Cut through cybersecurity vendor hype with these 6 tips
Cybersecurity vendor hype can make purchasing decisions difficult. When considering a new product or service, think critically about whether it would truly add business value.
To protect themselves against today's constant barrage of security threats, organizations turn to an ever-increasing array of products and services that promise to safeguard their systems and data.
Cybersecurity vendor hype and marketing jargon can make it challenging to determine which tools have substantive value and relevance for a given organization, however. Just because an impressive new product or feature exists doesn't mean adoption makes business sense for every enterprise. Before making any new investments, cybersecurity leaders should first assess and prioritize their own unique, risk-based security needs. After clarifying their requirements, they can start to navigate the complex cybersecurity market.
In considering a new tool, the first step is to establish what, on a practical level, it actually does -- which is often more challenging than it sounds. When talking to a vendor, try the following tactics:
Request a detailed, technical explanation of a product's or service's core functionality.
Ask to see a practical demonstration of the tool.
Request real-world examples that illustrate how the product or service can mitigate specific threats on the ground.
Explain the organization's security environment, and ask how the tool might specifically address its most pressing challenges.
Use the information from these conversations to gauge a tool's effectiveness and how well it aligns with organizational security needs.
In considering a new tool, the first step is to establish what, on a practical level, it actually does.
In particular, consider whether a tool would duplicate the functionality of technology already in deployment. Tool redundancy not only wastes resources, but also increases complexity and introduces potential compatibility issues.
Then, identify any portfolio gaps the new product or service might successfully address.
3. Consider the long-term cybersecurity vision
Security pros should not evaluate a tool or service solely on its immediate benefits, but also on how well it aligns with an organization's long-term cybersecurity vision and strategy. The following questions can lead to important insights:
How well might a given tool evolve to reflect the shifting threat landscape and the security program's changing needs?
Does the tool integrate with other products and services the security program plans to adopt in the future?
Investing only in technology that aligns with the organization's long-term cybersecurity vision ensures scalability, reduces the risk of vendor lock-in and provides a solid foundation for future growth. Like Wayne Gretzky -- who famously aimed to skate where the puck was going, not where it had been -- try to anticipate where security threats are heading, not just where they are today.
4. Seek independent evaluations and reviews
Rather than rely solely on vendors' claims and marketing materials, seek out independent evaluations and reviews of the tool or service in question. Trusted sources, such as industry analysts, cybersecurity experts and peer organizations, can provide valuable insights based on their hands-on experience and unbiased assessments.
Industry conferences often offer particularly good opportunities, both in formal sessions and informal conversations, to learn about peers' experiences with new security products and services.
5. Request proof-of-concept testing
Before committing to a significant investment, request a proof of concept (POC) or trial period from the vendor. A POC enables the security team to validate the vendor's claims, evaluate a tool's effectiveness within their organization's unique environment and assess its compatibility with existing systems and processes. When pressed, most vendors with effective products happily assist in setting up free trials -- and, certainly, security leaders should insist they be free.
Before a POC, be sure to establish specific requirements from any business units the product or service would affect. During the trial, involve relevant stakeholders and subject matter experts to get feedback and assess the tool's performance against specific use cases.
6. Evaluate total cost of ownership
While the initial cost of a cybersecurity tool may be apparent, it's crucial to consider total cost of ownership over its entire lifecycle. Evaluate all associated expenses, such as licensing fees, maintenance costs, training requirements, integration costs and ongoing support. Consider also any potential impact on the organization's operational efficiency and productivity.
Finally, establish whether the product might need to temporarily run in parallel with another legacy system it would ultimately replace. If so, account for any duplicated functional costs during the transition period.
While it is worthwhile and important to consider new cybersecurity products and services, teams need a diligent and strategic approach to cut through the inevitable vendor hype. Preparation and coordination among peers and business units enable informed purchasing decisions that truly add business value.
