISOs are the main conduit for conveying risk to executive management, and often have final say in implementing new security related technologies and services. And given their influence, it is obvious why security vendors typically target CISOs with marketing and sales messages. But getting to and influencing a CISO is no small task, understandably averse to vendor interaction given how they are inundated by constant marketing and sales outreach, whether it be via LinkedIn, email, phone, smoke signals, you name it. Fostering favor within CISO communities is a monumental task, but it can be done. One such vendor Cisco has not only created their own global CISO advisory group, but has done so in an environment where they are not traditionally thought of exactly as a security company. But perhaps that has been part of their plan all along and fostering such communities. The closer they are tied to CISO communities, the more they will be seen for security, not just an IT company.
To help us parse through the gyrations of CISO community management from a vendor perspective, we have our guest for today’s session, Daniel DeSantis. Daniel is no rookie with Cisco, having spent over 12 years with the company in various capacities. At one point a seller himself, he deeply understands the sensitivity in fostering CISO camaraderie. Currently, Daniel is the director of the Americas CISO Advisory Group with Cisco, where he manages a team focused on CISO engagement, aligning Cisco solutions to their priorities. Dan, welcome to the show.

Dan DeSantis: [3:07]

Thanks so much for having me. I’m glad to be a part of this. And as I know, you’re well aware I’m particularly passionate about this subject. So it’s great to be here.

Mike D’Agostino: [3:15]

I know you are! That’s exactly why we asked you to join us, couldn’t think of another vendor or another contact with another vendor organization that is so tied into forming the CISO community. So happy to have you on. And just to get us started, please. I don’t know if I did justice. Fill in any gaps. I’m sure I’ve left out on your background and how you’ve gotten into this position where you’re responsible for helping manage CISO engagement for Cisco.

Dan DeSantis: [3:43]

I think you did a great job of capturing it. And I started at Cisco back in 2007. Although I’ve done stints outside of Cisco at other organizations; always in cybersecurity. But the one thing that was always extremely important to me, I think my second week on the job at Cisco was I hosted a dinner at that time. Again, remember, this is 2007. So CISOs hadn’t quite achieved rock star status yet. But we had eight or 10 CISOs and a wonderful dinner. And I think I understood for the first time the challenges that they were dealing with and how I might be able to help them as a cybersecurity vendor. So prior to that I was a technologist. I built service provider networks for about 12 years in Cleveland, Ohio. So thanks for the background there.

Mike D’Agostino: [4:37]

So going back to 2007, you’re almost at the 20-year mark in terms of CISO community engagement. So lots of experience there. Well, first and foremost, I’m sure our guests are eager to hear. In your experience, why are you doing this? What are the main benefits in creating and managing such a CISO community that you put together, specifically from a vendor perspective?

Dan DeSantis: [5:03]

Sure. It’s a great question. You touched on this in your intro; Cisco has been long regarded as an iconic networking provider. But despite billions of dollars investment, and a massive cybersecurity organization, we’re not always seen as a cybersecurity player. So as it relates to Cisco, we need to deal with a misperception issue. And a lot of reason why we’re building community with CISOs is we want to make sure they know that we understand their language, we understand their challenges. And in so doing, we can defeat the misperception that exists about Cisco. That’s a big part of why we have this program here at Cisco is because we do want to make sure that CISOs understand that we can be relevant to them. Outside of that, the more I think we can align our product organization, we can align our sales organization to those challenges that I’ve mentioned, and we’re good here at Cisco, to understanding network and infrastructure leaders’ challenges. But imagine the combination of mapping that to sort of a campaign tied to CISOs are those challenges as well. And so a big reason for this is that I believe that we can be even more relevant to our customers, and certainly our partners, if we’re not only making sure that the stuff that we’re selling them, our strategy, and our investments are resonating with CIOs and CTOs, but they’re also resonating with CISOs. And I think the corollary there isn’t a pause after this is that clearly, especially in some of the bigger organizations now, CISOs are at the board level. They’re very influential individuals. Oftentimes, they have budgets, or they’re influencers. So shame on us if we can’t ultimately build rapport with a decision maker like that.

