All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-trusting-security-vendor-claims/) Do security vendors deliver on their claims and heck, are they even explaining what they do clearly so CISOs actually know what they're buying? Check out this post and the Valimail survey for the basis of our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Lee Parrish (@LeeParrish), CISO, Hertz. Thanks to this week's podcast sponsor, AttackIQ. AttackIQ, the leading independent vendor of breach and attack simulation solutions, built the industry’s first Security Optimization Platform for continuous security control validation and improving security program effectiveness and efficiency. AttackIQ is trusted by leading organizations worldwide to plan security improvements and verify that cyberdefenses work as expected, aligned with the MITRE ATT&CK framework.  On this episode of Defense in Depth, you’ll learn: From those surveyed by Valimail survey, a third to a half didn't believe that vendors did a good job explaining what their product does, or that the product actually performed, or there was any way to actually measure that performance. Many questioned those numbers because they feel many security buyers still fall for security vendors' boastful claims. Both can actually be true. Stunned behavior at a trade show is not the indicator of knowledge and susceptibility to vendor pitches. When you're under the gun as a security professional to produce results you often become victim to security vendor claims because you want to deliver on demands from the business. By nature, CISOs should be skeptical about vendor claims and information within their own environment. There's a battle between those vendors truly trying to deliver value and those who are using their marketing savvy to sway industry thinking. Don't place all the blame on the vendors. CISOs still have trouble understanding their requirements, risk, and priorities. Many are guilty of engaging in "random acts of security". Claims can often be more trustworthy if the vendor is willing to explain what they can't do.