
Cyber at the Top: Choosing the Right Cybersecurity Partners—A CISO’s Playbook


Posted by Hugh Thompson

Welcome to February, the month before RSAC™ 2026 Conference and the season of love. This time of year puts a spotlight on partnerships. And while the cybersecurity community may not be the best place to turn for romantic relationship advice, we do know a thing or two about the security partnerships that matter when the stakes are high.

In the latest episode of Cyber at the Top, I had the chance to sit down with Tal Arad, former CTO and Group CISO of Carlsberg Group. Tal brings unique perspective, having led both IT infrastructure and cybersecurity on a global scale. During our conversation, he shared some of the most practical guidance I’ve heard on choosing cybersecurity partners and establishing relationships that last.

His insights are especially timely as CISOs head into 2026 facing an increasingly crowded vendor landscape and growing pressure to make the right investments. Below are three key lessons I took away from our discussion.

Start with the problem you need to solve

Anyone who has walked the Expo floor at RSAC Conference knows the feeling: rows of vendor booths stretching as far as you can see, all promising the latest breakthrough powered by the newest buzzword. It can be overwhelming, and it’s easy to spend valuable time chasing shiny objects instead of solving real problems.

Tal offered what may be the most important question a CISO can ask early on: “First and foremost,” he said, “Are they solving an issue that I actually need to solve? You’d be surprised that’s not a standard question.” Before evaluating features, dashboards, or AI-first claims, leaders should have clarity on what gap needs to be addressed, whether it’s net-new risk, operational improvement, or consolidation.

Tal also emphasized the importance of moving past marketing claims and getting to technical discussions quickly. Push for a technical proof of concept sooner rather than later. And just as importantly, Tal suggested bringing the implementation team into the conversation, so you can find out if their plan is realistic. A worthwhile partner won’t hide behind abstractions. If they can engage in real technical depth from the beginning, that is often an early signal of substance and a long-term future. If they have a realistic timeline and can acknowledge that nothing ever goes perfectly according to plan, it’s a good sign you’re dealing with a true partner, not just a strong salesperson.

Focus on alignment to establish long-term partnerships

One theme Tal returned to repeatedly was alignment, because every organization has its own strategy, operating model, and level of risk tolerance. That means ensuring your partners can integrate into your environment, including your IT service management systems, workflows and reporting structures, internal security values and governance, and user experience.

Tal shared an example of a time his organization wanted to work with a phishing simulation provider, but they couldn’t integrate with the phishing reporting button already deployed across his company. Introducing a second button would have undermined years of user training. It might seem like a small detail, but it’s an operational reality that can make or break a partnership. For multinational organizations, alignment also extends to language support and regulatory requirements across jurisdictions. A solution that works smoothly in the US or EU might not translate easily to other parts of the world.

Avoid common mistakes that derail cyber partnerships

Even strong partnerships can ultimately fail without the right governance and attention. Tal highlighted a few of the most common mistakes CISOs make. The first is surprisingly simple, he said, “It’s not using the offering or not using it to capacity.” Many organizations invest heavily in platforms with broad capabilities only to leave value on the table. He also recommended bringing contract specialists into negotiations. As a cybersecurity expert, you may not know all the angles of legal contracts.

Another major issue on both sides is letting the relationship go cold after purchase. Vendor attention often peaks during the sales process and drops after the contract is signed. In some cases, support becomes sluggish and innovation slows. Tal advised cyber leaders and partners to be proactive by maintaining the relationship through mutual updates, shared accountability, and structured engagement. The strongest partnerships are supported by clear expectations, measurable outcomes, and operational follow-through.

Tal shared examples of the best and worst ends of the spectrum. He highlighted a provider that consistently advised him on what was best for his organization, even when it meant less revenue for the vendor. On the other hand, he was disappointed by a provider whose neglect and lack of care contributed to serious incidents. Trust and long-term commitment are difficult to fake, and a strong community of cybersecurity leaders is likely to spread the word about vendors who perform well and those that don’t.

Final takeaway: Choose the partner you’d still trust five years from now

At the end of our conversation, Tal offered one of the most memorable pieces of advice I’ve heard on this topic. He explained, “Choose a vendor or partner that you can see yourself sitting with in a pub five years from now and still get engaged by them. If you’ve done that, you’re going to be ok.”

Cybersecurity is built on relationships, whether it’s between teams, across industries, or with the partners we rely on to defend critical systems. So, as we head toward another RSAC Conference, another Expo floor full of potential partners, and another year of rapid change, it’s worth remembering that the best cybersecurity partners aren’t defined by flashy promises. They’re defined by honesty, alignment, and showing up when it counts. Those are the partnerships that last.

Listen to the full episode or watch the video to learn more, including Tal’s advice on choosing between emerging startups and established players.

Contributors
Hugh Thompson

Executive Chairman & RSAC Conference Program Committee Chair, RSAC

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