Mike D’Agostino: [7:05]

Absolutely! I think digital transformation of which Cisco is at the forefront leading the charge there, it’s inevitable – the intersection between IT and security and the CIO, CTO, CISO, all of them sort of converging, so well understood. And here at CyberTheory and our parent company, ISMG, we have lots of different communities that we manage. And I can tell you from firsthand experience, creating engagement within those communities is no small task. So if I turn it back to you, what are you doing from that standpoint? What measures do you take to encourage participation? And I guess, more importantly, you can get people to sign up for communities, but to keep them engaged and interacting with each other after they become members, that’s the challenge. What are some of your strategies for doing so?

Dan DeSantis: [8:05]

Yeah, great question. So, first and foremost, the team that I’ve recruited here at Cisco is comprised of former CISOs, or senior security executives. And I think that’s key to the success of running a program like this is that we can probably have a conversation about which is it and I think defensively come from, but they want to talk to the folks to understand their pain, they want to talk to folks that sat in the chair. So I think when you’re building community, bringing subject matter experts and thought leaders to the table, and I want to be very clear and very respectful, not just former consultants, I see this with a lot of other vendors out there, where they’ll have a team similar to mine. And it’s comprised of folks who have, by the way, very good consultative cybersecurity experience, but they never sat in the chair, they were never a CISO, or a deputy CISO. And so I think that’s super important to maintain engagement and relevance to this community, they tend to trust one another. And they want to hear from other CISOs. So I think other things that we think about, and we do in-person events, and we do virtual events, this is that we honor the Chatham House Rule, that we make it a safe zone for these CISOs to interact in with their peer group and with other thought leaders. And so we’re very militant, I suppose, about not involving sales in that process. Now, we do of course, convey back to our sales organization and our product organization, some of the messaging that we’ve heard, we don’t share who said it, because, again, we’re adhering to Chatham House, but we’re also making sure that what they’re willing to share, we can feed back into the organization so that we can have a transparent relationship to the extent that those CISOs want and I think that’s important, and I’ll pause after this, over the past two and a half years since creating the program is that we’ve noticed that CISOs want to have a relationship with us.
They want to have a transparent relationship with us. So most of them are typically good with “Hey, listen, what’s your product? This is my challenge right now. Let your sales team know this is my challenge right now.” I’m happy if you share that with them. So the community needs to be a community of CISOs. You need to bring CISOs and thought leadership to the table. You need to share best practices and educate them. And you need to make sure they feel like they have a safe environment. I think those are all the recipes for success here.

Mike D’Agostino: [10:39]

That is a great recipe. Appreciate the insight there, on those three points; totally agreed. And we’re not looking for any inside secrets or anything, but maybe show off a little bit. Can you give us an example or two of some successful initiatives, or even point specific activities, that you’ve seen, like help foster that collaboration and knowledge sharing?

Dan DeSantis: [11:05]

Yeah, one of the things that we’re particularly proud of is a program that we’ve worked on with a number of the Information Sharing and Analysis Centers or ISACs. It’s a leadership development program. I think a lot of times when a vendor is driving community building with CISOs, it ends up being extremely self-serving. I want to be very clear, I work for Cisco, I want to represent our security brand. But I believe if I can find a way to invest in a CISO and making them better or a deputy CISO and making them better, then that’s a good way to build loyalty and rapport. So one of the programs that we’re particularly proud of is our work with the Health-ISAC and our work with Retail and Hospitality ISAC around leadership development programs for upcoming executives, and we’ve had deputy CISOs, we’ve had first year CISOs that are learning to build their leadership acumen. And we don’t talk to them about zero trust, we don’t talk to them about technology, we talked to them about how to present to the board. We talk to them about how to build consensus and engage with lines of business and be better communicators. And that’s been a very powerful program for us. And it’s a way to build trust, is they are expecting Cisco to talk about product and we never do. So it took a strong partnership with the ISACs to pull that off and we’ve now built quite a contingent of former students or graduates of the program, and we’re looking to double down and invest more there.

