www.wsj.com
2600:9000:223c:dc00:3:4b0:de80:93a1  Public Scan

Submitted URL: https://info.templafy.com/e3t/Ctc/LX+113/cJ9Zz04/VVvPk89fJjLSW2ctFvv4t77ztW8JC1R54QfYqrN4sL4cG9gn4DV7Wycr7CgG1PW4SJZ9t3cMK...
Effective URL: https://www.wsj.com/articles/how-cyber-chiefs-cut-through-marketing-noise-11659432600?utm_medium=email&_hsmi=2&_hsen...
Submission: On September 23 via api from IE — Scanned from DE

Form analysis 1 forms found in the DOM

<form autocomplete="off">
  <div id="scrim-from-wrap" class="input-wrap">
    <label for="scrim-from">From</label>
    <textarea id="scrim-from" readonly="readonly" disabled="disabled" type="text" autocomplete="off" autocorrect="off" autocapitalize="none"></textarea>
  </div>
  <div id="scrim-to-wrap" class="input-wrap">
    <label for="scrim-to">To</label>
    <input id="scrim-to" type="text" autocomplete="off" autocorrect="off" autocapitalize="none">
  </div>
  <div class="input-wrap">
    <label for="scrim-message">Message</label>
    <textarea id="scrim-message" class="msg" maxlength="500" type="text" autocomplete="off" autocorrect="off" autocapitalize="none"></textarea>
  </div>
</form>

Text Content


This copy is for your personal, non-commercial use only. To order
presentation-ready copies for distribution to your colleagues, clients or
customers visit https://www.djreprints.com.

https://www.wsj.com/articles/how-cyber-chiefs-cut-through-marketing-noise-11659432600



HOW CYBER CHIEFS CUT THROUGH MARKETING NOISE


IN A CROWDED CYBERSECURITY MARKET, TECH PROVIDERS MAKE BASIC MISTAKES IN TRYING
TO WIN BUSINESS, CISOS SAY

CORPORATE SECURITY CHIEFS CAN FACE A DELUGE OF MARKETING PITCHES FROM
CYBERSECURITY PROVIDERS. HERE, AN AMAZON SECURITY CONFERENCE IN JULY IN BOSTON.

Photo: KIM S. NASH/THE WALL STREET JOURNAL
By Cheryl Winokur Munk
Aug. 2, 2022 5:30 am ET | WSJ Pro


Hundreds of cybersecurity companies compete for attention from chief information
security officers through email solicitations, cold calls and tech conferences.

Here are five strategies corporate security chiefs use to weed out unsuitable
cyber providers.

EMAIL FILTERS

“As a CISO, the deluge of marketing and solicitation from cybersecurity startups
was intense,” said Jerry Perullo, a cybersecurity management consultant who was
CISO of New York Stock Exchange owner Intercontinental Exchange Inc. for 20
years until leaving the post in 2021. At one point, he counted all the emails
that had been blocked by filters he had set up to find he received more than 120
solicitations a day.

He had a category defined in his filtering tools for these types of messages,
which his company dubbed “UCE,” or “unsolicited commercial email.” Since these
emails weren’t malicious and often dealt with relevant topics, fine-tuning the
filtering system was important, Mr. Perullo said. One trick was to block any
email he received with the word “whitepaper” in the subject, he said.



WARM INTRODUCTIONS

Anne Marie Zettlemoyer, chief security officer for Palo Alto, Calif.-based
CyCognito Ltd., which provides cyber-risk-assessment tools, said she is more
inclined to read emails with a warm introduction, or those from vendor
representatives who follow up based on the interest she has expressed. Certain
emails she deletes almost immediately.

As vice president of security engineering at Mastercard Inc. until earlier this
summer, she got many generic emails aimed broadly at financial-services
executives, with some that addressed her as “Dear Buyer.” Other automatic
turnoffs were vendor agents who sent calendar invitations without having spoken
to her and those who called her on a nonwork number.

PURSUE VERSUS BEING PURSUED

CISOs often prefer to be in the driver’s seat when it comes to finding vendors.
For Ryan Heckman, assistant director of identity and access management
governance at Principal Financial Group Inc., vendor selection is a continuous
process to ensure his team’s capabilities align with the ever-changing threat
landscape. Mr. Heckman was until late July cybersecurity manager at Iowa-based
convenience store chain Casey’s General Stores Inc. He recalled that during a
recent evaluation of capabilities and needs at Casey’s, he wanted to get a
handle on industry products that could be useful add-ons for the company, so he
did some window shopping at last summer’s Black Hat USA conference. By talking
to vendors about the company’s requirements, he was able to narrow it down to
about a half-dozen options that he could then research on his own and run by
peers.


In the following months, Mr. Heckman’s team of cyber specialists tested various
platforms and assessed each against the known attack vectors at the time. Some
products were found to affect the end-user experience and were quickly
eliminated. Others performed well, requiring additional comparison of
integration and administrative overhead to narrow the field, he said. This
hands-on approach, coupled with open-forum peer discussion with others in retail,
led to the final product selection, Mr. Heckman said.

Ellen Benaim, CISO at Templafy ApS, a Denmark-based document-generation
platform, was bombarded with emails after the Log4j bug emerged late last year.
She waited to respond until about two weeks later, when she had secured the
budget and resources to investigate vendors. In the meantime, Ms. Benaim said,
the company addressed its Log4j vulnerabilities on its own, and started looking
for a supplemental tool.

Her vendor research included using CISO forums. One fellow CISO who used an
open-source vulnerability-scanning tool demonstrated it for her and discussed
hiccups the company had experienced with a different solution they used to work
with. “That type of experience is invaluable,” she said. Templafy has since
implemented the tool demonstrated by the other CISO.

PARTNERS, NOT TRANSACTIONS

Once they narrow the pool to one or two contenders, security chiefs said the
final vetting process considers factors such as price and the ability to
customize services and tools, plus the vendor’s own security practices and
financial soundness. Vendors that make the cut are often willing to adapt to fit
a customer’s needs, said Chris Castaldo, CISO at Philadelphia-based tech company
Crossbeam Inc., which helps companies find new business partners and customers.

“You can tell when someone is really passionate about making your problem their
problem to solve,” he said.

SEEK PROFESSIONALISM

One way to weed out vendors is to discount those that come off as cagey, don’t
provide information requested or are just plain sloppy, Ms. Zettlemoyer said.
It’s important for vendors to understand what a customer wants and avoid
careless mistakes, she said. One vendor didn’t personalize a pitch, showing her
materials prepared for another company. “It sounds basic, but [some] vendors
miss the mark,” she said. “With security, there are 3,000 vendors and nobody is
really irreplaceable.”


Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.