Update: For an interesting discussion of this post, take a listen to this Security Weekly podcast. The discussion starts at 8 minutes, 10 seconds.
The cybersecurity tech market is crowded. Very crowded.
Whether you’re in security, IT, or another related discipline, choosing vendors and products can be overwhelming and frustrating — and making bad choices can be costly up front as well as down the road. To bring some clarity to the process, we’ve put together a brief list of questions. Together, they should help you develop a basic understanding of your needs and capabilities so you can start identifying appropriate offerings and vendors in the cybersecurity marketplace.
(Note: In an upcoming post, we’ll examine some of the key technical issues you need to consider before selecting a security product or solution.)
The questions in this section mainly focus on organizational and human factors and will help you create a picture of your company: its objectives, requirements, resources, skills, knowledge, experience with security, etc.
- Does your company have a security policy, and how experienced is your company in cloud security? OK, that’s two questions, but the aim is to gauge how mature your approach to and knowledge of security are so you can plan an effective strategy. If you’re just starting out in cloud security, it’s best to take things a few steps at a time so you don’t become overwhelmed.
- Does your organization have a dedicated security team? How knowledgeable and experienced are your resources? Again, two questions, but you need to evaluate your own knowledge and skill levels at the outset so you can start out confidently and then build incrementally on your successes.
- Have you identified specific security objectives and requirements and put them into a plan that’s both strategic and tactical? If not, write a plan — even if it’s rudimentary. Without a clear set of goals, you’re operating in the dark, and it’s unlikely that you’ll get the results your organization needs. Again, buying a security product or solution doesn’t have to be daunting, but it does require a certain amount of analysis and planning up front.
- Who do you need buy-in from? This may seem obvious, but it’s easy to overlook people who will ultimately be affected by the product you select — and it’s a lot easier to get buy-in before you make the purchase than after you’ve made a decision without them. Gather a list of requests and requirements from all parties involved. You should still make the final decision, but others will feel like they have had a stake in the process and will be more likely to give the technology a real shot post-purchase.

That’s enough questions to start with. As you can see, the process really needs to start at home with an understanding of your company’s objectives, requirements, existing resources, skill levels, and your overall maturity level with cloud security.
Security Products and Vendors
Now it’s time to take a look at some questions about vendors and their products.
- Will this product help you achieve security or just compliance? Being compliant does not equal being secure. Even if compliance is the reason you’re shopping for a new vendor in the first place, why not reduce risk while you’re at it? If you buy the cheapest option just to check a box, you’re not getting much leverage from your tech dollars. It’s far better to buy a solution that will help you with compliance and also provide security at critical points throughout your environment to keep your data and systems secure.
- How much time will this product save you vs. how much time will you need to put into it? Automation is a great way to save time and resources — but it’s important to really think about how much time you’ll put into setting up and maintaining this automation so you can decide whether it’s really worth it. What you’re really doing here is evaluating part of the Total Cost of Ownership (TCO), and it’s critical to do this before you make a commitment (i.e., sign a contract).
- How experienced does a person need to be in order to run this product? Do you need someone with ten years’ experience writing custom code, or can you put a junior engineer on it with a few hours of training? The answer to this question, as with the previous one, is part of calculating the true cost of the product — and an indicator of whether you’ll still get results even if your best engineer isn’t available.
- Will the product support you throughout a risk-management lifecycle (i.e., through risk identification, risk assessment, risk mitigation, and risk monitoring)? What specific functionality does the product provide to cover this?
- How will this product help you differentiate between day-to-day activity and actual problems? Your security products shouldn’t hold your coworkers back from doing their jobs — and they won’t if you can readily determine what’s normal and what’s not. Ask yourself whether this product will slow you down or enable you to take action when it’s really important.
- If you’re compromised, what will your process look like? How will this product fit in? Everyone in security knows it’s not a question of if you’ll be breached — it’s when — and how will you respond? Mentally walk through every step of your incident response process and try to think ahead about exactly how the product you’re purchasing will aid you in that time of need.
- Does this vendor use their own products? If a vendor doesn’t practice what they preach, eat their own dog food, or drink their own champagne — it’s a sign of a weak product. Ask your vendor how they use their own technology and how it has helped create efficiencies for their own team. If they don’t have a strong story, think twice before you buy.
- What do you know about the vendor’s stability and performance record? Do a little research to determine how well qualified and reliable they are. If you can, and if it’s appropriate, check out their certifications, ask for customer attestations, and find out what you can about their performance on SLAs. Also, find out how long they’ve been in business. Alone these questions might not give you everything you need to know, but together, they create a very revealing profile.
- Does the vendor provide good Tech Support and good Customer Service? At no point do you want to be stranded if something goes wrong with the product or if you need further information on how to use it. So insist on high quality, 24×7 coverage in these two areas.
- Will this vendor continue to evolve as technology changes? Technological infrastructure looks almost nothing like it did ten years ago, and it will probably look completely different in another ten years. You need to know that your vendor has a product roadmap: you need to feel confident that the technology you’re choosing today will evolve alongside your company so you’re not wasting time and money replacing it a couple of years down the road.
Final Words . . .
Obviously, these aren’t the only questions you should ask about your security needs, available products, and vendors, but they will get you off to a good start. And if you do proper diligence, ask additional related questions, and treat security as a serious investment (rather than a checkbox requirement), you will be able to identify a cost-appropriate solution that meets your requirements, along with a knowledgeable, experienced, and trustworthy vendor who can support your current needs as well as the needs that emerge as you grow and evolve your business.
If you’re new to cloud security, download a free copy of our eBook Jump Starting Cloud Security. It explains how to get the greatest results in the shortest time — while laying down a foundation that will scale as your organization grows and your security needs become more complex.