In a SaaS world, everyone wants to move fast! Rapid development can slash time to market and put you in a strong competitive position, and of course this is the way to operate as long as you’re not sacrificing quality. But remember: There’s bad fast as well as good fast. Too often we jump into projects, or we’re pressured to jump in before we’re ready — before we have all the necessary information and a clear understanding of what that information means.
Think of the old proverb: measure twice, cut once. Moving fast can be good, provided you have controls in place to ensure that you're doing the right things.
So when you’re in the market for a cloud security solution, take the time you need to specify (and verify) detailed requirements for your organization, and then rigorously evaluate vendors for their ability to meet these needs. Move fast by all means (you do need to secure your organization and ensure that your business is viable), but before committing budget and resources to a solution, take time to create a detailed understanding of:
- Your main security goals
- Your priorities for creating a secure SDLC and tech stack
- Which vendors can actually deliver on your organization’s particular requirements
If you do, you’ll be less prone to errors or gaps in your requirements and less likely to be confused or swayed by vendors’ claims about their products. In positive terms, you’ll be much more likely to address your technical, operations, security, compliance, and business needs both now and as your organization grows over time.
The Requirements Specification & Vendor Selection Process
For guidance with the requirements gathering process, you can download our Cloud Security Requirements Analysis Worksheet & Workbook.
Ideally, you should start requirements gathering well before you approach a vendor. Otherwise, vendor buzzwords and jargon, combined with your own lack of clarity, could lead to problems. You might conclude that a vendor has your requirements covered when in fact the meaning the vendor assigns to a term (serverless, containers, or machine learning, for example) differs from what you understand by the same term.
Once you've gathered requirements, you can prepare to speak with vendors. Choosing one before doing a proper analysis and question-and-answer session could lead you to the wrong choice, even if you trial their products for some period of time before adoption. That can mean wasted time and money, especially if you have to repeat the whole process with another vendor.
As final preparation before you complete the Worksheet and/or Workbook, take a look at the following seven points that we’ve provided as pointers and best practices:
- Take your time: Once again, we recommend that you take plenty of time gathering your requirements and crafting meaningful questions for vendors before you actually speak to them.
- Consider your threat landscape: Many items in the Worksheet are designed to get you thinking about the assets you have in your cloud and tech stack and how they might be compromised or attacked. Good threat modeling will assist with this.
- Define buzzwords as they crop up: Many terms in the cloud security space mean different things to different people (serverless, containers, machine learning, and application security, for example). Think about what these terms mean to you and your colleagues, and ask specific questions based on that understanding to ensure that you and the vendor are talking about the same thing.
- Think about your entire software life cycle: Consider your complete SDLC and how each part of it can be at risk from cyber threats. This life cycle includes writing your code, building it, testing it, deploying it to production, and monitoring it. Also think about the kind of security training or recommendations you expect in a solution and where it fits in your overall DevSecOps program.
- Factor in time and budget: Can you manage a security solution yourself with the team skills and budget you currently have, or do you need someone to handle that for you either now or over time?
- Align your compliance needs with vendor capabilities: Don’t forget about compliance. Know your compliance needs and how they map to what you expect a solution to provide. And don’t be lulled by generalized phrases like “our solution supports XYZ compliance.” Ask probing questions, and determine very specifically how the product helps. If someone claims they provide “continuous compliance in the cloud,” for example, ask questions that will help you determine precisely what they mean by this.
- Ask whether you can speak to reference customers: The direct experience of a customer can be very revealing, so ask the vendor if you can speak to one or more current users of the solution.
If you follow these pointers and best practices, you will be well positioned to perform a sound analysis, minimize wasted time, money, and errors, and choose a cloud security solution that suits your organization's needs. Investing in a solution has a big impact on your organization. Do your best to get it right the first time so you can avoid operational weaknesses downstream, along with the additional time and expense needed to rework, augment, or replace systems.