Jason Lamar, Sr. Director, Product Management, Security Business Group, Cisco
Security professionals are under a lot of pressure to stay on top of the latest developments. Nobody wants to say, “I don’t know,” when their boss asks them about whatever buzzy topic is making headlines in the tech journals this month. And, let’s be real, new tech is fun for us. If we didn’t get excited about the potential of groundbreaking technology, we wouldn’t have chosen careers in security. It’s easy to get caught up in the excitement around the shiny new things at the RSA Conference.
But new isn’t always better, often shelfware, and there’s a good chance you already have products in your stack that will deliver the same benefits. I’ve met enterprises who literally buy one of everything from seemingly everybody and still tell me they aren’t getting the full value out of their security operation.
If you already have 40 vendors, will adding a 41st help or hurt your security posture? I suppose it can fill out your lunch-with-vendors schedule, but can you really operationalize another? Are you confident you can properly configure your new product, or are you worried about creating gaps when you install products you don’t have the ability to fully learn and understand?
A lot of the products in your security stack were purchased based on a single feature in a single category. That leaves a wealth of potential benefits that go to waste, taking a chunk of your budget with them. This particularly happens among companies in the earlier phases of the maturity curve; they’re still struggling to operationalize standard controls like multi-factor authentication, but they continue to spend on new products in hopes the next purchase will advance them along the curve. But it won’t, unless they have the time, skills, and budget to make comprehensive changes.
Your security team has a finite amount of resources, and those resources are divided every time you add a new product to your security stack. Adding layers of products without a strategic plan isn’t defense-in-depth: it’s spray-and-pray.
Innovate or integrate?
Choosing a niche vendor or a startup is risky. Of the 300 cybersecurity startups that launch each year, few survive long enough to make it to IPO or acquisition. Some just fold, leaving surprised customers scrambling to fill the gap in their stack.
If you decide to become an early customer of a startup cybersecurity vendor, you’ll pay with more than a check. You’ll pay with your time. A lot of smaller vendors are still building out their product portfolio, and they depend on you, their customer, to give them feedback and direction. Do you want to spend your time helping a company in which you have no stake, or do you want to devote your time to executing your own strategy?
Buyers may overlook larger vendors, because they have the misconception that brand leaders only do one thing. No big vendor does one thing anymore-their solutions are designed to integrate new technology as it emerges. Integration allows you to be innovative in your own environment, since you can orchestrate systems that are truly tailored to your needs.
Plan before you go
Take some time to prepare for your visit to RSA. The sooner you can get through the vendor talks, the sooner you can get to the networking and learning that help your career. Here’s how to prepare:
1. Prioritize your gaps – Know your greatest security issues and be prepared to have in-depth conversations with vendors about your specific environment and your business goals.
2. Check your existing inventory – Set up an internal process to ask your team if they’re using everything you already have and, more importantly, if they’re using each product to its fullest capability. Their answers will reveal whether you need to shop for the latest innovation or simply turn on useful features that have been gathering dust in products you’ve already paid for.
3. Know your budget — You don’t need exact numbers, but have a ballpark budget. If a solution is priced out of reach, move on. There will be plenty of other options.
4. Bring a shortlist of vendors that starts with your current providers –
Before you talk to 20 startups, take your list of controls to your current vendors’ booths and ask if they can help. You may not know that your routing vendor also has a killer endpoint security solution.
Recognize your power
Seasoned security professionals know the difference between “slideware” and solutions that help their businesses. Everyone enjoys a good tech demo, but a demo built to show off features isn’t going to help you understand whether the product will deliver the controls you need in the environment you have.
Bring your list of controls, needed outcomes, and possible vendors, and be ready to ask hard questions. If a vendor can’t look at your shopping list and address the specific ways their product will strengthen your security stack, walk away. As a customer, your time is your power.