Selling to the CISO: An open letter to the cybersecurity industry

The cybersecurity market has lost its mind.

It seems like every week a new vendor appears, investors throw money at half-baked ideas, and CISOs get buried in pitches for products that won’t stop the next breach. The noise keeps getting louder while the fundamentals stay ignored.

Most of these products don’t even look impressive in a demo. I sit through presentations and wonder why they exist. They promise to “redefine security” but can’t even explain what problem they’re solving. They’re built for funding rounds, not production. They’re answers to questions nobody asked. Meanwhile, the same core vulnerabilities keep wrecking companies year after year.

Vendors think they’re selling technology. They’re not. They’re trying to sell confidence to people whose jobs depend on managing the impossible. As a CISO, I buy because I’m trying to reduce the odds that something catastrophic happens on my watch. Every decision is a gamble. There is no “safe” option in this field. I buy to reduce personal and organizational risk, knowing there’s no such thing as perfect protection.

Cybersecurity is not a puzzle you solve. It’s a game you play — and it never ends. You make the best moves you can, knowing you’ll never win. Even if I somehow patched every system and closed every gap, the cost of perfection would cripple the company. We could make ourselves completely secure tomorrow if we were willing to stop shipping product, serving customers, and generating revenue. But that isn’t security anymore.

The job is to keep the company running without letting it burn down. That means I don’t just care about uptime. I care about not having the breach that defines the next year of my life. It’s about balance. Too much risk and you’re in the headlines. Too much control and you kill innovation. Every day in this role is a negotiation between the two.

That’s why I buy very selectively. I buy what fits the roadmap, what measurably reduces risk, what integrates cleanly, and what my team can sustain. I buy visibility because you can’t defend what you can’t see. I buy identity because access is where real control lives. I buy automation that makes people faster, not dumber. And I buy tools that make secure-by-design real, not theoretical.

What I don’t buy is hype. I don’t buy tools that overlap with three others. I don’t buy anything that looks good in a slide deck but fails in the real world. I don’t buy complexity that makes the team’s job harder. And I don’t buy from anyone who can’t explain in clear, human language what problem they’re solving and how it actually reduces risk.

It’s all about the fundamentals

The truth is that most organizations don’t need more tools. They need to get the fundamentals right. If you can patch consistently, maintain good access controls, and segment your networks so you aren’t running flat, you’re ahead of most of the market — no shiny tools required. Strong patching alone will eliminate most of the attack surface that vendors keep promising to “detect.” Network segmentation prevents lateral movement. Access control limits blast radius. These aren’t new ideas. They’re old, proven, and neglected because they don’t sound exciting enough for investors.

And that’s the problem. The industry has stopped rewarding what works. It rewards what sells. Venture capital keeps throwing money at “AI-powered” and “autonomous” everything while the basics rot. Vendors chase hype because hype gets funding. CISOs buy hype because we’re desperate for something that will finally make the pain stop. The cycle feeds itself. Everyone’s rational, but the result is insane.

We can’t blame vendors alone. We created the market they’re serving. We bought into the illusion that innovation equals progress. We ignored the fundamentals because they’re hard and unglamorous. We filled our environments with products we couldn’t fully use and called it maturity. We built complexity and called it strategy. Then we act shocked when the same root causes keep taking us down.

Good security still starts with good IT. Always has. Always will. If you don’t know what you own, you can’t protect it. If you don’t patch it, it’s already compromised. If you give excessive access or run a flat network, you’re one compromised credential away from a crisis. The solutions exist. They’re just not exciting. They require patience, process, and persistence, which are the three things this industry avoids because they don’t photograph well at RSA.

Looking for reliability, not revolution

I’m not anti-technology. I rely on it. But I buy it with purpose. I buy tools that make us better at the basics, that help enforce discipline, and that reduce human error. I buy solutions that simplify, not complicate. And I buy from vendors who tell me the truth, even when it’s inconvenient.

The good vendors understand this. They know they’re not selling revolution. They’re selling reliability. They show up prepared. They understand my business, they know where their solution fits, and they’re honest about what it can and can’t do. They know I’m not looking for magic. I’m looking for help managing a problem that never ends.

Investors need to take responsibility, too. Stop funding vaporware. Stop chasing the next acronym. Fund the boring but critical work: visibility, identity, secure configuration, developer enablement, and IT hygiene. That’s what actually keeps companies out of the headlines.

And CISOs, we have to stop pretending we’re victims in this. We’re not. We built this market with our buying habits. We rewarded noise. We chased innovation that didn’t align with our maturity. If we want the industry to change, we have to change how we spend. Buy less. Buy smarter. Invest in people, process, and architecture before you buy another platform. If you can’t patch, if you can’t control access, if your network is still flat, you don’t need another tool. You need discipline.

Security is not a tech problem. It’s an execution problem. And until we fix that, no amount of funding, AI, or new categories will save us.

I’ll keep buying what matters. I’ll buy what reduces real risk and strengthens the foundation. I’ll buy what makes us harder to breach and easier to recover. But everything else, the noise, the hype, the endless stream of tools that don’t fix the real issues, can stay on the shelf (or in your PowerPoint slides).

Originally published on CSO Online as "Selling to the CISO: An open letter to the cybersecurity industry".