Introduction: The NASCAR Security Problem
Some leaders and tech folks are glaringly tone deaf: they walk into a meeting to pitch a multi-million-dollar security engagement while wearing the vendor’s polo shirt. If you’re not clued in enough to understand why that is a problem, you may not be suited for the CISO seat, or even for the seat of the person who recommends technology.
In every security program I’ve taken over, audited, or advised, I’ve come across what I call NASCAR Security. The slide decks are always the tell. They’re plastered with vendor logos, like the hood of a race car screaming down Talladega. You half expect the CISO to walk into the meeting wearing a leather jacket covered in stitched-on sponsors, trophy in one hand, bottle of vendor-funded champagne in the other, yelling, “Hell yeah, we’re secure now!”
Except they’re not. They’re just fast, loud, and one turn away from the wall.
This kind of security program isn’t built on architecture, strategy, or risk modeling. It’s built on perks, relationships, and vendor sprawl. Behind the NASCAR livery is a bloated tech stack, an overworked team, and a creeping culture of influence that starts with a free dinner and ends with bad decisions.
The Vendor Influence Playbook
Most CISOs understand the dangers of phishing emails, insider threats, or zero-day exploits. But far fewer recognize how much vendor influence operates like a slow-moving exploit chain aimed directly at your procurement integrity.
Here’s how it plays out: A vendor invites a few junior engineers to a “training seminar” in a nice city. Flights, hotel, meals, all covered. There’s a keynote, a few hands-on labs, and a rooftop happy hour. By the end of the week, your team is emotionally and professionally invested in a tool you haven’t vetted. When budget season rolls around, that tool magically appears at the top of their wish list.
The vendor didn’t need a bribe. They built loyalty.
I had an employee who bragged about a particular vendor giving him concert tickets and sports tickets as we moved towards a decision on purchasing. We didn’t have any formal training on graft, gratuities, and bribery at that time. The employee had a Dilbert cartoon over his desk about Dilbert taking a gold watch from a vendor. To this guy, to his own detriment, the vendor was a pseudo-employer.
Influence doesn’t require intent. It just requires access, repetition, and familiarity. That’s why these tactics work.

Training or Trojan Horse?
Not all vendor-based training is bad. In fact, when you’re deploying a tool your team will manage every day, you want them trained by the people who built it. But that’s not what most of these engagements are about.
Too often, training is a sales pitch in disguise. It targets staff with minimal purchasing authority but heavy technical influence. It promotes one tool as “the standard” without showing alternatives. And it happens in venues designed to impress, not educate.
Even third-party certifications aren’t immune. Some require access to vendor ecosystems that nudge learners toward a specific product set. It’s familiarity-as-strategy. And it works.
There is a clear difference between education and training, and I prioritize upskilling on the tools my company owns. Any security or technology certification focused specifically on a vendor’s product is suspect if you do not currently own that product. Why? What value does it provide to the company? When I adopt new technology, I require the vendor or a value-added reseller to offer personalized training courses for my employees as part of the cost of adopting the new tool. Occasionally, I have negotiated to receive training before we purchase the product, but those involved understand beforehand that it might turn out to be a waste of time.
This isn’t education. It’s brand conditioning.
The Gray Zone Gets Grayer
Some CISOs argue that as long as the perks aren’t technically illegal, or as long as no one signs a PO at the golf course, it’s fine. But those arguments miss the point.
When junior or mid-level staff accept flights, meals, hotel stays, or gifts from vendors, it creates two corrosive effects. First, it compromises procurement objectivity, even if subtly. No one makes a major purchasing decision based on a free lunch, but the cumulative effect of positive associations adds up fast. Second, it normalizes a culture where influence is accepted as a perk, not recognized as a risk. That’s how you end up with vendor allegiance growing quietly in your org chart, tucked beneath your awareness until it’s baked into your next roadmap.
Would your internal audit team be comfortable with free international travel offered by a vendor? Would your CFO shrug off $400 concert tickets handed to your security architect? If not, why does security get a pass?
Other Professions Saw This Coming
In law, this kind of thing is tightly controlled. Lawyers can’t accept anything that looks like quid pro quo from vendors or partners. CLEs (Continuing Legal Education) must disclose sponsorship and remain content-neutral.
In finance, even the appearance of conflict of interest is grounds for investigation. Procurement departments often have rules that prohibit vendor gifts entirely, especially during RFP or renewal cycles.
Even marketing, a field built on relationships, requires transparency when gifts, perks, or sponsored events are involved.
Only in tech do we routinely accept that a vendor paying for steak, golf, and swag bags is somehow doing us a favor.
In many marketing and procurement departments, vendor relationships come with strict guardrails designed to keep influence in check. For instance, it’s common for procurement policies to outright prohibit accepting gifts, paid travel, or entertainment during active vendor evaluations. Marketing teams, while accustomed to relationship-building, typically require full disclosure and approval before any perks are accepted, maintaining transparency and minimizing conflicts of interest. Contrast that with many tech organizations, where a casual “training trip” to a vendor conference, paid for entirely by the vendor, is accepted as routine: no oversight, no approvals, just tacit permission. This lax approach leaves the door wide open for influence campaigns disguised as professional development, eroding objectivity and inflating vendor footholds within the security program.
