In my role leading cloud security integrations, I speak with dozens of CISOs every month. Before joining the product side, I spent seven years in security operations and architecture roles. Having stood on both sides of the fence has given me an uncommon view of the growing disconnect between security vendors and the leaders they aim to serve.
Last week, I watched a CISO colleague close his laptop during our meeting, apologizing as he showed me his phone: 6 missed calls and 17 new emails, all from vendors—all received during our 45-minute conversation.
"This is actually a light day," he sighed.
What I've Heard Across Hundreds of CISO Conversations
Across the more than 400 customer interviews I have conducted with security leaders in the past two years alone, certain themes emerge consistently, regardless of company size, industry, or security maturity:
The Unsustainable Daily Reality
The typical CISO schedule I've documented through these conversations:
- 6:00-7:30 AM: "Quiet time" to catch up on security news, emerging threats, and critical emails before meetings begin
- 8:00 AM-5:00 PM: Back-to-back meetings spanning executive briefings, team management, incident reviews, compliance requirements, risk committee presentations, and the occasional vendor who made it through the gauntlet
- 5:00-8:00 PM: The actual work that couldn't happen during meeting hours: strategy development, architecture reviews, policy writing, and more
As one CISO at a mid-sized fintech told me: "I have exactly zero minutes in my day to evaluate security tools that don't address an immediate, burning need. Yet I receive outreach for 30-40 new ones daily."
Another leader at a healthcare organization tracked her vendor communications for a month: 1,249 emails, 87 LinkedIn messages, and 46 phone calls—representing over 300 different vendors.
The Fundamental Misalignments
Through my interviews, I've identified several critical disconnects that security leaders consistently highlight:
1. The Operational Reality Gap
"Vendors sell to the security program I wish I had, not the one I actually have," explained a CISO at a retail organization.
Security leaders repeatedly tell me that vendors dramatically underestimate the operational complexity of implementing new tools. Their security teams are typically:
- Understaffed by 15-40% compared to industry benchmarks
- Managing alert fatigue across existing tools
- Handling integration challenges between current systems
- Struggling with talent retention and knowledge transfer
As one CISO memorably put it: "I don't need another dashboard to check. I need fewer dashboards with better information."
2. The Maturity Mismatch
"Vendors assume we've already solved the basics," a newly appointed CISO at a growing startup told me. "They're selling me a rocket ship when I'm still building the launchpad."
Through my conversations, I've observed that:
- Early-stage companies need foundational controls and basic visibility
- Mid-stage organizations need operational efficiency and automation
- Mature enterprises need specialized capabilities and ecosystem integration
Yet vendors frequently pitch advanced capabilities to organizations still building fundamentals—or basic solutions to sophisticated security organizations.
3. The Follow-Up Fatigue
"If I don't respond to your first three messages, sending seven more won't change my mind," complained a CISO at a manufacturing company.
The persistence tactics that sales organizations believe demonstrate tenacity are perceived very differently by the security leaders on the receiving end:
- Vendor perspective: "I'm being helpfully persistent"
- CISO perspective: "You're ignoring my implicit boundaries"
As one security leader told me: "I now have a personal policy—if a vendor contacts me more than twice without a response, they go on my 'never do business with' list."
Bridging The Divide: Lessons From the Middle Ground
Working at the intersection of vendor and practitioner worlds has taught me valuable lessons about how both sides can better navigate this relationship:
For My Vendor Colleagues:
1. Solve Real Problems, Not Theoretical Ones
When we built our cloud security integration framework, we spent three months interviewing security teams before writing a single line of code. We discovered their actual pain points were fundamentally different from what our initial assumptions suggested.
Security leaders repeatedly tell me they value vendors who:
- Address specific operational challenges, not abstract risks
- Reduce overall complexity rather than adding another point solution
- Demonstrate understanding of their resource constraints
- Recognize the practical limitations of their existing environments
2. Respect The Purchasing Journey
The most successful vendor relationships I've observed follow this pattern:
- Education first: Providing genuinely valuable insights without expecting immediate returns
- Problem validation: Confirming that the organization actually experiences the problem you solve
- Proof of concept: Demonstrating value in the customer's specific environment
- Successful implementation: Ensuring the solution works in production
- Expanded relationship: Growing based on demonstrated success
Attempting to short-circuit this process rarely succeeds and often damages relationships.
