**AMA NOW CLOSED** I'm Scotiabank's Deputy CISO. Ask Me Anything...

Hey War Room!


Rob Knoblauch here. I’m the Deputy CISO and VP of Global Security Systems at Scotiabank. Bravado has asked me to step into the lion's den for their first ever AMA series, so here it goes…


Ask me anything NOW until Tuesday at 10am Eastern. I’ll tune in throughout to answer your burning questions.

🎈 Mentorship
👑 Sales Strategy
🔐 Cybersecurity
164
CuriousFox
WR Officer
85
🦊
Hi welcome to the War Room! Glad you are here.

What is the number 1 question you wish sales reps would ask you, but don't?
RobKnoblauch_CISOScotiabank
Notable Contributor
35
Deputy CISO Scotiabank
Hey, thanks for this question. Had to think about this for a bit, I have never heard a sales representative ask me a really basic question: "What is the easiest way for me to work with you". 
someoneinsales
Tycoon
11
Director of Sales
What is the easiest way for us to work with you? :)
ragnarlothbrok
Politicker
6
Key account manager
*frantically taking notes 
CoorsKing
WR Officer
38
Retired King of the Coors Knights
Hi Rob, thanks for jumping in the WR! How often do you reevaluate security policy? I often find CISOs I sell to are reluctant to evaluate new tools if they don’t meet some predetermined criteria. For you - what normally convinces you to evaluate new tech?
RobKnoblauch_CISOScotiabank
Notable Contributor
12
Deputy CISO Scotiabank
Not specific to my company, but in the form of best practice - regulatory policy tends to drive cyber policy. Also best practices change over time, also changes in technology - SaaS and Cloud being good examples of having to re-tool; and incorporate new policies... it's a significant change in technology. Another example is change in waterfall vs. agile development; it requires a different approach from static code scanning to CI/AD integrated security vulnerability management.... however I find that often the core policies and logical models don't change much over time... one simile to drive the point in banking is back in the wild west it used to be a physical vault, now it's a vault of 1's and 0's... but the same concept of who holds the keys, how is the access control done, etc.. fundamental concepts still applicable today. 

The short answer is often it is regulatory drivers and also real world incidents/examples. Everyone is really concerned about Ransomware, and to prove how this co-exists with regulations - both NIST (USA) and UK Government have issued really impressive guidance on Ransomware resiliency. 
funcoupons
WR Officer
36
👑
Approximately how many cold reach outs do you get per month, and how do you decide which reps to engage with?
RobKnoblauch_CISOScotiabank
Notable Contributor
10
Deputy CISO Scotiabank
Per month or per day? 

Everyday at least 3 people call me to offer me whitepapers on Cloud, AI and other stuff which usually has nothing directly to do with Cyber. 

Probably 5-10 calls a day from various numbers I don't even know.. 

I don't pick up my work (cell) or work (land) line often usually because I am in B2B meetings all day, and in terms of voice messages... right now I have 163 voice messages since June 1st... haven't listened to any of them... 

Everyone important has a contact entry so if there is a random number I don't pick up anymore, if it's Unknown I def. don't pick up because it could be sketchy malware coming at me and I'd rather not.. but honestly the amount of IT tech and sales reps and research associates make my phone basically something that goes off all the time and i pick up when the contact is someone I know. 

It is what it is... I don't whine about it. 
BmajoR
Arsonist
22
Account Executive
Welcome to the lion's den, thanks for taking time to be a part of this. 

