When you hear the words "security product procurement," what's the first thing that pops into your head? Many enterprise customers who make security decisions for evaluating and purchasing technology often first think of the competitive landscape: How does one vendor's product compare to another? While this approach has been used since the dawn of commercial security products, there's a better way to conduct the product selection process.
Of course, security procurement decision makers can't really be blamed for this reaction. Ever since the first antivirus product was sold to a home user and the first enterprise firewall went into a business environment, vendors have been locked into promoting their competitive advantages to potential buyers, pushing comparison matrices and other competitive analysis tools into the laps of prospective customers. This makes complete sense from the vendors' perspective: Pointing out the ways their products are more advanced than those of their competitors is a great way to differentiate and make their solutions stand out to buyers. Many vendors go further, creating their own marketing names for standardized concepts to try to differentiate themselves from the competition. Sometimes, the result of security decisions based primarily on competitive analysis is shelfware, as discussed in Javvad Malik's RSA Conference 2014 session, Security Shelfware: Which Products Are Gathering Dust in the Shed, and Why? Other times, the result is worse: the acquisition of products that don't meet real business needs but are shoehorned into place anyway.
Organizations have also looked to industry analyst firms to help guide their decision making when it comes to new products. Analysts take a well-meaning approach of attempting to create a normalized, apples-to-apples comparison among different vendors. Often, however, they do that by boxing vendors and their products into static pigeonholes. Just as vendors' competitive marketing tactics make things difficult for customers, this common analyst approach can unintentionally skew results against smaller vendors, as well as vendors who truly have differentiating technologies in the market or whose products span multiple "pigeonholes" of functionality that analysts prefer to keep discretely separate.
Security and procurement personnel need to start focusing on the only criteria that really matters: business requirements. Instead of asking ourselves, "How does Vendor A compare to Vendor B?" as the first question, we should be asking ourselves, "What business problem(s) am I trying to solve, and what are the technologies and features I need in order to address those problems?" For example, instead of starting the conversation by saying, "We need to buy an IDS" — which naturally leads to the desire to immediately compare IDS vendors — buyers need to focus on the details of the underlying problem: "We need to reduce the amount of time it takes to identify and report known attacks originating from outside of our network." Does that necessarily mean an IDS solution? Possibly, but it might lead to something else, like an entire suite of solutions that detect attacks across multiple layers of infrastructure (not just the network) or possibly new products from little-known vendors that solve a myriad of problems in a truly unique way. Only then, when evaluating similar products, should vendor details come into play — and then, only in terms of how each vendor's product addresses the needs of the solution (e.g., bandwidth capacity, interface types, etc.). By focusing on a top-down, requirements-driven approach to security technology acquisition, rather than a bottom-up, technology-driven approach, security decision makers can improve the quality of their product selection and better reduce risks to their enterprise.
Just as importantly, buyers need to stop looking to analysts as arbiters between themselves and vendors, and similarly, analysts need to become better facilitators between buyers and the detailed vendor and product information they need to successfully make their own decisions. Analysts are smart people, certainly; but they'll never understand an individual security buyer's business needs better than the buyers themselves. When we collectively stop placing artificial categorization walls around vendors, eliminate arbitrary comparisons, and start relying on more detailed, quantitative information in making purchasing decisions, enterprises will start getting products that better match their needs.