3. Demonstrate Authentic Expertise
"I can tell within five minutes whether a vendor understands security or is just reciting marketing talking points," one CISO told me.
The vendors who earn respect:
- Share substantive research without gating it behind forms
- Acknowledge the limitations of their solutions
- Offer genuine insights beyond their product boundaries
- Connect customers with relevant peers for candid discussions
- Admit when they're not the right fit
For My Security Leader Colleagues:
1. Create Structured Engagement Paths
The most effective security organizations I've worked with have implemented systematic approaches to vendor management:
- Published evaluation criteria that vendors can review before reaching out
- Designated evaluation periods for specific security capabilities
- Clear intake processes that set expectations for engagement
- Team members assigned to specific technology areas
One CISO I work with created a simple public-facing page describing their security priorities, evaluation schedule, and preferred contact methods. "It cut irrelevant outreach by 60%," she reported.
2. Provide Constructive Feedback
"Vendors can't improve if they don't know what they're doing wrong," observed a financial services security leader.
The most effective feedback I've seen security leaders provide:
- Explains specifically why a solution isn't a fit
- Identifies which requirements weren't met
- Suggests improvements that would make reconsideration possible
- Sets clear expectations about future engagement
3. Share Your Context
In product discovery interviews, I've found the most productive conversations occur when security leaders openly share:
- Their team's current composition and capabilities
- Which tools are already in their environment
- Specific challenges they're trying to address
- Constraints (budget, headcount, time) they operate under
This context dramatically improves the relevance of vendor offerings.
A Personal Reflection: Standing Between Two Worlds
Having transitioned from security practitioner to product manager, I've gained uncomfortable insights into both perspectives.
As a practitioner, I dismissed countless vendor emails without a second thought. Now, I understand the pressures driving that outreach—the quarterly targets, the investor expectations, the competitive pressures.
As a product person, I've felt the frustration of knowing our solution could genuinely help an organization, but being unable to break through communication barriers to demonstrate that value.
The truth is that both security leaders and vendors want essentially the same thing: stronger security postures for organizations. Yet the mechanics of how we interact often work against this shared goal.
Moving Forward: A Practitioner's Plea
Based on hundreds of conversations with security leaders, I believe several changes would dramatically improve the ecosystem:
For Vendors:
- Invest in understanding before selling: Spend time truly comprehending the operational realities security teams face
- Quality over quantity: Focus on finding the right fit rather than maximizing meeting counts
- Consolidate, don't complicate: Seek integration and simplification opportunities, not feature expansion
- Respect time boundaries: Recognize that every minute spent with you is a minute not spent on security operations
For Security Leaders:
- Communicate your needs clearly: Help the market understand your actual challenges
- Establish structured processes: Create systems that channel vendor engagement productively
- Share your feedback: Help improve solutions by explaining what works and what doesn't
- Make time for innovation: Set aside specific periods to explore emerging approaches
The Ecosystem We Need
In my conversations with CISOs across industries, one sentiment emerges consistently: they want partners, not just vendors.
Partners who understand their specific challenges. Who respect their time constraints. Who acknowledge their operational realities. Who solve real problems rather than creating new ones.
As someone who now bridges both worlds, I believe creating this ecosystem is possible—but only if we fundamentally rethink how security vendors and practitioners engage with each other.
The stakes are too high to continue with business as usual. Our shared adversaries don't care about our misaligned incentives or communication challenges. They're counting on them.
It's time we fixed this broken system, together.
Jonathan Haas is a product leader focused on cloud and security integrations. Previously, Jonathan spent seven years in security operations and architecture roles at financial services and consumer tech companies. This perspective is based on over 400 CISO interviews conducted for product discovery and customer research over the past two years.