Are there more regulations in considering new tools because you're in finance versus other verticals? 
RobKnoblauch_CISOScotiabank
Notable Contributor
6
Deputy CISO Scotiabank
I think so, different regulations... handling critical infrastructure (or that entire industry) is going through a lot of change in cyber policy and legislation right now. Finance has always been heavily regulated, what makes it interesting is working in a global bank and seeing different levels of regulatory maturity in different areas across the world. Its not consistent but there is advancement regardless, and that is a good thing. I certainly would say the US, UK, Singapore are really advanced in this area and continue to drive innovation. 
ClosingSalesPeople
Praised Answer
19
Sales Consultant
If you’ve considered purchasing a product/solution in the past but didn’t purchase it in the end, why?
RobKnoblauch_CISOScotiabank
Notable Contributor
5
Deputy CISO Scotiabank
Happens all the time, big bake off, PoC's, 6-12 months of eval to end up not purchasing. Biggest reason is the solution didn't do what we needed it to do, second is an existing vendor has created the same functionality in an existing product (happens a lot) and also the eval team (ie: people who will end up running the technology) feel it's not worth the effort (operationally complex) or something better is coming down the road. One example of this particular problem is comparing on-prem solutions to SaaS solutions...  would you run your own email system in-house or use office 365? Ask that question 10 years ago and you would have a different answer. 
poweredbycaffeine
WR Lieutenant
17
☕️
Based on my experience in cyber insurance, our CISO or CIO would get hammered with pitches and cold calls/emails that had nothing to do with them because no one truly takes the time to differentiate between what you do and what the CTO does.

As a CISO, how often do folks reach out to you with content that is truly meant for the CTO or their staff? 
RobKnoblauch_CISOScotiabank
Notable Contributor
5
Deputy CISO Scotiabank
Folks reach out to me everyday with items not for a CISO or a Cyber person. I just say I am not in that role and have a nice day. Bye. I do try to avoid those calls though (I wrote about Cold Calling earlier in the thread). 
poweredbycaffeine
WR Lieutenant
2
☕️
Thanks, Rob!
BasstheBear
Opinionated
16
Business Development Representative
Hi Rob! I work for a security compliance management company and I'd love your perspective on the apparent animosity that security professinals have for salespeople. 

From your perspective is there a cultural reason for this? Is there just a common personality type that usually goes into security that doesn't like sales outreach? 

What do you think the reason is and what do you think salespeople can do to circumvent this initial animosity? 
RobKnoblauch_CISOScotiabank
Notable Contributor
14
Deputy CISO Scotiabank
Security people tend to come from lawful-good backgrounds (military or law enforcement, or auditing, or IT). Sales people in general have a reputation of necessary evil. We know we need to purchase something, we know your job is to get the best price... for yourself... and sometimes it is very obvious. 

Also there is a major habit that once that deal close occurs; we don't see the sales rep until renewal time... it's passed over to a Sales Engineer or an account manager which was introduced through the procurement process... 

Keeping the relationship alive, maintaining your relationships is just as important as scouting out new potential clients. Word of mouth in my community is huge and shouldn't be underrated. 

Point blank I have been in conferences, meetings, birds of a feather sessions with colleagues who do what I do in other companies and when we start comparing tech - if there is something that is new to the other party, the first question is - does it work/is it cool/worth the money and if the answer is yes, the 2nd most popular question is - who can I reach out to (in that organization) - often we recommend the person we have the closest relationship with, and usually it's not the sales rep. 
BasstheBear
Opinionated
2
Business Development Representative
This is absolutely great stuff. Thanks so much Rob. We really appreciate it. You’re a beast.
UserNotFound
Politicker
15
Account Executive
Hi Rob, thanks for agreeing to do this! Often I find that CISOs & CIOs still need final approval from CEO or CFO, do you find that it’s easier to get approval if you bring them into the discovery process early or do you prefer to have a recommendation ready and “sell” internally yourself?
RobKnoblauch_CISOScotiabank
Notable Contributor
4
Deputy CISO Scotiabank
Thanks for this question. In a large organization; no one single person has "all powerful decision making authority". It does start with the security TEAM (the CISO needs the approval of a new solution from the team that will end up supporting it); once you have the security organization's buy in - there are usually partners within the organization (like the network team, if it's network security, or the devops team if it's code scanning, etc.) - the clients of the security team inside the organization. They need to be cool with the technology too. 

Then there is the business side of things, strategic sourcing, procurement, legal, finance - all these groups have an important voice in the procurement process and making sure they are engaged, making sure the transaction's risk is mitigated protects the overall organization. 

