Death to Shelfware: 5 Steps for Buying the Security You Actually Need


Posted by RSAC Contributor

At a time when the industry is urging increased investment in security, we are also seeing plenty of security products gathering dust. Efforts to do more are not bringing the expected results, mainly because organizations rush to solve the problem and spend too little time understanding how the various threats, and the controls meant to address them, fit together.

Consider the five-step program below to improve the likelihood that the products you choose will bring the protection that you need.

Step 1: Understand your current situation

Before you address a particular security concern, get to know your organization by asking:

  • How many people are you trying to protect, and what are you protecting them from?
  • If you are protecting a resource, in how many places does it live, and how is it transmitted, stored and managed?
  • How do you currently protect those people and resources, and why change that model?
  • How many employees focus on security, and how much time do they have to implement, monitor, tune and maintain a new solution?
  • What kinds of skills and experience do they have?

Based on your answers, create a checklist of your criteria and review it while speaking with vendors. Applying the same criteria to every candidate will help you select a plan or solution that is going to work with your team and your actual needs rather than with the vendor's demo.

Step 2: Know what you’re looking for before you start looking

Before you start researching solutions, develop a specific sense of what you are trying to achieve.

Are you trying to:

  • Increase visibility into what is happening on your systems and network?
  • Better manage pesky user machines?
  • Reduce help-desk tickets, or the volume of alerts and messages in your monitoring?

Limit the list of features you are looking for, so that you are not tempted to rationalize buying more than you need. Be wary of solutions whose selling point is value they might provide in the future but not now. The last thing you want is unused features adding cost and complexity to your operations.

Step 3: Get insights from other organizations like yours

Now that you have a clearer sense of your priorities, and a list of the capabilities you need, it is finally time to shop.

While you’re on the hunt, keep in mind the best input will come from organizations and individuals who are most like you. A large company with a team of security analysts may love a product that would completely overwhelm a mid-sized IT director.

Ask vendors about their experience and request references from customers who are solving similar problems. Present a detailed view of the problem you are trying to solve and encourage them to explain their approach.

You will learn how others view the problem, and their unique approaches may be able to teach you something new. On the other hand, if a vendor is unwilling to make these connections, this could be a good indication to go elsewhere.

Step 4: Try before you buy

Having the right criteria can help you home in on the best solutions, but keep in mind that you will never be able to entirely predict how adoption and deployment will play out. There will always be surprises (for example, a product may require more initial training or maintenance than you thought), and for that reason it is a good idea to pilot the product with a small group first and phase it in gradually.

Also, when making the deal, don't buy more than you will actually roll out. An upfront volume discount may look attractive, but unused product is a loss, and a larger commitment adds both work and financial pressure to complete a deployment at a scale you have not yet proven.

Step 5: Choose vendors who will partner with your success

I always keep in mind this quote from HubSpot founder Dharmesh Shah — “Success is making those who believed in you look brilliant.” Pick vendors who behave in this way, and whose customers confirm this to you.

Healthy companies and sales teams recognize that the long-term success and adoption of the product is what brings the greatest value. An engaged vendor can save you weeks of frustration: they have likely helped other customers through the same steps and obstacles before, and they are a source of practical advice.

Plan for it. Do it.

Remember that security projects are not the only IT investments that can go sideways, or fail to deliver on their expected value. Plan well, champion vocally, succeed incrementally, and know that each successful step moves the organization towards a more secure, stable, and informed position.

Jack Danahy is co-founder and CTO of Barkly.
