Cyber security is hot, with startups offering new solutions popping up regularly. On top of that, established vendors are adding new capabilities. The air is filled with pitches for machine learning, artificial intelligence, visibility, insider threat monitoring, cloud-based identity and access management …

What’s a CISO to do? Be more skeptical, says one of those doing the pitching.

In a recent column, Danelle Au, vice-president of strategy and marketing at SafeBreach, quotes a number of anonymous chief security officers detailing their frustration with the approaches suppliers and would-be suppliers are making.

“I hear hyped-up pitches all the time; powerful messages offering Holy Grail solutions,” one CISO is quoted as saying.

What they really want is this: “Good security pitches start with a vendor that understands its product strengths and provides an honest assessment of how the solution aligns with customer needs,” Au quotes an infosec pro as saying. “A good pitch also includes fresh, unique approaches to existing problems.”

When a vendor comes pitching, do you grill the person on case studies, customer endorsements, false positives, implementation costs and other details of the solution?

As one leader quoted by the author notes, the CISO knows the organization’s risks best, and that’s where the focus needs to be. One piece of advice: ask specific questions that can’t be answered with prepared responses. Another: have the cyber team think about how a hacker would try to exploit the proposed solution.

It’s hard enough for a CISO to keep reminding the team to be tough when facing the daily avalanche of threats. Being tough is also an obligation when facing well-meaning salespersons.

And it’s also incumbent on vendors to make sure that the solutions being pitched actually solve real problems.