Usually it's a cast of a lot of people when making a large expense, and rarely does one person have overall authority. There have been technologies that the IT team and Security team love but we couldn't purchase because the contract and conditions we needed in that contract (which come from our regulators) couldn't be realized. 

One great example of this is one of the major 3rd party providers don't provide the right to audit in their contract - which has caused us to walk away even though they are considered a market leader.... 
someoneinsales
Tycoon
13
Director of Sales
How do you research vendors when you are looking to solve a problem (Gartner/Forester? Reseller? Google?) and how do companies get your attention during the research phase of a problem?
RobKnoblauch_CISOScotiabank
Notable Contributor
11
Deputy CISO Scotiabank
Amazing question, and this is exactly how is should be done... Here is a typical process/not specific to Scotiabank:

Regulator or Auditor or Incident or new Best Practice highlights a gap or something we need. 


Step 0: Document your requirements and ensure you identify the key stakeholders to develop and agree on those requirements. Know what you want to buy (which may change as you learn more) before going out shopping.


Step 1: Do we have anything in our existing eco-system that could do this? Many times we buy "microwaves" which are only used for the "popcorn button". We can do other types of cooking with that microwave, but we either haven't licensed it or we simply never thought about using a technology in that way. 

Also, maybe you have a subsidiary or close partner that has this solved already and you grow that solution globally. 

If nothing in existing portfolio; proceed to Step 2.

Step 2: Research. Research. Research. What are your peers doing? What is the market doing? What do your friends who you trust and are way smarter than you doing? What do they recommend? Talk to Gartner, talk to your VAR, figure out who's who in the zoo and come to a short list of solutions you think will do the job. 

Step 3: Have a structured process for evaluating. I've seen horror stories where vendors were excluded that actually would have probably been the best solution, ask your procurement team to assist with a formal RFP/RFI.

Step 4: Issue RFI/RFP to key market players based on your homework, score RFI/RFP - if clear winner goto POC, If no clear winner than maybe a some more homework or bakeoff..

It is difficult for smaller companies to get "on the list"; but if you have a good evaluation team often they will research and find out the upcomers as well as established players. I have many examples where the underdog won the bid and were not on a gartner list. They won simply on having the cheapest and the best. 

someoneinsales
Tycoon
2
Director of Sales
Really appreciate the thought out answer here Rob.
curiousmajor
Executive
0
Inside Sales Rep
Thanks for sharing this insight Rob. This sounds like a very well-structured process. But as Daniel Kahneman (winner of noble in behavioral economics) said decisions are made irrationally and are later justified with data. He extends saying that irrationality is stemming from many micro factors that are at play in the subconscious mind. 

Can you help us understand what are the micro factors that are at play in the overall decision-making process? example-the website is bad so this vendor will not even make the shortlist. or another one is this vendor is not SOC2 compliant so not making the shortlist. etc. 

Any insight into this would be appreciated. Thanks!
benjamsi
2
Director of Business Development
Very insightful, Rob! When you say "have a good evaluation team", who typically makes up that team? 

Second question on tied to this thread...Aside from referrals, what sources of information currently help an evaluation team with learning about new vendor solutions? 
RobKnoblauch_CISOScotiabank
Notable Contributor
0
Deputy CISO Scotiabank
Hello, thanks for the question. There are certainly cognitive biases introduced when working with any team - sometimes a solution is on the list because there is a personal relationship; or an organization has a greater weight in a specific criteria because of recent events (for example, as a reaction to supply chain attacks). 

In order to mitigate the risk of this; just have a strong scoring and evaluation criteria based on requirements. 

SOC2 compliance is a bit different as there are usually regulatory requirements which are addressed by a SoC2 report (in terms of exercising due diligence). 
RobKnoblauch_CISOScotiabank
Notable Contributor
1
Deputy CISO Scotiabank
Thanks for the question. 

