What CSOs Want from Security Technology Vendors: An Interview with Brian Harrell
For the last few years, the team at Rebel Global Security has explored the importance of global threat awareness among the security technology vendor community.
In these pages in 2023, we discussed how security vendors can enhance their value to Chief Security Officers (CSOs) by understanding the real-world security threats they face every day. By demonstrating fluency in global threats and risks, technology vendors move beyond “selling boxes” and achieve the status of trusted advisor and partner.
To dive into this dynamic further, I sat down with Brian Harrell. Brian is Chief Security Officer for a large energy company and serves on the Board of Directors of the Security Industry Association. He previously served as the 6th Assistant Secretary for Infrastructure Protection at the U.S. Department of Homeland Security. As a thought leader, seasoned executive, and regular purchaser of security technology, Brian is well-positioned to provide insight on what can help vendors stand out with CSOs and other senior security buyers in a crowded market.
The following transcript of our conversation has been edited for succinctness and clarity.
Mark Freedman (MF): Brian, great to see you again. Thanks for taking the time. Can you explain why it is important that security vendors understand the threats and risks you are dealing with as a CSO?
Brian Harrell (BH): Well, it’s most important because vendors are ultimately part of the risk solution when “things go bump in the night.”
Typically, when an incident occurs, the vendor is one of the first calls we make, right after law enforcement, the CEO, and board members. They’ll have unique insights that we’ll need as we recover from an incident, whether that’s cyber or physical. As part of that response, they need to stay up on the tactics, techniques, and procedures (TTPs) deployed by China, Russia, North Korea, Iran, and other adversaries against our critical systems.
It's that knowledge that provides a resource back to the CSO, rather than just up-selling us a bunch of stuff we don't need. Instead, we can focus together on what the threat is and how we reduce it. We can adjust our defenses based on this knowledge, because what impacts you likely impacts me. This is known as “collective defense.”
MF: How does that come into play during the sales process? How does it influence your purchasing decisions when you see the vendor understands the threat environment?
BH: It's absolutely key for most seasoned CSOs. I don't necessarily care what your background is, how many decades of experience you bring, or that you’re a great American. I do care about what threats you’re seeing. What systemic risk have you analyzed? What solution do you have for my current risk equation? Based off that, I can say, “Okay, this is a potential solution and money well spent.”
I will say that investing in national security is not going away anytime soon. We’re looking for technologies that can help address national security risks, including those related to quantum, AI, and domestic terrorism. As we march closer to a potential Chinese invasion of Taiwan, we recognize that it is the electric grid and other critical infrastructures that are going to be significant targets for nation-state adversaries. And so now, under blue sky conditions, is the time to invest in these risk reduction tools.
MF: What is the best way vendors can engage with you or demonstrate their expertise on these types of issues?
BH: I love thought leadership. I would like to see vendors provide some analysis—whether it's in an article, a presentation, or a video—that highlights what the threat is and how I, as a CSO, can mitigate that risk.
Vendors need to be informed solution providers, rather than just organizations filled with empty promises. The private dinners are not very effective. Every single day, I receive invitations to CSO dinners, and I immediately delete them. So, I’d advise vendors to focus more on being part of the solution rather than hosting steak dinners or inviting me to a sporting event.
MF: How would you assess the overall maturity of the security industry on this? What percentage of vendors do you feel have a deep understanding of the security threat environment that's facing you?
BH: I would estimate that 40% of vendors understand the threat environment, while 60% are focused on pure business development. When you look at some of the well-established and mature vendors on the cyber side, I think they understand it. But more broadly and in the physical security space, there’s a gap.
We also see this in how seriously vendors take their own security. We’re dealing with more third-party data breaches today than we ever have. I would suggest to you that every 10 to 12 days or so, we see a new third-party supply chain concern. It is downright frightening.
If you are a security company and you can’t keep yourself secure, how can I trust you? As a security company, the one sure way to go out of business is to have a data breach or major intrusion into your key systems.
MF: What's working well? Can you give an example of a company that's demonstrated that they're working to understand the threats and risks you're facing as a customer?
BH: Well, in full disclosure, I’m a longtime customer, but top of mind is Dragos Industrial Security. The sensor technologies and intelligence that they produce are second to none. They work with a lot of the critical infrastructure companies across the country battling nation-state adversaries. I think they have a really good understanding of what adversaries like China, Russia, Iran, and North Korea are doing, what they’re targeting, and what their tactics are. We are collectively better because of that relationship, and it’s apparent to me that Rob Lee and the Dragos team value risk reduction to the nation over a new business account.
