Knowing how to approach buying from cybersecurity vendors is a difficult task. There’s a lot to manage internally (budget, needs, fit), and it’s hard to know what kind of vendors or solutions would serve your organization best. The fear, uncertainty, and doubt (FUD) that cybersecurity vendors trade in is especially troubling. It’s hard to know which vendors are just preying on fears, which are just good at marketing, and which ones will actually solve your problems.
Fortunately, we spoke to Vikram Phatak, CEO of NSS Labs, who provided a great understanding of how companies should approach cybersecurity vendors. But first, some context.
“The days of people doing this by themselves are pretty much over.”
Phatak encourages companies to think about outsourcing their security because what an average organization (regardless of size) needs to protect has increased exponentially, even compared to just a few years ago. There’s too much complexity in an organization, and new technologies and platforms, such as cloud services and connected devices, make it nearly impossible for a single department to defend everything.
On the other side of the coin, attackers have become more sophisticated in their techniques and in which attack vectors they target. This requires organizations to consider various solutions or technologies that all communicate with each other, so there’s no gap in protection or visibility. Again, because of how complex this can be, it’s often better to consolidate processes into a single management solution.
Phatak outlines three levels of threat organizations face.
Untargeted Attacks (“the everyday stuff”)
Most companies fall into this category as the subject of “spray and pray” style attacks. Think broad-scale phishing attempts or credential stuffing against employee accounts.
If your organization is part of a high-risk industry (say, finance or healthcare), you might fall into the second category. Criminals may target individuals in your organization and/or impersonate key individuals or websites.
The third category might apply if your organization works with the government. For the purposes of our discussion, we’ll consider most organizations as falling into the first two buckets.
Another important consideration is your organization’s size. Phatak provides a good breakdown.
Small (Less Than 1,000 Employees)
Phatak recommends working with a partner, particularly one that has a cloud security solution, so they can manage security for your environment. While a small organization can invest in certain technology staples such as antivirus, endpoint protection, network protection, and a firewall (Phatak points to Microsoft’s standard security solution as being good enough), a partner should be able to take care of anything that a tool or solution can’t do.
Small organizations usually can’t devote budget to a team or individual who can handle all of the responsibility necessary for proper cybersecurity. A partner is likely to be the best option, and you can work with them to understand what you can manage internally and what they’re responsible for.
Medium (1,000-2,000 Employees)
Medium-sized organizations can take a hybrid approach of having a small infosec department (or even a single individual) whose main responsibility is to oversee, manage, and delegate outsourced contractors or vendors. Even at this size, there’s still not a lot of room for dedicated security practitioners or managers.
Compared to smaller organizations, medium-sized companies should expand the breadth of solutions they’re considering (such as network, endpoint, and breach protection solutions). They should also start considering policy and enforcement tools and solutions, which will come under increasing scrutiny as the organization grows.
Enterprise
Enterprises have the budget and staff available to create a robust security department, but Phatak stresses that “where or when you can offload labor, you should. For example, you can lean on Microsoft to analyze and encrypt email on external servers. It makes risk & compliance happy and it’s something that you don’t have to think about.”
Enterprise companies are really making decisions around functions and responsibilities. Phatak says that an important question to ask is “Who’s doing what?” when considering your internal staff and departments, partners, contractors, solutions, and vendors under the security/risk umbrella.
For the most part, your security department and Security Operations Center (SOC) are dedicated to performance management and ensuring everything is running well. Adding more tools and solutions may not always affect the security team in a positive way. Phatak acknowledges that there’s never enough budget, and even if there were, enterprises face a different challenge when it comes to solutions and vendors.
“Every time you buy a product, it makes more work for you.”
When considering purchasing a new vendor or solution, ask yourself two main questions:
Phatak has some key advice.
“Think about what it is you [or your team] want to be doing. Think about the things you don’t want to do. Try and find a solution that allows you to offload responsibility or labor. Otherwise, there’s too much.”
It may be that a managed security services solution has more experience with your industry’s specific challenges or protects a section of your environment your team can’t focus on at the moment. By letting your vendor fill those security gaps, you can improve the effectiveness of your department.
At the enterprise level, you’ll face unique challenges and scenarios no other company will. That’s why your team or SOC needs to focus on building and deploying new solutions tailored to your enterprise. While you’ll have solutions focused on intrusion prevention, breach detection, and endpoint detection, they won’t match your environment precisely. That’s where your internal team comes in, becoming your bespoke infosec department that tailors your security approach specifically to your organization.
Find people on your team who will give you references and a better idea of what your organization needs. It’ll help you identify the kinds of processes or tasks you can outsource. You also need to assure your team that you’re not trying to replace their job or function, but instead looking to give them more impactful work.
Get them to understand how this will change their responsibilities and day-to-day tasks. Be sure you’re framing it in the right way or you might get some internal pushback. “Employees need to see that it’s about deploying resources,” Phatak says.
When speaking to a partner or solution provider, make sure they have the right qualifications for your organization, your industry, and what your organization needs defending and how. If you’re considering a partner or outsourcing some work, always talk to the person who would perform or manage the work on a day-to-day basis. Ask them what their process is and how their particular solution, vendor, or tool will help address your organization’s needs.
“If they articulate specifics, what they do, what the process is, what action they’ll take and you [find yourself] agreeing with them,” Phatak says, “you’re probably talking to the right person.”
However, if you find that they’re just throwing numbers, buzzwords, and marketing speak at you, consider moving on to a different option or see if you can talk to someone else in that organization.
Phatak largely pushes back against the fear-based and one-solution-fits-all kind of marketing that vendors fall into. He stressed that companies, whether small or enterprise-level, should always focus on their fundamental needs and adapt to their organization’s specifics.
“There are billions of dollars spent in marketing in the security industry designed to take you off track. You’re much better off doing the work upfront because there are a lot of shiny objects that will take you off road. Put blinders on, think about what you strategically want to achieve, then take the blinders off.”
Now you’re ready to start considering vendors.