Today’s typical organization overflows with a cascade of overlapping security devices and tools. Protecting the business and its accompanying data practically requires it: Organizations have to be on the lookout for internal threats, external threats, network-borne threats, threats from mobile devices, IoT devices, and cloud-connected services, malware, ransomware, and denials-of-service. Our organizations use apps based on insecure code and maintain customer-facing websites that won’t accept passwords longer than 12 characters (it might be inconvenient for our users, you know). It’s no wonder, then, that security layers defenses. Because no one “tool to rule them all” exists (or ever will), the tools market has exploded to offer various and sundry security solutions that can help the organization better protect against threats. In the market’s quest to provide everything to everyone, though, we’ve ended up with a technology landscape that is confusing and repetitive. Marketing claims are bold, and often it’s easier for a security team to buy (or lust after) the most promising new tool than it is to re-architect systems or commit to the basic blocking and tackling that is required (but boring).
Regardless of the space or situation you occupy in your security career, at some point you’re going to have to evaluate and/or buy new technology. While no security product alone will prevent incidents, tools are necessary to get the job done. Just like you can’t build a house without laying a foundation of concrete, block, brick, or stone and erecting framing out of wood, steel, or brick (see? Lots of options there, too), security organizations need the raw materials with which to work.
‘Cause the boy with the cold, hard cash
Buying security tools should be straightforward: You identify a problem, then you find a vendor that makes a product that helps with the problem, right? Anyone who’s ever been through a security evaluation or purchasing cycle knows this is far from the case. Vendor marketing teams try to differentiate themselves, and in doing so often muddy the message so that it’s hard to determine—without engaging in sales conversations, demos, and being auto-subscribed to email promotions—what’s on offer. Prospective customers might get a better answer to, “What does this really do?” by speaking to an engineer, but the prospect is first compelled to wade through layers upon layers of sales and marketing jargon.
According to Raef Meeuwisse, Director at Cyber Simplicity Ltd. and author of “Cybersecurity Exposed: The Cyber House Rules,” the evaluation and procurement process for security tools need not be quite so laborious. Meeuwisse breaks down how to buy security products into 8 steps, which are detailed below.
Is always Mr. Right
First things first: Before considering buying a new security tool, the security team must have a keen understanding of the organization’s requirements, says Meeuwisse. Surprisingly, far too many teams head into product evaluations without a full comprehension of the threats which require combatting. “To be effective,” says Meeuwisse, “you need a product that matches the organization’s requirements, but first you need to know what those are.”
Research, therefore, is two-fold. It is based on internal requirements gathering and then examining the tools market—which companies offer what tools, with which features and functionalities. Meeuwisse warns, “Companies who’ve sold great products in the past garner current market share,” but that doesn’t necessarily mean the big name is the best fit for your organization. Instead, he says, an effective product is one that will be able to return a demonstrable effect on risk exposure. Look into many options—not just the name brands—before creating a list of potential tools for your organization.
Once research on what’s available has been completed, try to determine the extent to which the shortlist of products will make a significant impact if implemented. Gather data (not just from the vendor itself) on expected risk reduction, and review the organization’s current capabilities to find out if that technology is already being subsumed into another security technology. Often, says Meeuwisse, “Good security ideas become part of a bigger bundle,” so if the organization already has a tool that offers the same capability—or that can be configured to—don’t waste precious budget on buying the newest thing. Unless your organization has oodles of money to spend on replacement, see if what you already have in your arsenal can do the trick, either because it already exists and you’re just not using that feature, or because the vendor acquired a company and can “turn on” that capability for significantly less cost than buying a different product.
Whatever the situation, verify that buying or turning on the feature/capability/product has a positive impact on the security of the organization in terms of risk reduction.
3. Update architecture plan
Companies often consider buying new technology because they’ve determined a need, but fail to update existing architecture plans to accommodate implementation of the new tool. It’s imperative to understand—ahead of time, if possible—how new technologies will be deployed, says Meeuwisse, so that additional costs and disruptions will be minimized. It is fruitless to deploy a new tool that can accomplish X, Y, and Z if it breaks the tool that manages A and B.
