How to Buy Cybersecurity
04 Apr
A central theme of the so-called paradox of choice is that too many choices can lead to decision paralysis.
There is a dizzying array of choices in cybersecurity products and services, according to a recent CyberWire podcast, Buying Cyber Security: A CyberWire Special Edition.
The podcast highlighted viewpoints from technology decision makers across organizations large and small: a global telecom carrier, a government agency, a small business with regulatory requirements, and a large consulting firm that, in part, advises clients on cybersecurity purchases.
Collectively, the participants offered sound advice for evaluating and procuring cybersecurity products, including the following:
1) Understand the business purpose for a security product.
Buyers and vendors alike should place greater emphasis on the business problem and on how a given product fits into the overall solution mix. Ms. Mossburg noted this is especially important in vertical markets, because “the type of adversary” can vary with the unique attributes of each vertical market.
2) Integration of security products is growing in importance.
A few years ago, according to Ms. Mossburg, much of the attraction in purchasing new security products centered on new features and functions. While better monitoring and intelligence remain inherently important to cybersecurity, the trend is tipping toward integration.
Dr. Emma Garrison-Alexander, a former CIO for the Transportation Security Administration (TSA), agreed. She added that managing the integration as the environment evolves is equally important.
3) Start by talking to people you trust.
Chances are that whatever cybersecurity problem you’re trying to solve, you’re not the first to face it. As such, asking people you trust is a good place to start the search for solutions.
That’s how Vilas Naralakatt of Pinnacle Advisory Group got started in his search for dual-authentication technology, according to the podcast. An independent security advisory firm pointed him toward a product it both used and recommended.
With 50 employees, Pinnacle is a small business, but its focus on wealth management means its technology and security products must meet both the needs of the firm and regulatory requirements. For example, data transmitted to and from clients must be encrypted both in transit and at rest.
4) Trust but verify: proof of concepts.
While recommendations and referrals are a good start, Mr. Naralakatt said nothing replaces testing the software or technology. His firm examined products that “sounded great on paper,” but rigorous testing demonstrated these didn’t quite fit the firm’s needs. Consequently, his company “went in a different direction for the dual authentication pieces,” and perhaps avoided an expensive mistake.
Ms. Mossburg also emphasized the importance of a proof of concept, pilot or bakeoff. She observed there are often “a lot of small details” and complications that go overlooked until a product has been tested, and tested at the same volume and speed it will need to handle in a production environment.
Alerts, logs, the flow of data, speed, and interoperability are some of the aspects Ms. Mossburg cited as examples to test. She said clients sometimes go into such proofs of concept thinking they have a clear leader in mind, but emerge on the other end of the test with a very different perspective.
“Nothing as good as actually doing it,” said Michael R. Singer, executive director for Technology Security at AT&T. The best way to learn is “to have real data and real traffic.”
5) Product scalability matters.
Scalability may be one of those words used too liberally in technology circles, but Mr. Singer said scale really matters. For a global telecom carrier, the magnitude is sometimes exponentially greater than what some of the new security technologies are prepared to handle.
“We’ve probably bought one of everything along the way,” Mr. Singer said. That experience has, in part, helped the company learn to distinguish products that can scale from those that can’t very early in the review process.
6) Separate hardware and software.
“This is a big one,” said Mr. Singer, suggesting this has been a long-standing requirement in cybersecurity. Many businesses want to run software on hardware they have selected themselves rather than be forced into a solution that bundles the two together.
7) Consider the service after the sale.
All the speakers agreed that service after the sale is an important consideration. Dr. Garrison-Alexander warned of “incumbent-itis,” where an existing vendor becomes “lackadaisical” after obtaining a contract.
For Mr. Naralakatt, that means transparent communication. If a vendor finds a vulnerability in its software, for example, he’s more confident in the relationship if the vendor notifies him and tells him what it is doing to fix it.
Ms. Mossburg’s comments also centered on communication. She said clients want to be heard and feel like their concerns are being acted upon – even after deploying a product in a production environment.
Strategic Tech Engagements to Navigate Choices
Strategic engagement organizations are one of the more interesting ways larger organizations are staying abreast of developments. Mr. Singer described a program called AT&T Foundry, an organization that facilitates “outreach and fast pitches” for startups. The website for the program lists several “foundry” locations around the world, in technology hubs like Palo Alto, and says it meets with 500 startups annually.
He said the AT&T leadership “deliberately asks us to look at small innovative players” to examine what those firms are doing differently. The company strives to understand how new innovations can help the carrier solve a business problem more efficiently or effectively.
Similarly, the TSA maintains a “strategic engagement organization” with a similar mission: to engage small but innovative companies, according to Dr. Garrison-Alexander. Her budget, while large ($450 million annually, with “purview” over an additional $278 million in technology spending), also comes with a lot of requirements. While the government “doesn’t move fast,” strategic engagements were a way to stay in tune with innovation, keep incumbent vendors on their toes, and help fulfill the government’s desire to contract with small businesses.
Arguably, such strategic engagements are a proactive way to navigate the myriad options, make better cybersecurity procurement decisions, and certainly to avoid the paradox of choice.
Photo credit: Flickr, Danny Oosterveer, Online Security (CC BY-ND 2.0)