“You're the first CISO in 15 years I've met who negotiates contracts,” someone told me the other day (during a negotiation, of course).
This struck me as strange and noteworthy. Maybe I'm a deviation from the industry norm, but I think hardball negotiation with security vendors is a core part of my job.
In fact, if sales reps aren't taken aback by my lowball offers that go beyond their standard automatic "discounts", I don't think I'm doing my job.
Why?
I'm here to secure my employer to the best of my ability. And how do I measure success?
By how much security risk I can take off the table as cheaply as possible.
By my Security ROI.
We don't do security work in a vacuum with infinite resources. We have to perform a cost/benefit analysis on all security spend.
It's not maximizing risk mitigation alone or minimizing expense that is the goal here—neither is realistic in a business with, by definition, limited resources.
That means I have to maximize that ratio: risk taken off the table over what it costs to do so. Maximizing the numerator is something we all know we have to do, but minimizing the denominator is equally important.
And how do you minimize the denominator? By playing hardball during negotiations with security vendors.
Business is business, and as CISO you are a representative of the business. Your job is to get the best deal for your employer.
That makes negotiating skill a core part of the CISO toolkit.
Driving a hard bargain is part of your job.