Dell SecureWorks Sale Meeting Presentation

Erwin (Chris) Louis Carrow
https://www.academia.edu/3065509/Framework_for_Effective_Information_and_Information_System_Security
https://www.academia.edu/1885148/Model_Analysis_Methods_and_tools_for_Case_Study_Research_-_generic
https://www.academia.edu/225031/InfoSec_Management
https://www.linkedin.com/in/ecarrow

Dell SecureWorks 2015 Sales Conference – Titled - “Eating Your Own Dog Food,” “Ordering off the Menu,” “What Right Looks Like,” or “My Way or the Highway”

Upload: erwin-carrow

Post on 14-Jan-2017


TRANSCRIPT


Page 2: Dell SecureWorks Sale Meeting Presentation

05/01/2023

Most Wanted List for being … “Vendor Unfriendly!”

Sometimes it becomes a professional hobby to just annoy vendors [you have been warned]

I engage in a strong offense, establish imbalance, and require an immediate response…

If you waste my time, it then becomes personal and you will know it!

Typically, I know more than they do and I know their business model …

I know what I want …! Let’s not waste time and effort in what you want…

Challenged by vendors who may know their product, but not their competition’s …

I exercise transparency that kills …

Know Yourself and Know Your Enemy!

Sun Tzu’s Art of War & Thirty Six Stratagems

Page 3: Dell SecureWorks Sale Meeting Presentation

Unless WE are on the same Team …? It is Warfare! You MUST PROVE Otherwise

Page 4: Dell SecureWorks Sale Meeting Presentation


1st Set of Questions

What you like when working with Vendors; what you don’t like.
• I don’t like vendors - in general (easy)
• Cold calls get ignored! Unless I initiate, it MUST be relational!

Messaging that resonates with you from vendors; messaging that doesn’t resonate well with you!
• “FREE” – never hear it!
• No affordable solution, service, or product, e.g., lack of flexibility

Vendor Onboarding - how you work with a new vendor and any best practices that you like to see; or anything that has been a problem in the past
• “We don’t needs no stinken vendors” – They need ME?

Security – how to build a business case when you are talking to upper management
• Partnership – which means together we share the successes and failures; BRR Factor, End-Ways-Means,


Page 5: Dell SecureWorks Sale Meeting Presentation


2nd Set of Questions

Engaging with 3rd party vendors
- what messages [Quiet], positioning methods resonate [Kowtow]?
- what vendor approaches are valued [Listen and don’t talk]? what approaches are non-starters [Telling me something I already know]?
- what advice would you give to sales reps who want to engage you to see if there are areas of challenge in which they and their company can assist [Don’t call me, I will call you – I know what I want and what it should cost]?

InfoSec-centric
- how do you go about building business cases to secure InfoSec funding? [BRR Factor]
- what type of business cases work and which ones fail? [BRR Factor / “Shoot from the Hip”]
- real life examples, if available [BRR Factor]

Well-publicized breaches over the past 15 months
- starting with Target in DEC ’13, how has the attention level on security from Exec leadership changed since then? [Gamblers will always be gamblers!]
- any examples of senior leadership placing new and/or recurring requests or requirements on you? [“Mature Boards” are looking for creative ways of building accountability into operational practices with measurable outcomes!]
- how has your job changed? [Hasn’t - educate, educate, … push change from below and out. Very few exceptions. Head in the sand attitude used to mitigate “due-diligence” regarding risk [this works until things explode].]
- what messaging to senior leadership have you seen work most effectively? Personality based! Likeability Factor!!!

Page 6: Dell SecureWorks Sale Meeting Presentation

Taking a Different Approach…

The “SHIH” of Security Vendor Management:

SHI is the situation, status, state of affairs / cultural, and confrontational impact

SHI is combination and integration of friendly situations, enemy situations, and environmental influences

SHI is trends in affairs / cultural and its integrated impact on the situation

SHI is the sum of all factors that impact performance, capability, efficiencies and outcomes

SHI is the posture, aspect, situation, circumstances, conditions, disposition, configuration, outward shape, force, influence, momentum, authority, strategic advantage, etc.