Good Evaluation Team, from a cyber solutions perspective:

1. The Cyber Team (as they will end up running it). 
2. Procurement Team/Strategic Sourcing (business/financial aspects)
3. Legal (contracts)
4. Client-side or Business Partner (say we are buying a firewall, your network team needs to have a voice). 

(that would be the minimum). Basically bring in representation of anyone who has to live/deal/maintain/use the solution so collectively you can make a decision and go forward. The largest team I have led for an RFP was around 70 people. 

In terms of sources of information... constant reading... conferences.. but here is a trick not many people know about... check it out: 

www.dailyrotation.com (sometimes a bit flaky) 
and www.freshnews.org

Cheers 
someoneinsales
Tycoon
0
Director of Sales
Bookmarked!
1nbatopshotfan
Politicker
1
Sales
Co-sign on this question. 
paddy
WR Officer
13
Director of Business Development
Sorry for my other question, Rob. I didn't take my meds this morning. In all seriousness, what are CISO's doing to prevent more ransomware attacks as they are seemingly becoming more prevalent with rogue actors on the global stage?
UserNotFound
Politicker
1
Account Executive
Follow-up to this. How important is end user behavior modification to you versus an automated tool to mitigate end user behavior? 
RobKnoblauch_CISOScotiabank
Notable Contributor
2
Deputy CISO Scotiabank
I think when security professionals say "users are the last line of defence" it highlights someone who doesn't really understand the security architecture/ecosystem. An example; ABS braking on cars. The idea behind this is that if you are in a skid, the ABS will kick in and stop the wheels from locking - keeping your car straight - usually right into the backend of the car infront of you... its a system that creates "guardrails" to prevent negative behavior. 

Create security solutions that prevent users from making mistakes, create "guardrails" to limit the potential damage a person can create. If someone clicks on a phishing link, there should be technology stopping the pain from what happens while and after the user goes to the malicious website. 
RobKnoblauch_CISOScotiabank
Notable Contributor
1
Deputy CISO Scotiabank
Thanks for the question, generally CISO's mandate is to protect the organization from all internal and external threats. Ransomware attacks are far from new, some of the media headlines recently are new as big targets are falling victim to this type of cyber attack.... there is a lot more best practice documentation from leading governments and better partnerships in the market to combat this type of threat. 

Monetization of attacks is the key trends, whether it be Ransomware, DDoS for Ransom, Data Theft and Extortion requests... hackers are no longer interested in just disrupting operations, there is very little payout... it's about monetizing and making bank on victim's security holes. 
highlyinadvisable
Opinionated
8
SaLeS dEvELoPmEnT rEpReSeNtAtiVe
What are things salespeople do that you find particularly annoying? Are we too bro-ey? Do too many people reach out to you unprepared? etc.
RobKnoblauch_CISOScotiabank
Notable Contributor
12
Deputy CISO Scotiabank
Good question. Really important one actually. Be respectful to women and inclusive. The "bro" culture is an updated version of "old boys club". There are many women in my company who are key decision makes, for example buying anything cyber related requires the nod (and evangelizing) from our leader of Cyber - that person is a woman, and she kicks a$$. There have been occasions where point blank she has said to me "this rep treats me like a stupid lady", and when that happens - I ask for a new sales rep. Point blank. It's 2021, we don't tolerate that kind of behaviour. 

Many sales reps reach out to me completely unprepared. I don't know why googling "target client name cyber security" isn't a standard practice. You get links from Linkedin on key people, articles from conferences and other weird stuff on the internet related to that company - do some homework. 

Again I am not a sales rep, but I think there is a tool out there called "Rainking" and somewhere in there must be my name and role, and I imagine sales reps just get the list and start dialing one after the other... I don't understand this, you aren't selling me a $40 dollar item... you are selling something that usually is expensive and has a 5+ year life span... put effort into the initial relationship and show that you care and have a vested interest in my company and struggles... because after we close, I will have a vested interest in your company. 
LegacySales
Politicker
7
Account Executive
Hello Rob, 

Since your organization alone has the power to make an individuals career and 5x the valuation of their tiny company, do you still have "relationships" that you regularly buy from? 


