Organizations are overwhelmed by the choice of cyber security tools in the market. They need to balance prioritizing and remediating vulnerabilities with managing their secure configurations. What’s more, many organizations are using hybrid clouds where they need to protect assets that are hosted both on premises and in the cloud.
This complexity requires a thoughtful approach to cyber security. Specifically, it requires that they spend some time figuring out what kind of solution they need, choosing a solution provider that fits their needs and then validating a solution before they elect to purchase it. Let’s explore these topics in greater detail one by one.
Settling on a Solution
You need a solution that you can depend on, that is able to provide you with necessary cyber security controls that minimize your exposure and improve your cyber security posture. Able to provide adequate coverage…affordable…easy to deploy…easy to learn…scalable…customizable…these are all just some of the characteristics that should factor into your decision-making process when it comes to purchasing a solution.
Simultaneously, it is important to filter out hyperbolic marketing messages from vendors, heavily-budgeted marketing channels and sponsored thought leaders’ representations, as these types of resources sometimes create an illusion of effectiveness.
Your solution-centric challenges don’t end there. They also extend to how you intend to use a solution. Even if you purchase one of the best tools endorsed by industry, poor implementation will help to ensure a poor ROI and potentially a weak contribution to your overall security posture.
You don’t want to be that company that purchases a product just for fad or compliance purposes and then lets it sit there as a “white elephant.” Instead, focus on the problem you are trying to solve. You will not go wrong. When choosing a particular security measure/tool that’s aligned with your cyber security strategy, leave it to the industry for assessment.
As Anthony Israel-Davis, Sr. Manager SaaS Ops at Tripwire, talks about in his blog, “Focusing on the critical controls that provide continuous security will be more beneficial than a breadth of tools adding noise to your system. Having enough trained staff on hand will reduce the cognitive load and ensure you have the expertise to get the value from the tools deployed.”
Deciding upon a Vendor
The choice of vendor is just as important as, if not more important than, the solution itself. A few considerations when choosing a vendor include the following.
- Look for a vendor with a broad product portfolio that gives you the ability to use solutions from the same vendor for various needs. Taking the time to do this makes management and enablement easier and more effective.
- Go with a tried and tested vendor who has been around for a while with a reputation of dependability and reliability that can provide the support necessary for you to be successful.
- Choose a vendor with the right training, enablement, support and engagement programs that allow you to stay current with new product features. They should also be available to help you troubleshoot and resolve implementation challenges.
Validating the Chosen Solution
Once you have identified a solution and vendor that work for you, it is important to take the step of validation. This is a multidimensional process that requires participation of various stakeholders as well as external agencies. Here are some guidelines on how to complete the validation step:
- Find out what others are saying
  - Seek reviews from fellow industry colleagues within the same region. A vendor that is highly regarded in one country might fail to replicate the same customer support in another. That is why local industry engagement and networking are so important; both will help you to obtain an accurate assessment.
  - When reading the assessments conducted by external agencies such as Gartner, Forrester or IDC, look at the overall picture such as depth of solution, complementary solutions, reputation and years in business—not just an arbitrary ranking.
  - Seek feedback from other customers who have been using the product. This will provide you with insights on things like what went well and what went wrong, how to prepare for deployment and things not to do. It can be quite beneficial.
- Conduct a Proof of Concept
  - If possible, it is always advisable to do a proof of concept to ensure that the solution addresses your needs.
The Major Decision of Investing in Cyber security
Cyber security is an investment—and a significant investment at that, I might add. Like any major decision, you have to make sure that you have done your due diligence in order to ensure that you can reap short-term and long-term benefits. A wrong cyber security decision could spell disaster for your reputation and the future of your company. So choose well.
This blog was co-authored by Yong Hong Ow and Baksheesh Singh Ghuman.