YOU MUST Understand:

Decision-making (input, timelines, risk & ownership)

Essentials (values, principles, priorities, etc.)

Business Requirements

Enablers, Governance, & Outcomes

Page 7: Dell SecureWorks Sale Meeting Presentation

Decision-making: Input, Time, Risk …

Page 8: Dell SecureWorks Sale Meeting Presentation

“Essentials” Required Homework

Page 9: Dell SecureWorks Sale Meeting Presentation

Control Objectives for Information and related Technology (COBIT®)

Business Functions and Characteristics


Page 10: Dell SecureWorks Sale Meeting Presentation

Enablers, Governance & Outcomes

Page 11: Dell SecureWorks Sale Meeting Presentation

Putting it all together…


Page 12: Dell SecureWorks Sale Meeting Presentation


Slide Deck Example


Page 13: Dell SecureWorks Sale Meeting Presentation

Proof of Concept - Product Name, and Product Functional Category or Service

Presenters:

Targeted “Business Name” / Logo

ALL TEXT IN ITALICS IS EXPECTED TO BE MODIFIED

Introduction, Purpose, and Orientation – (2 MINUTES FOR THIS SLIDE)

Guidelines
• Total presentation time 20 minutes and limit dialogue and exchange till the final slide
• All presentation materials are limited to the 5 page slide deck
• The third page slide format may be customized per vendors’ desire or preference
• Presentation is a partnership between ‘Business Name’ Representative and Vendor
• Maintain font size and format as much as possible
• Ensure simplicity and readability; the expectation is that show & tell with basic slide content will demonstrate the product’s capability
• BRR Factor must be exemplified
  o Benefit Realization - the Institution, Community, and Other Institutions, e.g., the footprint of impact. What added value will it bring?
  o Resource Optimization – Manage Effectively and Efficiently. What will it improve?
    People – Develop and Manage Relationships; Promote Others’ Success
    Resources – Manage, Advise and Provide Technical Tools
    Time and Effort – Must be captured to determine capability and capacity
  o Risk Mitigation – identify and address the risk. What challenges will we experience?
    Strategic: Affects the entities’ ability to achieve goals and objectives
    Compliance: Affects compliance with laws and regulations, safety and environmental issues, litigation, conflicts of interest, etc.
    Reputational: Affects reputation, public perception, political issues, etc.
    Financial: Affects loss of assets, technology, etc.
    Operational: Affects on-going management processes and procedures

Page 14: Dell SecureWorks Sale Meeting Presentation

Product Name – Functional Category or Service

Practically “Qualify and Quantify” the “Problem and Solution” and how it applies to “Business Name” and Vendor Partnership [Friend or Foe?]


DO NOT PRESENT THE ENTIRE VENDOR CATALOGUE OR YOU WILL BE ASKED TO STOP!

Focus on -- Strategic, Tactical, and Operational Business and Technical functional Objectives, Critical Tasks, Expectations, and Outcomes must be clearly communicated (3 MINUTES FOR THIS SLIDE)

What does the “partnership” REALLY LOOK LIKE? Are you a part of the team or the Enemy attempting to exploit my assets?

Objectives: The product or service provides information and information system needs – what, why, how, when, etc.

• "Vision Statement" [WHY] – Answer the question: “Why is the product / service important or what does it significantly contribute to the success and well-being of ‘Business Name’?” Focuses on the alignment with Business Name values [Strategic].
• "Mission(s) Statement" [WHAT] - Goal(s) that support the Vision for the product / service, e.g., the product / service scope of impact / footprints throughout ‘Business Name’ or the unit / department. The intended impact of activities throughout ‘Business Name’ or the unit / department (general not particulars). This statement identifies the goal(s) and intent used (decision-making principles that guide or direct methodology) to support value delivery [Tactical].
• Business / Technical functional tasks that support your mission(s) [HOW] - what the product or service will do for ‘Business Name’ or the Unit / department’s success. This step should include the decision-making prioritization process and how those decisions drive ‘Business Name’, the Unit / department’s business practices. These typically are expressed as specific tasks based upon "service and support - rules and requirements" associated with the mission(s) - KPIs quantify measurable outcomes! [Operational].
• Business / Technical owners’ roles and responsibilities [WHO] – what personnel are involved in the various key tasks, their roles and responsibilities, to whom or what type of workflow would it support for notification, maintenance reporting, etc., and whether it is interdependent with other product / service, internal or external entities to the technical unit / department (business function matrix) [Operational].