RobKnoblauch_CISOScotiabank
Notable Contributor
1
Deputy CISO Scotiabank
Thanks for the question, we have VAR relationships that often benefit both us and the startup/small company in terms of liability and other contractual items. 
RedLightning
Politicker
7
Mid-Market AE
In evaluation processes, what has pushed a vendor over the top? What has caused a vendor to lose? 

Specifically, what things has the sales rep done that have impacted deals positively or negatively?

When Scotiabank is evaluating software of any kind, when (if ever) does your team get brought in to discuss security related aspects?

Thanks for hopping in here, Rob!
RobKnoblauch_CISOScotiabank
Notable Contributor
8
Deputy CISO Scotiabank
Thanks for the question; I will provide a positive impact on a deal; and also will describe a negative behavior. 

Positive: Have a referral that knows your client/target. There are so many companies that have pitched to me and if they did a teeny bit of linkedin research they could see that an existing client of theirs, who is a friend/relationship of mine and bring that up. People in the cyber profession are encouraged to share ideas/best practices/threat intelligence and this is one way where we can talk to our own people about your awesome solution. 

Negative: Running the goalie. This is where you are going above the person who you are doing business with (to their boss), or even their bosses boss - or getting your CEO to write to my CTO.... let the team do their thing... it does more harm than good and if you have a strong relationship with a CTO/CISO/eval team - it will come up and we will wonder why are you reaching out the top of the house on an item which probably at the top of the house, isn't a top of the house concern. 
RedLightning
Politicker
0
Mid-Market AE
Thanks Rob!
Chep
WR Officer
7
Bitcoin Adoption Specialist
What advice do you have for someone looking to work their way up to the c-suite? What daily habits and practices did you find successful for yourself and what habits/ practices did you stop because you found they weren't benefiting you?
RobKnoblauch_CISOScotiabank
Notable Contributor
5
Deputy CISO Scotiabank
Great question, my advice which isn't unique is treat everyone equally. I spend as much time "managing upwards" as I do "managing downwards". Understanding that a lot of people are smarter than you, and taking time to listen and get input and collaborative feedback. Being open to change.. often I have come into a conversation with an idea and how to do something, and changing my mind 180 based on feedback from my team. The c-suite leaders, at least from what I have experienced - is that they are open to feedback, not arrogant and willing to adjust course based on new information. 

Another key point I want to make is the journey between individual contributor to leader... many of us start as analysts and we have a lot of control over our workload/world... as you grow, leadership opportunities come up - some people make the leap and love being in management, some not so much.. and that's OK. I also think it's OK to be content with your role, not everyone should be a CISO (or wants to be). 

There have been many times in my career, even recently that I have turned down CISO roles because I don't think I would be awesome enough and there are better people than me that would rock it harder than I could, or I don't think culturally there is a fit. 
SmoothBrain
6
Federal Sales
Rob - glad to have you here, and RIP your LinkedIn/email inbox after this :)

My question: We tend to see, especially in large enterprises like Scotiabank, that there is a layer of friction between development and security teams, especially as orgs shift to a DevSecOps methodology. What does a perfect world look like where Sec and Dev play nicely together? Does the buzzword "Shift-Left" mean anything to you?
RobKnoblauch_CISOScotiabank
Notable Contributor
5
Deputy CISO Scotiabank
Yeah, shift-left came up a lot in 2019 before corona hit... and it makes sense.. the OG version of this is baking in security into the design, and not bolting it on as an afterthought. In this new devops world; as a developer - I want instant results, I dont want to hand in my code, have it run through a scanner, come back with holes, rinse and repeat... ugh. Give me real-time, as I submit code or as I write code - guide me. Cyber Security code quality should be treated as other QA functions (non-functional and functional testing). Bake it in, the developer discussion with security staff should be only when some hole exists and can't be fixed through traditional means. 
SmoothBrain
0
Federal Sales
Thank you very much, Rob! This is incredibly helpful, as are your other answers. Thanks again for taking some time to share some insight
CMitch
6
SDR
Hey RobKnob! Thanks for stepping up! What's your perspective on sending links/content in cold outreach? Especially to security professionals.  Is there a way we can send links/content that doesn't "look sketchy"?
RobKnoblauch_CISOScotiabank
Notable Contributor
5
Deputy CISO Scotiabank
Hey, thanks for the question... 

