Making sense of conflicting third-party security assessments

Research reports from Enterprise Strategy Group, a division of TechTarget, reveal that organizations value outside guidance, including analyst recommendations and independent, third-party testing reports. Yet, outside testing often includes conflicting results, so how do security teams sort through these assessments to find answers that best fit their individual needs?

All too often, security architects come to analyst firms looking for recommendations with the expectation that we will be able to share our "favorite" solutions based on all the research we do. We are often asked to recommend specific security vendors and products to satisfy the needs of individual organizations.

As industry analysts, we have tremendous visibility into what security vendors and product suites are available, including great detail about specific capabilities, customer experiences and partnerships. However, we don't have the same level of insight into the specific strategies and needs -- current and future -- of individual organizations and associated security teams. One thing we do know is that there is no one-size-fits-all in the security industry. Here are five reasons why:

1. Every organization has its own, unique attack surface to defend. This includes some combination of devices, workloads, SaaS applications, partners, locations and networks.
2. Security leaders develop specific, individual strategies in support of their organization's security objectives.
3. Risk posture and tolerance vary widely across organizations of all sizes, industries and competencies.
4. Resources and skills vary dramatically across organizations, as do staffing models associated with security operations.
5. Growth trajectories of different organizations impact scale and scope requirements, driving some to focus more on openness, while others focus more on convergence and reduced complexity.

Despite the best efforts of industry analyst firms and other third-party testing organizations, few can make accurate predictions about which security options fit the specific needs of individual organizations. In my alternate life, I play in a classic rock band, so I'll use a hokey analogy to make the point. The famous song "Looking for Love in All the Wrong Places" reminds us that, despite what others might find a perfect fit or think might be a perfect fit, to find love, people have their own unique personality, quirks, expectations, goals and lifestyle. Careful attention to all of these individualized needs ultimately leads to finding true love. Maybe a bit oversimplified -- OK, not that finding love is simple -- but finding the right security solution provider requires careful attention to the specific needs, objectives and strategies within each organization.