
Key questions to ask when evaluating a network-security vendor


If your organization is shopping around for a new network-security product, tool, or service, it's your duty, once you've narrowed down the list of candidates to a few, to thoroughly investigate each leading contender for your business and its offerings.

That's because purchasing a network-security (or any cybersecurity) tool or service entails entering into a long-term relationship with the vendor.

You're not just grabbing a product off a store shelf and taking it back to the office. You're adopting a dynamic, sophisticated digital entity that will be cared for, upgraded, and updated for years to come, and it will need both your organization and its creator to make sure it thrives and grows.

Ideally, you'll want a client-vendor relationship to blossom into a true partnership, as was detailed at a recent CyberRisk Leadership Exchange conference hosted by the Cybersecurity Collaboration Forum.

Even if that doesn't happen, you'll still want to get to know your potential network-security vendor and the product it's offering to sell you very well before you sign that contract, or even before you pitch the potential purchase to your supervisors.

Whether you're buying a data-loss-prevention system, a cloud access security broker (CASB) or a behavioral-anomaly detector, here are a dozen questions you'll want to ask prospective network-security vendors.

What is the total cost of ownership of the product, including subscription fees, support, maintenance and upgrades?

Paying the purchase price doesn't mean you're done paying. See how many guaranteed upgrades come with that purchase and ask what kind of in-house maintenance and monitoring you'll need to do to keep the new tool running smoothly.

What kinds of support plans does the vendor offer, and how much do they cost?

Some level of support should be built into the product's subscription or purchase price, but it may not be enough. Consider paying extra for a guarantee of rapid response and action around the clock, including weekends and holidays. Don't settle for a 24/7 answering service that doesn't generate a response until the next business day.

How scalable and flexible is the product you're considering?

You want a network-security tool that can grow and change with your organization's evolution. Is the tool better suited to a cloud environment or an on-premises network? Can it do both? Can it handle hybrid networks? How well will the tool work if its workload doubles, triples, or quadruples?

How compatible is the product with your current security stack?

To minimize your overall costs, your new network-security tool or service is going to have to play well with your existing hardware and software. Are there any incompatibilities with any of those? Does the vendor offer APIs to link its tool and other programs?

Does the vendor offer help with implementation and/or staff training?

Deploying a new tool is rarely as simple as flipping a switch. Ask the vendor if it will help you set up and implement the new tool, if it offers training for your staffers in how to use the tool, and how much extra either service will cost.

Does the vendor offer a product bundle that might be useful to you?

If you're in the market for more than one network-security product, or even other cybersecurity services, the vendor may offer package deals or multi-tools that could be more affordable than purchasing all the products separately. Best of all is if the vendor has a unified threat management (UTM) tool that can consolidate several tools and telemetry feeds into a single interface.

How much experience does the vendor have delivering this kind of product? How long has the vendor existed?

Hot new start-ups may be attractive, but it's wiser to invest in one than to become its client. Stick to vendors with long track records and solid financial footings. You don't want to go with one that could go out of business nine months into your service contract.

What is the vendor's reputation? Can it provide client references and testimonials?

A vendor won't tell you that its clients have had mixed experiences, but those clients might say something different if you ask them directly. You'll also want to ask industry peers if they've used this vendor or product and if they can recommend it.

Does the vendor have other clients in your industry? Is it familiar with your regulatory requirements?

You'll want to find out if the prospective vendor has had experience in your field, because that will let its team hit the ground running faster if you select its product. Likewise, it's a bonus if the vendor knows what kind of compliance frameworks govern your business.

Who are the vendor's top customers, how many clients does it have, and what does its typical customer look like?

A client list with several Fortune 100 names on it is always impressive. The risk is that if you're not a big company, you might end up being a lower priority. Find out how many other clients the vendor has that are about your organization's size, and how much of the vendor's business they comprise.

Is the vendor routinely audited? Do its staffers have certifications? How well will it protect your data?

Just because a vendor offers a security product doesn't mean that its products are automatically secure. A reputable security vendor should have regular third-party security audits conducted on itself and be willing to share the results. Likewise, at least some of its staffers should have well-regarded cybersecurity certifications such as a CISSP, CISA/CISM or Security+/Network+. Last of all, the vendor's tool will be monitoring your company's data in transit, so you'd better be sure it's protecting what it sees.

What kind of features and functions are on the way for the product you're buying? What is the vendor's development road map?

If you're going to enter a long-term relationship with a network-security vendor, you'll want to find out its plans for the future and how they mesh with your own. Will its tool soon have additional features that will make it more useful to you? Is the vendor planning to develop other tools that you might need?

Take note of how willing the vendor is to give answers to each question. If an answer seems too good to be true, run it by peers at other companies who've used the vendor. And if a vendor seems reluctant to answer questions, or refuses to answer one or more questions outright, then you'll know it's time to move on to the next potential suitor.

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, and
