Ten rules recommended by CISO's for vendors when they meet security executives to discuss new technology.

1. 10 Rules for Vendors – an Overview
by
Gary Hayslip

2. Cybersecurity Division
Gary Hayslip is Deputy Director, Chief Information Security
Officer (CISO) for the City of San Diego, California. As CISO
he is responsible for developing and executing citywide
cyber security strategy and Leading teams focused on
Enterprise Risk Management, Security Engineering,
Application Security, Cyber Security Operations, & Cyber
Security Resiliency. His mission includes creating a “risk
aware” culture that places high value on securing city
information resources and protecting personal information
entrusted to the City of San Diego.
Mr. Hayslip has been honored numerous times for his work in
mentoring new CISO’s and creating innovative unique
cyber-security solutions. In November 2015, Mr. Hayslip was
honored by T.E.N. Inc. and awarded the Information Security
Executive - ISE® "People Choice Award for North America" for
the design and implementation of the City of San Diego’s
“Continuous Monitoring & Cyber Operations” project. He was
honored for taking an innovative approach to partnering
local cyber-security start-up companies with leading cyber-
security technologies.
Prior to joining the City of San Diego, Mr. Hayslip was the Command Information Security Officer of
multiple U.S. Navy commands where he has led operational teams responsible for security
engineering, operations, security compliance and policy, and cyber-security threat management.
Mr. Hayslip maintains an external presence on corporate advisory boards of multiple non-profits
and startup cyber-security companies. Mr. Hayslip has over 25 years of experience in information
security and enterprise risk management and is an author of numerous articles on cybersecurity. In
2016, Mr. Hayslip coauthored the CISO Desk Reference Guide Volume 1, now available on
Amazon and www.cisodrg.com.
LinkedIn: https://www.linkedin.com/in/ghayslip

3. Cybersecurity Division
Ten Rules for Vendors….
1. “Don’t pitch your competition”- I hate it when a vendor knows I have looked at some of their competitors, and then
they spend their time telling me how bad the competition is and how much better they are. Honestly I don’t care, I
contacted you to see how your technology works and if it fits for the issue I am trying to resolve. If you spend all of your
time talking down about another vendor, that tells me you are more concerned about your competitor than my
requirements. Maybe I called the wrong company for a demonstration.
2. “Don’t tell me you solve 100% of ANY problem” - For vendors that like to make grand statements, don’t tell me
that you do 100% of anything. The old adage “100% everything is 0% of anything.” In today’s threat environment, the
only thing I believe that is 100% is eventually that I will have a breach. The rest is all B.S. so don’t waste my time saying
you do 100% coverage, or 100% remediation, or 100% capturing of malware traffic. I don’t know of a single CISO that
believes that anyone does 100% of anything so don’t waste your time trying to sell that to me.

4. Cybersecurity Division
Ten Rules for Vendors….
3. “Don’t make me specialize to use your tool” - Don’t tell me your solution is written in proprietary language and I will
need this module or this application to read the data correctly. I have limited funds and a small team. I need a solution
that will integrate with my current security suite and it’s easy for my staff to implement, manage, and create reports.
Better yet, I like modular solutions that can grow with my organization as we mature. So, don’t hit me with an extra bill
each time I want to add a requirement or use a new service, just incorporate it into one bill that I can budget for and
defend when I go to financial management.
4. “Don’t bring me overcomplicated solutions” - This is a big issue. To all vendors, if the technology that you want to
sell me takes four sales engineers to explain it to me and several hours to demonstrate then it’s way too complicated for
me and I am not interested. I am dealing with issues 24/7, I typically have small teams and not enough funding so I am
not going to dedicate one staff member to just use your solution. True, you can make the case that it’s an awesome
security technology. However, the more complicated and time consuming the technology, the more resources get
consumed in trying to make it work and my teams don’t have that time. Bring me something that is elegant and easy to
use, reports that are intuitive and easy to configure, and it integrates whether through API or scripting with my SIEM and
other toolsets – I would give a body part for this us ability.

