What do CISOs really want from cybersecurity vendors? Denis Yakimov of Equiti Group offers a perspective in this exclusive interview published in CodeRED June–July Edition. From the importance of aligning cybersecurity initiatives with business strategy to the flaws in vulnerability management and the value of co-developing tools, Yakimov outlines what’s working, what’s broken, and how vendors can better support enterprise security goals in an evolving digital ecosystem.

What are the top cybersecurity priorities for your organization this year?

This year, our top priority is to support the business in achieving sustainable growth and stability as it works toward its strategic objectives. I often see CISOs setting goals in isolation focusing on internal KPIs or reacting to emerging threats without aligning with the broader business context. But it’s critical to remember that security exists to enable the business, and everything we do should be guided by that principle.

How do you align cybersecurity initiatives with overall business goals?

Everything starts with the business setting its goals for the year, which are typically based on shareholder expectations. At Equiti, business goals are clearly defined and openly communicated, so every employee understands the direction in which the organization is heading.

From a security standpoint, we use these goals as a foundation and, at the beginning of the year, during strategy planning, we brainstorm which cybersecurity actions will most effectively support the achievement of these goals. For instance, in 2024 we achieved ISO 27001 certification, which helped Equiti take a significant step toward building stronger trust with key clients and partners and becoming one of the leading brokers in the UAE. Similar security initiatives are aligned with goals related to operational resilience, among others.

What are the key factors you consider when evaluating cybersecurity vendors?

We take a comprehensive approach when selecting vendors, using comparison tables and well-defined evaluation criteria. These always include compatibility with our existing environment and compliance with local regulatory requirements. For example, in the UAE, financial institutions must store regulated customer data within the country, which immediately disqualifies many SaaS vendors without local data centers.

Given that Equiti is a rapidly growing organization, scalability and ease of deployment are critical factors for us. Once all evaluation criteria are met, we proceed with a PoC, a data privacy assessment, and a third-party risk assessment. While the process may seem complex at first, we aim to complete evaluations at a startup pace – typically within 2–3 weeks.

How do you prefer vendors to approach you, with education, product demos, proof of value?

I believe that anything that helps evaluate a solution within the context of our own environment is highly valuable. I have a hard time understanding vendors who reject proof of concept and instead get caught up in internal approval cycles at this stage. For me, that’s usually a yellow flag. If a vendor is willing to schedule as many meetings as necessary to ensure that the solution works effectively within our infrastructure, that is always an additional reason for me to prioritize them. It signals a high likelihood that they will continue to provide support after the purchase and that they have nothing to hide.

What are the biggest gaps in current cybersecurity solutions that vendors should address?

In my view, areas such as vulnerability management, despite their long history, are still underdeveloped. Even well-established and experienced vendors like Qualys and Rapid7 continue to generate a significant amount of noise in their vulnerability dashboards, and current prioritization methods do little to change that.

I regularly speak with many CISOs across the industry, and I keep hearing about hundreds or even thousands of high and critical vulnerabilities reported by their VM solutions. Yet, in reality, 99% of security incidents are either unrelated to vulnerability exploitation or are linked to vulnerabilities that were not flagged or covered by these VM tools at all.

Are there specific challenges in integration, scalability, or support that you’ve faced?

We’ve encountered situations where we acquire a tool that fits our needs very well, but face challenges finding the right expertise to implement it properly, considering all the specific requirements. And it’s not even about internal resources – it’s about the expertise available on the market. While evaluating a solution itself is relatively straightforward, assessing the contractor’s expertise, especially ensuring they are both trustworthy and fairly priced, can be quite difficult. I’ve previously worked at various MSPs, and I clearly remember how service providers often focused on selling the service first, while trying to acquire the necessary expertise during the implementation phase.

What role do vendors play in helping you maintain compliance?

When it comes to vendors and compliance, I truly appreciate the direction the market is taking toward GRC Engineering. I believe this area has the potential to become highly developed and popular in the future – similar to how DevSecOps gained momentum in its time.

Take Vanta, for example. Although it is essentially a tool for automating GRC processes, its interface is so simple and intuitive that it has successfully captured a market even among startups—a segment where selling anything from the security domain is typically challenging due to immaturity and limited budgets.

On our side, we are also taking proactive steps toward compliance automation. However, we must consider a wide range of factors, including our presence in multiple countries and various privacy obligations.

How is your cybersecurity budget evolving year-over-year?

There is a lot of talk on social media about cybersecurity underbudgeting, but in reality, many organizations tend to overinvest. A common pattern is CISOs onboarding numerous dashboards that generate excessive noise and offer limited optimization.

At Equiti, even though we’re open to increasing the cybersecurity budget, our team has been focused on cost optimization for two consecutive years, mainly through smarter licensing decisions. This often means replacing vendors – always with a proper risk assessment – but given the vast range of available solutions on the market, finding quality alternatives at a lower cost is rarely a challenge today.

What’s your advice to vendors looking to position their solutions for budget approval?

My advice is not to focus on addressing yet another threat, but rather to demonstrate how your tool brings real business value. Modern CISOs are increasingly expected to speak the language of the business and sit at the board table. As a result, the tools in a CISO’s toolkit should support business enablement, not just threat mitigation or the addition of another dashboard. If you look at the most successful cybersecurity companies  such as Wiz, Okta, or Zscaler  they’ve become integral to their customers’ operations and have a direct impact on business efficiency.

Have you collaborated with vendors on co-developing or customizing solutions?

Absolutely. Vendors willing to adapt their roadmap for our needs are always strong candidates. For example, we’re working closely with a SAST vendor that is developing integration features for one of our specific CI/CD environments.

Since this environment is relatively niche and not widely supported out of the box, the vendor’s willingness to invest effort in saving us extensive engineering time on custom integration has been a major factor in our decision. I must admit, this kind of flexibility is more common among small to mid-sized vendors.

What common mistakes do vendors make when engaging with CISOs?

Pushing too hard and being overly persistent. In my view, if someone genuinely needs your product, they will be responsive and willing to do whatever it takes to close the deal quickly. If you spend your time chasing people who show limited interest, you might move the deal forward temporarily, but in the end, it will likely fall through and you will have simply wasted time.

What’s one innovation or improvement you hope to see from vendors in the next 12 months?

Although I remain skeptical about the grand future predicted for AI,where it is expected to replace humans, I personally would like to see more practices focused not on solving isolated micro-tasks or problems by introducing yet another tool to the portfolio, but rather on enabling the correlation of all available security data into a unified pool of interconnected knowledge.

Such an approach could help predict where threats are most likely to emerge or which changes would yield the most significant impact. I believe that an AI system capable of aggregating insights across the entire organization and its cybersecurity tools could deliver this kind of value.

In today’s world, many security leaders still make strategic decisions based on educated guesses and abstract, subjective risk assessments essentially, reading tea leaves rather than relying on data-driven foresight.

Related post

View all