"The more comfort a provider can provide us through their own practices, such as through independent audit reports, the better."
How not to sell
Following nearly six years of experience in the Serco security hot seat, naturally, Arronis has encountered many a bad pitch, whether that be through channel partners or direct encounters with the vendor.
For Arronis, the issue centres around an overriding hunger for securing a larger market share, which blocks providers from offering the best solution to the customer.
"Most providers are trying to grab a bigger piece of the pie in the security and assurance space," he said. "Some of their offerings are not core strengths and we see this come through in delivery."
Arronis observed that partners that view cyber security as a new growth area for the business, mistakenly approach sales with a traditional "box dropping" mind-set, offering solutions in a similar manner.
Specifically, this includes relying on a brand to get them in the door or applying a one size fits all approach to potential customers.
But from the perspective of the CISO, Arronis said this approach often causes more damage to the business over the long-term, through offering a technology which isn't fully understood.
Quite simply, it comes back to knowing the customer.
Arronis acknowledged however that such issues were not exclusive to prospective suppliers, with incumbent partners also guilty of failing to deliver value on insights gained from the product or service provided.
"I find many provide good informational reports yet fail to add value by answering the 'so what' question," he added.
If Serco engages a partner in a managed services capability, usually the partner provides monthly reports crammed with information but little insight.
"What I receive in those reports most of the time is that we have had X number of events and closed out Y number of events," Arronis explained.
"But what they don't do is take the information they have seen from their other customers, especially if it is a managed service, and infer new insights from that information, which could potentially drive me to make a change in the way I run security in my organisation."
Plainly speaking, Arronis said providers today are providing "static information", rather than real-time and actionable insights.
"Some offer okay insights, but we really want vendors [and partners] to step up and deliver real value in that space," he said. "That should be part of that base offering, not just providing me with raw data."
Slotting into the supply chain
Aside from ongoing issues around the need for appropriate security solutions, Arronis said many partners, both large and small, still struggle to understand where they fit within the supply chain.
Sign up for Computerworld eNewsletters.