Mike D’Agostino: [12:37]

That’s fantastic. That’s a great approach/offering, almost career advice and advancement through these educational opportunities. Always of interest to professionals. You’ve kind of touched on it a little bit, given a little bit of insight, but you are coming from a vendor organization. So there is a little bit of an agenda there. But how do you balance, the interests of your organization, and what you’re trying to accomplish within your security business units, and the needs and expectations of CISOs in your community without kind of crossing streams so to speak?

Dan DeSantis: [13:21]

It is a balancing act. This is a key word here. At the end of the day, Cisco and our shareholders expect that we continue to build pipeline for our investments in cybersecurity. So, to your point, we are a vendor. We don’t want to be seen that way. We want to be seen as a partner – a strategic partner, a business partner. But so I think a lot of this for me had to do with getting our leadership and thankfully, I have a leadership team here at Cisco that is 100% onboard with understanding that I need to run a team that can maintain some level of agnosticity, if that’s a word, that we can go in and sit down with a CISO and we don’t come across as being heavy handed around pitching Cisco security technology. The leadership here is very much bought into the notion that if you win hearts and minds, then a lot of times what will come with that is investment in the technologies or the solutions that we can offer our customers. My experience, and my team has done in two and a half years roughly, just somewhere north of 300 direct engagements with CISOs or the equivalent. By and large, they want to have a relationship with us. I think it’s important to be transparent with them. We go in and tell them the team that I have is not quota carrying. We’re here to represent Cisco as a security expert. We’re here to represent how we can help you with your challenges. But we’re not going to give you a pitch on zero trust or we’re not going to give you a pitch on XDR. We have a sales team that can do that. So the best way to think about the balancing mechanism here is outside of making sure that I get the leadership on board at Cisco with this effort is that we portray ourselves to CISOs as bridge builders, no pun intended. Cisco is the bridge.
And I think we’re in a powerful position with our customers to say, “Listen, we can add a ton of value on both sides of the aisle – both on the networking infrastructure side, as well as on the security side.” And in many ways we can be a communication device, and we find that a lot of CISOs are interested in that capability.

Mike D’Agostino: [15:38]

No doubt, and you kind of touched on it and look, to put it in context. Most of our audience is going to be cybersecurity marketers, and some sales, but mostly the marketing community, which is these days, incredibly data driven, and ROI driven. So that’s kind of the frame of reference for much of our audience. So you’ve mentioned, I think you said 300 engagements over the past couple of years. I understand everything needs to be working towards contributing to pipeline revenue, and that sort of thing. But are there any like other like specific metrics or indicators that kind of perk your ears up, so to speak, when you’re looking at like was this successful? Or was this engagement effective? Like, how are you trying to measure that?

Dan DeSantis: [16:33]

Well, so I will tell you. While we’re not quota carrying, we have meticulous trackers of our engagements. I’ve got a wonderful team supporting me. We document all of our activities, we have performance metrics that are tied to customer engagement, and perhaps more importantly, reengagement. I’ve seen other attempts at building organizations like mine. And oftentimes, they’re not measured. And we are very careful here, we’re not using quota as a device for measurement. We’re looking at if you want to unpack it, relevance. If I can get to a CISO and I can maintain a relationship with a CISO, what’s going to happen organically through that, and in some instances, you have to play the long game here. And I know sometimes that makes folks in marketing, very nervous. I’m going to say something controversial, you cannot tie hosting a CISO dinner, or community building to a marketing qualified lead, or an MQL. That’s the right term, and believe me, for those who are in marketing or advertising, I know this is agonizing to hear, but CISOs smell that. They sense that. It’s in their gut. They know that if we have an agenda, and we’re looking for an MQL, or a lead to come out of that. Now, here’s what I can tell you. Categorically, leads, of course, come out of those interactions. And so the key to success here is to make sure that you have the tracking apparatus on the back end of this that isn’t so heavy handed, like did we send a follow up? Did we send this glossy or this thing? Or do we schedule a proof of concept or a demonstration because that CISO mentioned that one of their initiatives is an identity project or what have you? I can promise you that if somebody in marketing or sales immediately follows up after a CISO dinner, and that CISO had shared that identity is a big project that they’re undertaking, and they got a request to participate in a demo or a proof of concept, that CISO would never come back to another dinner. They just wouldn’t. 
Because they’re like, you’re a wolf in sheep’s clothing. But on the back end, of course, I’m documenting. We’re going back to the sales team and saying – listen, this is what we heard, and let’s help you with a strategy now that we know this is top of mind for that CISO to go at it in a way that is a bit more subtle. And of course, we track this all through Salesforce and other tracking tools on the backend. Measure is extremely important. So I’m not sure if that answered your questions. But we know we can correlate hosting such events, direct CISO engagement with pipeline creation. And I have many examples of that. But it’s just you got to be very subtle on how you do that in front of the customer.