Unsolicted email with links - have you heard of phishing? Honestly I feel for marketing teams that have to somehow get a user to go to a website through an unsolicited email.... considering people like me train everyone to NOT DO THAT!! 

IDK.. .don't use links... or at least use email links after an cold call relationship has been established? 
HindsightHarry
Praised Answer
6
Account Executive
How much is bravado paying you for this?
RobKnoblauch_CISOScotiabank
Notable Contributor
22
Deputy CISO Scotiabank
Lol, I heard of a magical no-call distribution list that is respected by sales representatives in every country. It's like a cold calling exception spreadsheet of the sales reps gods. I want to be in that spreadsheet. Corp promised. 
sahil
Notable Contributor
8
Deepak Chopra of Sales
Billions of dogecoin
martymar
5
Enterprise Account Executive
What is a compelling reason or two that you would consider a newer technology (SASE comes to mind these days)? For example, do you need to see someone else get hacked, do you need to see other banks adopt this tech first, do you want to get something installed for your personal resume before your peers....what drives you in a new direction as a CISO?
RobKnoblauch_CISOScotiabank
Notable Contributor
4
Deputy CISO Scotiabank
Thanks for this question, there are multiple reasons to consider a new technology...  the most glaring method is incidents. One example would be Distributed Denial of Service Mitigation services... it wasn't until Anonymous, LulzSec, Ion Cannon caused offline outages that companies take notice. The adage is nothing like a good fire to garner interest. Ideally if the fire is not your own. 

There are technologies that will have a pioneer client which will influence the market, it has for sure happened in my career a few times - sometimes from a peer, a few I've driven into the market myself.. to be honest for me at least, I don't even consider that in my person resume (First person to implement x doesn't really matter to me?). 

What drives new technology or investment is the boring practice of looking at your controls, your policies and aligning them for maturity evaluation. NIST comes in handy:

Put all your tech into categories of Identify, Protect, Detect, Respond and Recover - rate your maturity of processes, benchmark how you feel, how your stakeholders feel (there are companies that do this benchmarking as a service) and then look at your regs - see what gaps come out of all that and then focus your investment on priority based on risk. 

Not very exciting is it? 
Ibiza
4
Business development
Hi from Barcelona Rob! welcome! How would u create the need for cybersecurity services for a SMB or startups  with small budgets (spain we prefer to spend money in team building events...) 
RobKnoblauch_CISOScotiabank
Notable Contributor
0
Deputy CISO Scotiabank
Hello! If I understand the question correctly, how would I get buy-in or funding for cyber security being a start-up with a small budget....

Well, using incidents and examples of companies of a similar size/nature and the impacts of those cyber breaches on those companies would create awareness.. and generate a discussion. Maybe you are cool with crapola security until the risk is too great? 
DutchBuckholz
4
Account Manager
What is the best vendor sales process you've ever been through?  And also the worst for shits and gigs. 
RobKnoblauch_CISOScotiabank
Notable Contributor
2
Deputy CISO Scotiabank
Best: 

1. Issue RFP 
2. Get responses
3. Clear winner
4. Company is easy to deal with contractually 
5. Procure
6. Implement
7. Operationalize
8. Ongoing Maintenance 

Worst

1. New Hot Technology Emerges on the Scene! 
2. Why do we need to do this? 
3. This is a waste of time but fine we will PoC it. 
4. It's not good technology 
5. How can we get them to leave us alone? 


cyberkub
Good Citizen
4
BDR
Hi Rob, we've actually spoken on the phone before, but I didn't deliver enough value to set up a next step demo...

