How can CISOs get past security vendor hype and make smart purchases?

Security vendor hype is a problem CISOs often have to deal with. Expert Mike O. Villegas discusses some ways to cut through the hype and make smart purchasing decisions.

CISOs have to make decisions about which vendors and products to use in their organization, but vendors aren't always straightforward in their explanations of their products and services. What advice do you have for making sense of vendor hype and their fear, uncertainty and doubt methods to choose the best security products for an organization?

There is no silver bullet for information security and compliance. Some vendor offerings are better than others, but all have limitations that will undoubtedly not be mentioned by the salesperson.

Salespeople praise the strength of their product's features, how it can increase productivity and scope, and the financial benefits realized if you implement it. What they do not tell you is that the total cost of ownership (TCO) far exceeds the cost of the product or service. They don't tell you that if you add a new technology, a simple API would be required to allow for its integration. They provide studies that "prove" there would be no significant impact on performance, availability, storage and memory requirements, or TCO. Is that lying? Or is that vendor hype?

Either way, they both result in the same unexpected budget overruns, performance hits, dissatisfaction or worse -- noncompliance or inadequate protection of corporate assets.

Vendors must make a living just like the rest of us. They will do anything within reason for a sale. A good salesperson will do everything in his power to convince you that his company's product can satisfy a need you might have, whether you realize it or not. We can't blame them for that; but if they extend the truth of their products or services beyond their capabilities, then that is clearly vendor hype.

The following steps can help minimize the chance of being a victim of security vendor hype:

  • Identify the need for a vendor product based on risk -- Risk can be measured by either security risk or compliance risk. Determine the proper level of protection necessary to secure mission-critical data and applications. Identify compliance requirements based on industry, regulations and laws, such as the Payment Card Industry Data Security Standard, the National Institute of Standards and Technology SP 800-53, HIPAA and so on.
  • Do not buy a security product on your own -- Never pay retail price. Negotiate a price that fits your budget and that still meets your need. Obtain management buy-in for procuring the product or service.
  • Perform more than one proof of concept (POC) in your environment -- A POC can never cover all the requirements and the entire scope of a production environment -- by its very nature, a POC takes shortcuts. This is acceptable for a POC, but not as the basis for a production environment implementation. Test more than one vendor product using the same selection criteria.
  • Functional POC testing -- At best, a POC can be a functional test, since it's typically not performed in the production environment. However, the POC should also identify, and test for, the functions and features the product does not provide. This helps size the scope of control the product actually covers and reduces the risk of frustration later if the product does not behave as you anticipated.
  • Calculate the total cost of ownership -- TCO combines the total cost of technology (TCT), the total cost of risk and the total cost of maintenance. Do not consider only the cost of the service or tool (i.e., TCT).
  • Don't listen to the fear, uncertainty and doubt (FUD) -- FUD can be used as an attention-getter, but not for prolonged justification of the procurement of vendor products and services.
  • Actively participate in the POC -- Commit to a level of engagement that matches your actual need. The vendor needs to see that the product addresses real business issues; otherwise, you may be perceived as not being serious, and as a waste of the vendor's time.
  • Review key success metrics -- It doesn't need to be perfect to have value. Address the core business issues and ensure you can show value on the key success metrics you define within your POC scope.
  • Check vendor references -- References should be comparable customers in size, complexity and, preferably, industry. Calls to those customers should not include the vendor, so that, as much as possible, candid conversations can ensue.
  • Schedule procurements at EOQ or EOM -- Salespeople have sales quotas at end-of-quarter and end-of-month. Schedule procurements to leverage better deals for the product or service selected.

Lastly, do not waste a vendor's time if you have no intention of purchasing their product or service. We all know that management, at times, requires multiple bids when, in fact, you already know which product you want. That said, become familiar with your information security needs for protection and compliance. Research which products have the capabilities that will satisfy those needs, and work within your budget to identify the vendor solutions worth putting through a POC. These steps will allow you to sift through the security vendor hype and focus on making the right selection.



This was last published in February 2017