Mike D’Agostino: [19:33]

That was an awesome answer. I want to frame some of your quotes there. You just gave the blueprint for how to manage a successful CISO roundtable. We manage a lot of those through our parent company ISMG. And you’d be surprised how much education we have to do to set expectations in terms of what you are there for from a vendor perspective, and you’ve summed it up beautifully. Appreciate that. But one more question here is sort of future looking. You get so many interactions with CISOs in various capacities. What are one or two items that you’re seeing, top of mind, heading into the rest of this year?

Dan DeSantis: [20:25]

I just want to make sure I got the question right, so, like future challenges for building community, or specifically what we’re seeing from CISOs?

Mike D’Agostino: [20:31]

More on the latter. So what are you seeing in terms of the important talking points for CISOs? What are they most concerned with you think?

Dan DeSantis: [20:42]

It’s funny, you asked. I just interviewed the other day of a Fortune 500. And her comment to me was what do you want me to start with my list? A lot of what we’re hearing from CISOs, and this is vexing for product companies, are areas where you cannot necessarily help them with a product, you have to be willing to have a conversation and bring thought leadership to the table. Things like third-party risk. Third-party risk continues to be a top-of-mind issue, all the CISOs that we’re talking about. They’re very cognizant of the fact that they may have their house in order, they may have an amazing security program with all the right stakeholders on board. But the reality is that they’re only as strong as their weakest link. And if they’re dependent on a supply chain partner that has a poor security program or an immature security program, then that can represent a substantial threat to their business, and cause this business disruption. That’s a big one. I saw this come and go a bit. Just so two other things I’ll mention that are top of mind, we saw a fair bit of, I think concern about the legal exposure for a CISO, a lot of this owing to what happened to the gentleman at Uber. And that’s a very polarizing conversation. But I think there’s a lot of CISOs now that are looking at insurance. They’re having conversations with their general counsel, they’re looking at retaining personal lawyers to make sure that they don’t assume any personal risk if something goes awry. The last thing I’ll mention is in the boilers, again, there’s a litany of things. Once again, a resurgence of this topic, in recent times is generative AI. That’s become the new hot topic. Everybody wants to talk about generative AI and the democratization of AI. There is no perfect solution for this. It’s a multifaceted problem. How do I use it to make my security posture better? How are the bad guys using it? And how do I police it?
How do I put guardrails around this so that my intellectual property or PII doesn’t get leaked out? And so that’s a teaser there’s a bunch of other stuff I can probably go on and on about, but hopefully that gives you some insights.

Mike D’Agostino: [22:56]

That was fantastic. And you touched on the term of the moment – AI. I wasn’t going to bring it up. But thank you for doing so. Definitely part of the conversation here, as we look to close out 2023. Dan, appreciate the insight. Congratulations again on such a great CISO community program that you put together over there for Cisco. Looking forward to seeing what the group continues to do in the future. I’m sure we’ll be crossing paths again. So for everybody in our audience, thank you again, and have a good rest of the day.