RSA is upon us, which hosts arguably the largest gathering of IT security vendors under one roof. For many attendees, the sheer volume of vendors can be overwhelming. Making sense out of products, understanding what they do, and what differentiates them all is no easy feat.
Even when a potential buyer knows the security product they are after, knowing what questions to ask, or how to evaluate the vendor can be challenging.
So we asked notable experts in the field who have purchased security products what their top three considerations are when choosing to splash out their cold hard cash on security products. Here are our findings:
CEO, BH Consulting
- Does it have a reputable track record in addressing the issue it is being implemented for? This means researching independent reviews of the product, talking to existing clients who are using it, and seeing if it is being used by respected peers in the industry?
- Does it address the business issue/risk that needs to be addressed? It is not just enough that it can technically address the problem, but how easy is it to deploy, maintain, and manage? Is there a good support structure provided by the vendor, or if open source is there a strong community behind it or the possibility to pay for support for it. And finally, what additional costs are involved such as hardware, training, support, and upgrades
- Last, but not least what is the reputation of the provider and its ability to deliver? Is the vendor recognised and respected in the industry? This does not mean you have to stick to traditional vendors or adhere to the “no-one got sacked for buying IBM” mentality, but do check the vendor has a track record in delivering what it sells, that it has respected experts on staff, and that it has some clients that are similar to your business and challenges.
Principal Consultant, Voodoo Security / SANS Institute
These answers assume that the product has been vetted and presumably functions as promised.
- While sort of "meh" - Do I have budget? This HAS to be a consideration.
- Can I demonstrate a return on investment within 6 months? This is usually measured in operational time spent.
- Is the vendor going to be a partner to me? Will they treat me like a number, or work with me to help me succeed?
Managing Partner, YL Ventures
- Strength of the team (building the security product)
- Total addressable market (must be over $1B within about 3 years)
- Competition (relatively scant; no existing 800 pound gorillas)
Information Security and Risk Executive
- Meeting Functional and Non-Functional Requirements
- Cost and Ease of implementation
- Overall fit with the Enterprise Architecture blueprint (covers all aspects from future proofing perspective)
Partner, Boston Meridian
- Long term vision of the product so that it can continue to keep up with the newly emerging threats
- Its current ability to show least false positives and stop real threats.
- Least Total Cost of Ownership
Senior Analyst, 451 Research
- First, they must use buzzwords properly. I’m not buying anything from a company that thinks an APT is something that can be injected into a packet. Everyone kinda has to use the buzzwords, so at least use them properly. If a company can’t keep up with the lingo, why should I think they’re keeping up on the product/service side?
- Second, how flexible is the product? Does it integrate with other products? Does it have an API? Is it highly configurable, or a complete black box? Do I have options on how to manage and deploy it? In other words, do they have MSIs I can deploy with Microsoft SCCM? Do they have on-premises and in-cloud management console options?
- Finally, has the company hired a third party to perform due diligence on their product? This could be a custom engagement with someone like IOActive, or even a public bug bounty with HackerOne or BugCrowd. I’ve even seen hackathons at security conferences that are kind of like informal bug bounties. Whichever is used, a security company needs to make sure their own product is secure before they start selling it to the public, and getting someone outside the company to review it is an important part of that process.
Principal Security Strategist, Duo Security
- Do we have a chance in hell of being able to deploy it?
- How much does it cost (both up front and over time)?
- Does anyone I trust use it too?
CISO, Publicis Groupe
- Relationship with the people in the company
- Is it compatible with Mac?
- Will I ultimately get fired for choosing this product?
Security Awareness Advocate, KnowBe4
- Capital cost vs reduction in risk (should be solving specific issues, preferably more than one)
- Operational cost including maintenance and FTEs to manage the product
- Ability to work well with other products already deployed
Product & Solutions Security Officer, Siemens Wind Service
- What certifications (IEC, ISO, NIST, NERC) does it comply with and how?
- What is your vulnerability notification procedure?
- What is the Return on Investment and mean time between failure?
Independent Information & Cyber Security Consultant
- Will it actually help to resolve the issues we have - I want to see a PoC
- How much resource will it take to get it up and running to be useful. Resources as in man time, tuning, effect on existing team’s productivity etc.
- I'd like to see some real life case studies from my sector - I want to see evidence from the coalface and also how it compares to competing vendors.
Director of Information Security, Canon EMEA
- Does it actually work and does it resolve the issue that I have. Too many procure products that fix the wrong problem. Additionally the InfoSec product world is filled with products that work better in PowerPoint than in the real world.
- Does the product integrate with what I have and can the team that will support it - support it. Too many products are great at what they do, but playing nice in the corporate environment has been bolted on as an afterthought. If the Windows team are to support it, it has to integrate into AD seamlessly and natively - else the support team will hate it. If the support team hate it you may as well dump it.
- How much is it? Is it worth it? Too many InfoSec products on the market today are way too expensive given 1 and 2 above and whilst I appreciate you can discount if the cost of the product is 10x the risk then what should I buy it?
Armed to the teeth
Now you can walk into RSA, or other conference, or meeting with a vendor armed with some useful questions from the experts.
We’d also love to hear some of your ideas, feel free to share them with us on social media, or pop over to the AlienVault booth if you’re at a conference we’re at (booth 1215 South Hall at RSA 2017) and we can share some ideas whilst sipping over our world-famous refreshing cosmic cocktails.