The process of selecting and implementing a network-security solution involves three types of activities: gathering information about both your own organization and potential security vendors; obtaining approval from decision-makers; and properly deploying and maintaining your choice solution.
Steps for deploying network-security applications, tools and services are broadly the same,whether you're buying a next-gen firewall, a cloud access security broker (CASB), an intrusion-detection system. Similar procedures can also be applied to other aspects of information security.
Here are 10 steps you should take when picking out and setting up a network-security solution.
1. Conduct a thorough inventory, vulnerability audit or risk assessment of your organization.
You won't get an idea of what you need until you perform due diligence on your own organization's strengths, weaknesses, and ability to grow. Whether you call it an audit, an assessment, or an inventory, you'll want to make sure you can fully answer the following questions. Don't forget to query every stakeholder in your organization.
- What is your organization's threat model?
- Who would its most likely attackers be?
- What are your organization's network-security weak spots?
- How many of your employees work remotely, and how often?
- What kind of rules and regulations govern your organization's business activities?
- What kind of network security model do you use? Is it perimeter-based or zero-trust?
- Do you allow employee-owned devices on the company network? What if they're working from home?
- What kind of assets do you have in the cloud? How recently were they migrated there?
- What is your organization's 5-year growth plan, and will its network-security needs change?
- Are there any network-security appliances that need to be replaced?
- Are there any critical vulnerabilities that need to be patched?
2. Determine what kind of additional network security you need, and what's possible.
Do this only after completing the internal due diligence, which should give you a much better idea of what you need.
For example, if you're still using an on-premises firewall appliance, it might be time to move up to a next-generation firewall. If you're new to the cloud, then you'll want some cloud-native security tools. And if you're using a perimeter-security model, you ideally should upgrade to a zero-trust model — but do you have the staff time and expertise to do so?
Also check to see whether you have existing network-security tools or services that could be repurposed to meet some of your needs.
3. Determine what your organization can afford and get approval for that amount.
In some ways, this is the most crucial step, because it will determine what you can and can't buy. Then go over the list of network-security tools and services you need or want and rank them in order of highest priority, starting with the ones you feel are most immediately necessary.
4. Research and compare vendors and their solutions, tools, and pricing.
Find out who has what you need, and how much it costs. You'll be conducting a lot of research on your own, but you should also reach out to other organizations in your industry or similar fields. What are the other organizations using, and what can they recommend?
For each potential solution, you'll also want to find out:
- How scalable is it?
- How easy is it to use?
- How well would it work with your existing tools?
- What would be the total cost of ownership, including support, maintenance, and staff training?
- Would it affect your regulatory-compliance requirements negatively or positively?
- If you need more than one networking-security solutions, are there multi-purpose bundles — often called unified threat management — that could save you money?
5. Make a shortlist of potential vendors and interrogate them.
Once you've narrowed down the possible solutions to a handful, it's time to grill the vendors. You're about to enter a long-term relationship with at least one of these firms, so don't be afraid to ask tough questions like the ones below.
A good networking-security vendor will be happy to answer these (and many more):
- Does the vendor provide 24/7 support and response? If so, how much extra does it cost?
- Does it offer staff training for the solution you're thinking of buying? How much would that cost?
- Does the vendor provide help with deployment and implementation? Does that cost extra?
- Does the vendor have experience with other organizations in your industry?
- Is the vendor familiar with the forms of compliance your organization is subject to?
- How many clients does the vendor have?
- What is the vendor's typical client profile?
- Are there any new features or functions on the way for the solution you're considering?
- What is the vendor's 5-year development plan?
6. Narrow it down to two or three vendors, get their proposals and quotations, and then present your own proposals to management.
You'll want each viable potential vendor for each solution to make a pitch for your business, including price quotations. Don't be afraid to try to get the vendors to sweeten the deal with extra "gimmes." For example, maybe a vendor could toss in staff training on its tool or service for free.
One note: Feel free to mix and match solutions from different vendors, as long as those solutions are compatible with each other (and your existing environment). You may not want to be too reliant on a single vendor.
Then take the vendor quotations and add your own set of known performance indicators (KPIs) that you think each solution will help you achieve.
Present the whole package to management for approval, clearly indicating your first choice of solution or vendor but also making clear you'd be willing to settle for second-best if it's a bit cheaper and, very importantly, nearly as good.
7. Sign the licensing/service agreement with the winning vendor(s).
Assuming that the contracts or agreements are routine, this may be the least complicated part of the whole process. But don't bust out the Champagne — you're not done yet.
8. Slowly deploy each new solution, one at a time.
Don't implement your new tools too quickly. Test each one in a sandboxed environment, then roll it out across your organization department by department. Lean on the vendor to provide deployment support if they offer it (and they really should).
Make sure you have a rollback plan for each solution in case something goes wrong — and be ready to explain why to management if it does.
9. Make sure your staff receives the proper training to handle these new tools.
Implementing a new solution is rarely as simple as flipping a switch. In most cases, it results in having to learn a new set of procedures, and in the case of initial cloud migrations, an entirely new set of skills.
Be certain that you've got enough in your budget to cover training for any employees who will be working with the new tools or services. If the vendor can provide that training for little or nothing, that's great, but you may also want to consider third-party training firms.
10. Conduct a follow-up assessment.
Six months to a year after all the new tools have been implemented, you (and your boss) will want to know how much of a difference they've made. Conduct a second audit or assessment, using the KPIs you designated KPIs in Step 6, to determine whether your upgraded network security is offering the desired return on investment.