With this in mind, what does a "good" sales call look like to you? Any advice?
RobKnoblauch_CISOScotiabank
Notable Contributor
8
Deputy CISO Scotiabank
Hey dude, I hope I was nice to you. A good sales call usually would come in the form of a VAR (someone who I already have in my network, a value added reseller) introducing me to you/you to me and talking about what you are doing in my client space/market. It shows that you have some solid business in my neighbourhood and it's been vetted before it comes to me... 
SADNES5
Politicker
4
down voters are marketing spies
How do you measure efficiency and relevancy of the security controls that are already in place at Scotiabank? 

How does Scotiabank "tender" for services when established partners can't meet obligations or need to re look at pricing? 
RobKnoblauch_CISOScotiabank
Notable Contributor
3
Deputy CISO Scotiabank
Thanks for this quesiton, any large company in the financial world will often have multiple "lines of defence". Such as your security operations team being the first line of defence, a risk management team (2nd line) doing thematic reviews of 1st line controls. Then we have auditors (considered a third line) doing audits on 1st and 2nd...  in total if you think about the board, and customers - there is like 5 lines of defense measuring effectiveness, efficiency, maturity of controls. 

I can't answer specifically for Scotiabank (for any of these questions) but i can say that there is a lot of value in VAR networks because a lot of VAR's have established contracts which net-new companies often struggle in developing with favourable terms for both parties. 
NeanderthalToNerd
Valued Contributor
4
Account Manager
Thanks for lending your time Rob. 

In your opinion, what's the most effective way for cybersec vendors to build a relationship from scratch with big orgs (10,000 plus employees)? 
RobKnoblauch_CISOScotiabank
Notable Contributor
4
Deputy CISO Scotiabank
There are a few ways which I think are under-utilized, and with some homework it may be valuable..

1. Really big enterprises usually have relationships with 3rd party vendors/VAR's that sell multiple security solutions. Consulting companies also on occasion fit into this space. Leverage that network!! Even if your solution is awesome, it will mean I need to figure out how to contractually buy it - if you can leverage an existing legal relationship with a big org... half of your work is cut out for you.

2. Make friends with VC firms that are partners of that Big organization...  

If I had to put it high level, pretend there is an attractive member of the opposite (or same, #inclusivity) - what are your chances of going up to him/her directly vs. having someone who is a trusted friend introduce you? 


NeanderthalToNerd
Valued Contributor
0
Account Manager
Thanks Rob, this is money!
613Security
Good Citizen
3
SDR
Hey there Rob, thanks for doing this.

When you decide to do an evaluation of tooling - is that based on pre-determined times on the fiscal calendar that align with security initiatives or is it triggered by an event based on either new technology presented to you, security breaches in the news, etc.?
RobKnoblauch_CISOScotiabank
Notable Contributor
1
Deputy CISO Scotiabank
Thanks, I would say it's a blend - some purchases could be driven by a condition in the market that requires a rapid response. Some technology purchases are based on a predefined roadmap or renewal. Generally most organizations have budgets and try to plan in advance the spends. 
salesisalliknow
Old School Bravo
3
Head OF SDR
Can you speak to your view on Direct Mail (Gifts, Giftcards etc) and Video Messages (in email or social?) Is this something CISO's generally have a prepsective on or is a personal preference. 
RobKnoblauch_CISOScotiabank
Notable Contributor
1
Deputy CISO Scotiabank
The majority of bank employees I know have provisions that we can't accept gifts or "bribes" or what is construed as potential bribes/currying favour. Your solution should stand on it's own merit without trying to pay me 100$ in amazon gift certificates to listen. 

However having said that, many colleagues I work with outside banking go to meetings for that 100$ gift certificate and to learn about a solution... 

My personal preference is to not accept the gift/100$... 
coldcaller
Fire Starter
3
BDR
Hi Rob! TYSM for doing this. 