Why CISOs Let It Slide
There are a few reasons. Many CISOs came up through engineering or ops, not governance or finance. They’re not trained to recognize influence operations. It’s uncomfortable to be the person who says no to your team’s trip to Vegas. They rationalize it: “Everyone does it,” “We’re not buying anything yet,” or “It’s just training.”
But the core problem is a mismatch in incentives. Vendors are playing a long game. Security leaders often aren’t.

The Cost of Complacency
This culture costs more than a few overpriced dinners. It leads to tool sprawl: multiple products solving the same problem. It results in poor integration, because shiny tools don’t always talk to each other. It drains budget, often into expensive shelfware pushed by vendor-aligned staff. And it erodes trust, not just with finance, audit, and procurement, but within your own team. Security leaders lose credibility when their stacks look more like sponsored booths at RSA than coherent strategies.
What a CISO Can Do (and Should)
First, it starts with codifying expectations. Create a formal policy that spells out what is and isn’t acceptable when it comes to vendor gifts, perks, and training. Don’t leave it to interpretation. Set hard limits on the dollar value of any gifts, and require pre-approval for all travel or event participation. This isn’t about micromanagement; it’s about drawing clear boundaries so that no one, including vendors, can claim confusion.
Then, control how vendor relationships begin and evolve. Centralize communications, especially for unsolicited contact. Vendors shouldn’t be able to directly approach your junior team members with “training” invites, exclusive dinners, or early access perks. Make it known that all vendor engagement must go through designated procurement or governance channels. This removes ambiguity and minimizes the risk of influence sneaking in through informal relationships.
Next, reinforce expectations in contracts. Include ethics clauses in your vendor agreements that explicitly ban gifts, paid travel, or any attempt to exert personal influence. These clauses should have teeth. Make it clear that violations won’t just get a slap on the wrist; they could terminate the business relationship.
Security awareness needs to evolve too. It’s not enough to teach teams how to spot phishing attempts and rogue USB drives. They should also learn to recognize influence campaigns. Run training that includes examples of how vendors might try to build loyalty through perks, even if it doesn’t feel like a direct sales pitch. Connect the dots between subtle influence and strategic misalignment.
Also, don’t be afraid to audit for influence. Review expense reports, travel approvals, and event participation. Pay attention to patterns. If you notice a particular vendor cropping up repeatedly in casual staff interactions or someone suddenly becoming an internal champion for a tool they haven’t been asked to evaluate, dig deeper. These are red flags, and they deserve the same attention you’d give any other sign of operational risk.
And finally, take a stand. Make integrity part of your security program’s identity. Tell vendors directly: If your product can’t win on merit, it doesn’t belong in our stack. Put that message on your vendor engagement policy. Say it during public panels. Make it part of your onboarding for new partners. The more transparent you are, the less appealing your org becomes for vendors looking to game the system.
I have fired account teams that tried to influence my staff without my permission. I have always had good relationships with vendors, but when my team is giving over road maps, technical details of our network, and architectural reviews, and we haven’t even had a request for proposal on the street, I have a tendency to become a petty tyrant: I inform the account team that their continued discussion, formal or informal, is to end, and I put them in a time-out for at least a year. I never seem to get invited to speak on vendors’ dimes at Black Hat in my doddering retirement. Think they’re related?
The Litmus Test
If you wouldn’t be comfortable reading your team’s vendor engagement history out loud at a board meeting, then it probably shouldn’t be happening.
If you wouldn’t let your procurement officer accept a free flight and $500 dinner from a supplier, then your architect shouldn’t either.
Security is not exempt from the standards that guide the rest of the business. In fact, it should be the one setting them.
Conclusion: Stop Playing the Game You’re Supposed to Be Defending Against
Vendors are running soft influence campaigns every day. They’re smart, subtle, and relentless. They know that getting your junior staff emotionally invested is worth more than a hundred demos.
I like to organize vendor quarterly reports, formalize acquisition strategies, and reduce the chaos of buying surprise items. If my staff can’t quickly put together a request for information or proposal, then they’re not serious or prepared to acquire millions of dollars in equipment. I’m not surprised to see CISO team members push back against this kind of structure, and even the procurement folks say they can’t handle the structure in Fortune-rated organizations. Ultimately, it often comes down to a loss of integrity and is not about security at all. The pushback is itself an indicator of an opportunity for change, and I have advised boards of directors that asking basic questions along these lines is a good indicator of CISO relevance and maturity.
It’s time to stop pretending graft is normal. It’s not. And it’s not harmless either.
If you’re the CISO, your job isn’t to make friends or gather swag. Your task is to develop a security program that functions even without steak, lanyards, or an open bar.
Put away the leather jacket. Ditch the champagne. Stop driving the NASCAR stack. Win on performance, not perks. Are you a business leader, or a pass-through for some vendor who sees you as an easy mark?