Page 15: Dell SecureWorks Sale Meeting Presentation

Free-flow Slide for Vendor to describe Case Use and Work Flow

Each Product or Service offering has unique characteristics – this slide is to support the vendor's needs that exceed the guidelines already provided. (5 MINUTES FOR THIS SLIDE)

Ensure you address any interdependent and / or infrastructure context and associated requirements. You must contextualize your product or solution with relevance as it relates to ‘Business Name’. If you have not communicated effectively so that the audience believes that you understand the business / technical requirements, it is a “lose lose” for the product or service being proposed.

Page 16: Dell SecureWorks Sale Meeting Presentation

(5 MINUTES FOR THIS SLIDE)

Value Chain Management (VCM) – ensure you address the business / technical ownership needs and requirements

Enterprise Risk Management (ERM) – ensure you quantify how it impacts the big picture down to the particulars

Total Cost of Ownership (TCO) should not be a question and anything negotiable MUST be quantified

https://www.academia.edu/3065509/Framework_for_Effective_Information_and_Information_System_Security
https://www.academia.edu/1885148/Model_Analysis_Methods_and_tools_for_Case_Study_Research_-_generic
https://www.academia.edu/225031/InfoSec_Management
https://www.academia.edu/7267860/Information_Security_Strategy_-_Recall_White_Paper
https://kennesaw.academia.edu/ecarrow

You MUST be able to explain succinctly -- Present a methodology for the Product or Services’ implementation and what it should achieve (Ends, Ways, and Means):

Considerations

Objectives
• Benefit, Resources, and Risk (Ends)

Process (Ways)
• Expectations
• Outcomes
• Effective Practices from the Product or Service MUST ensure that:
  o Expectations are met
  o Performance is measured
  o Resources are managed
  o Risks are quantified and mitigated

Types of resources involved (Means):
Information produced and utilized by various Business Name Business / Technical owners from various systems
• Types of information (classification
• What type of information, on which information systems, are to be accessed by which users?
• People who use or interact with the Information will include:
Other resources that may not be IT related.

Solution should identify / Address (Ends, Ways, and Means):
Risk Management Process Control Types: “Technical controls” are not always the answer
Implementations will always be based upon industry standards, requirements, and practices
Build list of high level objectives and outcomes to address risks associated with measurable outcomes

Product or Service Proposed Solution
• Problem statement
• Solution statement
• Total Cost of Ownership (TCO)
• Licensing
• Environment and Resource Requirements
• Professional Services
• Training
• Sustainment and Maintenance Requirements
• Integration Automation, Ticketing, and Tracking / Reporting
• Ticketing / Wiki
• Cloud
• Traditional Data Center
• Other Service / Product Integration

High-level Project Implementation Plan requirements and Outcomes

Should Identify Objectives, Critical Tasks, Expectations, Measurable Outcomes, and Timelines


Page 17: Dell SecureWorks Sale Meeting Presentation

Product or Service Summary, Decision-points, and Discussion

Summary

Decision-points


BRR Factor Restatement (5 MINUTES FOR THIS SLIDE)

If the discussion goes beyond 10 minutes after you have summarized and restated the discussion-points you presented, then you have not done your job!

Page 18: Dell SecureWorks Sale Meeting Presentation


I AM DONE – Q&A (if desired)


"Life is like a box of chocolates. You never know what you're gonna get till you take a bite!"