5. Cybersecurity Division
Ten Rules for Vendors….
5. “Don’t try to shortcut my procurement cycle” - As a vendor, when you are dealing with governments or large
organizations remember our procurement cycles are not fast. Some organizations are better than others but understand
it takes time. Also, understand when you deal with a CISO for a government agency and they tell you they are working
on the issue for you, don’t go behind his/her back and start harassing their procurement for the purchase order so you
can meet your numbers. To me that immediately kills any relationship and trust we may have had and I will request a
new vendor. Again, government procurement cycles are longer and take time. It’s all about the relationship don’t screw
up a long-term relationship to make a quick buck.
6. “Do be a partner to me, for I value partnerships, not technologies” - As a technology solution provider, if you
want to do business with me as a CISO, I want a relationship. I partner with all of my vendors and expect to speak with
you more than just once a year when it’s time for renewal. I like to work with my vendors and make suggestions to
improve the product and help the customer community. If you’re not interested in that, then don’t bother calling me or
better yet don’t expect me to renew with you.

6. Cybersecurity Division
Ten Rules for Vendors….
7. “Do give me three unique value propositions for using your technology” - Vendors, please understand when
you are talking to a CISO we are dealing with a large number of threats, projects, audits, politics, budget issues,
compliance requirements etc. So for sanity’s sake, keep your pitch simple. Don’t go into the weeds, focus on 2-3 key
value points about what your solution, platform, hardware etc. can do for us to help reduce our stress overload and
provide visibility into the issue you are trying to solve for us.
8. “Do know what problem you are trying to solve” - From the previous statement above, KNOW WHAT
PROBLEM YOU ARE TRYING TO SOLVE! Please know what the problem is, why it’s a problem, why it’s going to get
worse if not remediated, and how you can take that problem and turn it into a good news story for me so I want to work
with you.

7. Cybersecurity Division
Ten Rules for Vendors….
9. “Do automate, it is the future” - Please tell me how I can automate your solution, again with small teams and
limited resources. I am on the lookout for how I can reduce risk to my organization through automation using AI, UBA,
SDN, and other technologies so I can concentrate my teams and our resources on those areas that are impactful to
my stakeholders. If your solution is a standalone technology that must be manually operated, you are five years late.
The threats we currently face are happening so fast that the survival of my networks is based on what I can automate.
10. “Do bring platforms, not individual tools” - My last point I want to make is that as a CISO when I am looking at
technology to assist me with a security gap I tend to look for a solution that is a platform. I don’t like to look at one-offs.
I have enough issues and technology to manage so I would much rather look at a platform solution. Show me
something that helps me solve several security control issues and it is mature enough to grow with me over time. I
know there are companies that have their niche and all they do is one small thing very well. Eventually, someone is
going to add that niche to their platform and even if they don’t do it as well as you it will be enough for you to lose
market share. Just understand I am trying to remediate as many issues as I can with limited funding so I will look for
platforms more often than not to do this effectively.

8. Cybersecurity Division
Final thoughts…
• Some insight into how I source technology when I am researching a requirement.
• As a CISO, I will normally talk to my peers first for ideas on how to remediate an issue.
• I then research solution ideas from the forums of professional organizations.
• I will contact research providers such as Gartner, Forrester or boutique research firms that
specialize in areas I focus on such as TechVision.
• When ready, I will reach out to a trusted partner to bring in a technology that I am interested in
or I will directly contact the company.
• I typically like to be contacted via email first, even though I get huge amounts of
correspondence, I try to let vendors know if they are in a technology that I might have a need
for and, if so, I will request a meeting.
• Most CISOs have limited time and are dealing with numerous issues across their organization,
cold calling one of us will normally get your number blocked and we will definitely not reach
back out to you.
• Cold calls to me are interruptions, you are breaking up the flow of my day and interfering with
what I am trying to accomplish. I would much rather talk to you at a professional event or via
email from one of my trusted partners.

9. Path to Success
Questions, Rants, Discussions?
Gary Hayslip
Deputy Director
Chief Information Security Officer
@ghayslip
https://www.linkedin.com/in/ghayslip