We deal specifically with Security Questionnaires so here goes:

How does your org deal with security questionnaires and the onslaught of questions from internal & external stakeholders on your security posture?
RobKnoblauch_CISOScotiabank
Notable Contributor
1
Deputy CISO Scotiabank
I imagine the same way sales organizations deal with RFP/RFI's... most international companies have to answer the same question, in different ways and in different languages and usually have built up a database of answers after doing it often enough. 


jwillcox
Old School Bravo
2
Regional Sales Manager
As a CISO, how do you prioritize which tools to purchase in what order? I find that most everyone has the "essentials" ie: endpoint, firewalls, and gateway covered, but then how do you determine where to go from there? 
jwillcox
Old School Bravo
0
Regional Sales Manager
@RobKnoblauch_CISOScotiabank bumping, as I've really enjoyed your prior replies and would find a lot of value in your perspective here. 
RobKnoblauch_CISOScotiabank
Notable Contributor
1
Deputy CISO Scotiabank
Hey sorry for the delay in response, 

Prioritization should be based on security capability and maturity; the tool is the means to address the risk that is identified. 

There are two major ways to go about figuring out "what you need".

1. Formal benchmarking and evaluation of security capabilities and maturity based on an industry accepted framework (NIST, ISO 27001) and also incorporating regulatory policy that drives requirements/must haves. 

2. Scenario based approach - pretend you got ransomware, nation state attacker, insider threat - go through the process - would you be able to protect against it? detect it? handle it? what is the cost or downside of these breaches occuring - and then prioritize based on that analysis. Ask the leadership team what are the biggest risks that can cause the most damage? 
jwillcox
Old School Bravo
0
Regional Sales Manager
Very much appreciate it @RobKnoblauch_CISOScotiabank ! We often approach folks who have the right pieces (palo, crowdstrike, proofpoint, okta etc.) and want to help them tie them all together. As a security pro - do you have an opinion on SIEM?
violasyd
2
Small Enterprise Acquisition AE
Do you see value in ramping up security training in alignment with rolling out new security tools and strategies? Is upskilling on the mind of other CISOs?
RobKnoblauch_CISOScotiabank
Notable Contributor
0
Deputy CISO Scotiabank
Thanks for the question, I think with every new technology introduced there is a need to upskill. Attracting and retaining talent is a key foundation to have an amazing security posture (people, process and technology) so continuous investment in people is just as important as investing in other areas.
violasyd
0
Small Enterprise Acquisition AE
Thank you!!!
Upper_Class_SaaS
Politicker
2
Account Executive
How do new vendors get into your security budget? 
RobKnoblauch_CISOScotiabank
Notable Contributor
0
Deputy CISO Scotiabank
Thanks, it's not actually a proper question - it's not about vendors getting into my budget... it's about a gap which I have to fix and thus find a solution that requires me to spend my planned budget on. 
Upper_Class_SaaS
Politicker
0
Account Executive
Rob - thank you for your response. Is there any approach you appreciate as a CISO that salespeople take to help identify the gap/s you may have?
salesisalliknow
Old School Bravo
2
Head OF SDR
What's your take on CISO's who work for companies with an outbound sales team who certainly make cold calls; but won't take them themselves? 
RobKnoblauch_CISOScotiabank
Notable Contributor
0
Deputy CISO Scotiabank
I have never worked on the sales side, always have been on the client side... I have never had a CISO of a company cold call me if that answers your question? 
37
Members only
Deal Story
SADNES5 closed a deal for $1.8M to the CEO, Executive Leadership departments
So, TWO ENTIRE YEARS IN THE MAKING, we had a very messy agreement with a current long term customer, looking for some new options. They are providing heaps of local economic recovery during the pandemi...
Say congrats!
Ca
Ma
Fe
+25
12

You negotiated till No Regret Price with Finance dept and he moved forward the quote to Purchase dept. Now purchase team asking for more discount else not processing forward ? How to tackle this ?

Question
10
33
Members only
Deal Story
signandrecline closed a deal for $25k to the Product Development, CTO departments
About 6 weeks sales cycle. I went through the Aspireship AE course, and made sure we had the guy from below the line (Product Manager) and above the line (CTO) on the calls to cover pain points for bot...
Say congrats!
Ma
Ca
Cy
+31