If it is determined that breaking A and B is OK, do your best to anticipate the situation and put compensating controls in place to manage the effort.
Additionally, Meeuwisse adds that, “Reviewing your architecture can also help you to understand if you have any notable gaps—Are you buying lots of the same type of security products or truly providing adequate coverage across your digital landscape?” Buyers (of any product, not just security) often fall into a rut and focus on the things they like or the things that are immediately top of mind. In the security realm, this could lead to an environment chock full of network security tools but lacking technology to secure mobile and cloud data, for instance. An asset inventory and architecture review will help the organization identify overlapping products and highlight areas where new or complementary technologies are needed.
Budget for new technology isn’t only about the purchase price. After the architecture plan has been reviewed and updated, says Meeuwisse, you might find existing tools or technologies to decommission, saving the organization money. On the flip side, you might uncover areas where additional tools or resources need to be added, or updates and reconfigurations need to happen, racking up dollars faster than a credit card on Rodeo Drive. Whatever your particular situation, plan for the unexpected.
5. Rent, don’t buy
The market is moving too quickly, says Meeuwisse, to commit to multi-year technology deals. Though it’s in the best interest of the vendor to lock your organization into a long-term plan, and you might be offered substantial discounts to do so, there is no reliable way to predict the future. In a market like security, where smaller vendors get gobbled up and larger companies add on capabilities once they become mainstream (think: threat intelligence tools), the benefit of a long-term agreement is solely with the vendor, not the buyer.
Furthermore, companies aren’t increasing security budgets year-on-year (much to practitioners’ dismay), just rebalancing. “You can’t rebalance your budget if you’ve committed to a 5-year subscription for an ineffective or antiquated tool,” advises Meeuwisse. Don’t look at multi-year deals right off the bat; “renting” for one year (i.e., signing a single-year contract) might be more expensive than buying for three, but if the company has locked into a long-term contract, when problems arise, the company will have little to no recourse or flexibility. Even with cancellation clauses written into contracts, the company will be dealing with headaches and negotiations should you need to opt out.
Try before you buy is the name of the game. If you do end up buying security products, ensure you’re not being subtly coerced by promises of savings. In the long run, the company might spend more on fixing, replacing, or compensating than the discount initially applied.
Many companies buy security products only to have them sit in virtual shrink wrap for months on end, quips Meeuwisse. This is often due to a lack of planning (see step 3, above). As the security team is undertaking an evaluation of new security products, ensure resources—including people and time—are allocated for implementation. Earmark more than you think you’ll need. Then get it done. Purchasing shelfware won’t benefit the security of your organization, nor will it help you fight for budget the next time you try to convince the CEO and CFO you need $1 million for the next security product that will save the day.
Now that the security tool is implemented and configured to the organization’s specific environment, determine its impact. “Set and forget” is never a good security strategy, and the tool, by itself, won’t secure the organization’s assets.
The security team must measure what effect, if any, the tool is having. For instance, Meeuwisse offers that the security team can measure risk reduction, rates of detection, number of blocks, number of alerts (seen and managed), if the organization is handling a lower number of incidents as a result of implementation, etc.
The key here is to measure whatever changes matter to your organization (which is why metrics in security are so hard—there isn’t one measurement that says “You’re doing great” for all organizations. Success is individual). If you’ve taken the time upfront (step 1) to establish what success means to you, measurement will be easier. You might uncover some unanticipated surprises along the way, but don’t enter into a purchase without any idea of the goals you intend to accomplish. Ensure, too, that the security team is able to communicate changes outside of the security group. The business always wants to understand its return on investment, and it’s your job to provide the details they need. Doing so will also help when security desires funding for future initiatives.
8. Repeat and refine
Unfortunately in security, says Meeuwisse, there’s no end to the security product purchasing cycle (imagine how barren security conference expo floors would be if there were). Evaluating new products is a continuous activity, considering the emergence and evolution of technology, and security environments require constant monitoring and assessment. Keep a steady eye on the product market to see what’s emerging and what might benefit your organization. Then return to step #1 and do it all over again.