
What Fast-Talkers Can Teach Us About Vetting Vendors

Here's how to differentiate vendors that can back up their words with solutions and those that cannot.

Joshua Goldfarb, Field CISO

October 17, 2022


I recently found myself in a meeting with a fast-talker. I'm sure that most of you know the type and have run across them more than a few times over the course of your careers. These people spout long sentences with big words that have very little meaning. They also seem to have a response for everything (words) yet almost never follow up on or complete anything (action).

While fast-talkers can be frustrating, they can also teach us six valuable lessons about how to vet vendors — how to separate those that can back up their words with action (solutions) from those that cannot.

1. Ask for the Data

There is such a thing as objective truth. That truth is based on facts — also known as empirical evidence or data. When a vendor is trying to sell you on something, ask to see the data to back it up. The serious vendors will be able to show you. If a vendor can't back up its claims with data, that raises some serious questions.

2. Request References

In the security and fraud space, trust is huge, and it's built up over time. Vendors that have their customers' trust have undoubtedly worked very hard to attain it. That holds value and should not be taken lightly. Ask your prospective vendor about its client list, and then ask those clients their opinions about the company.

3. Listen for Straightforward Answers

I don't know about you, but when I ask a straightforward question, I expect a straightforward answer. As the adage, often attributed to Albert Einstein, goes: "If you can't explain it simply, you don't understand it well enough." If the vendor's answer becomes a monologue, something is off.

4. Ask for Proof

Vendors often claim that they can do A, B, and C. If those are capabilities I need to address my operational gaps, fantastic. Still, ask them to show you how they do what they say. Vendors that truly have the capability will gladly show you — sometimes in more depth or detail than you cared to see. Vendors that are merely paying lip service to having certain capabilities will likely talk in circles or change the subject. That should clue you in to the likelihood that they probably cannot address your operational gaps.

5. Establish Clear Success Criteria

When engaging with a vendor, it is important to create and document clear success criteria. What are the engagement's objectives? What operational gaps are you looking to address? What does success look like? What metrics will be used to measure it? If the success criteria need to be adjusted during the engagement, what is the process for doing so? These are among the questions that need to be answered before a vendor engagement commences. Vendors that cannot meet the success criteria will most likely push back on them. This can be an indicator that the vendor can't back up its words with actions.

6. Require a Proof of Concept

A proof of concept (PoC) is a common way for vendors to show value and demonstrate to customers that they can back up their words in practice. Any PoC should be governed by and measured objectively against the agreed-on success criteria. If the vendor shies away from a PoC or will not commit or agree to being measured by success criteria, that raises some questions.

It is true that many vendors in the security and fraud space say the same things. However, there are ways for enterprises to hold those vendors accountable to their words. By doing so, businesses can ensure that they get the solutions they need, rather than empty promises.

About the Author

Joshua Goldfarb

Field CISO, F5

Josh Goldfarb is currently Field CISO at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.
