Security solutions are the treadmills of the IT community. No, I don’t mean you implement them, sweat it out, and don’t really get anywhere. I mean that you buy them when you feel that change is needed, and urgent. And if you haven’t done your homework, you'll find that they aren't that easy, they make you sweat, and you don’t really have the time to realize their full benefits.
Before you sign a multiyear contract for security shelfware that you may never get full value from, consider this five-step approach to making sure that the products you choose will provide the protection you need.
Step 1: Understand your current situation
You may feel like you have a very specific security gap, some hole in your protection technology that is leaving you exposed. Before you move to fill it, stop to think about your organizational context, the parameters of the problem that are uniquely yours. Think about the number of individuals or systems you're trying to protect, specifically about their functions and exposure. Once you have that documented, count noses. How many IT or security staff have the time to focus on adding new protection? What are their skill levels? Do you feel confident that they are incented to make this new solution seamless and successful?
The answers to these questions form the basis of your requirements for a new solution. Being consistent when talking to providers about your requirements helps you avoid the tendency to make impulsive selections. You will have a much better chance of selecting a plan or product that will work with your team and your actual needs.
Step 2: Know what you’re looking for before you start looking
Be specific. Before you start to look, understand the fundamental reason for making this change in the first place. For example, is this about security awareness and improving visibility, or is this about blocking threats before they blossom into disasters? Are you looking to reduce cleanup costs or monthly charges for hosted log storage?
Additionally, limit the features you look at to avoid the situation that new car buyers run into: adding options and features because the dealer throws them in at a discount. Avoid solutions that may someday or potentially provide value. The last thing you want is to pay for unused features that only increase cost and complexity from the start.
Step 3: Get advice from other organizations like yours
Once you understand the problem you are trying to solve, what your team can reasonably consume, and the exact features you need, t's finally time to shop.
This is also a good time to seek advice from peers or other organizations who have been through a similar process. The best input will come from organizations and individuals who are most like you. Look to like-sized companies in similar industries, and for peers that have similar roles, staffs and challenges.
When you speak with vendors, look for specific examples of current users that feel familiar to you. Questions to ask include: Have you had any customers in my industry that are about my size? Can you connect me to my peer at another similar company? Encourage them to explain their recommended approach and give them time to involve others as necessary.
If a vendor is unable or unwilling to describe their solution this way, or if they can offer no peer or industry example, that a sign that you should probably look at other solutions.
Step 4: Try before you buy
Once you’ve made a tentative choice, you still need to take it for a test drive. You will never be able to entirely predict how adoption and deployment will play out, and in more cases than not, some amount of additional consideration or effort will probably be necessary to take full value from the investment that you are making. Trying the software first, in limited deployment or PoC will let you wring out these issues without destabilizing or inconveniencing the entire organization.
Remember: Don’t buy more than you expect to roll out. While there may be an upfront discount, unused product is usually just a loss. If possible, negotiate the next phase of adoption and deployment in the first contract, but don’t just buy product to put on the shelf in hopes of using it. Why? Because technology ages faster than peeled avocados.
Step 5: Pick the right kind of partner
I always keep in mind this quote from HubSpot founder Dharmesh Shah: “Success is making those who believed in you look brilliant.” Pick vendors who make their customers look brilliant, and whose customers confirm this for you. Since security products can cause hiccups for users or business processes, the right kind of responsiveness and support will minimize delays and reduce any institutional blowback caused by difficulties during implementation or use.
Plan for it. Do it.
Unless you have a remarkably focused role, these incremental security projects are not your only responsibility. In spite of your personal commitment to improving security and your organization’s vocal support, other things will happen. Unrelated projects may require more resources, individuals or business units may become fractious or recalcitrant. Plan well, champion vocally, succeed incrementally, and know that each successful step moves the organization towards a more secure, stable, and informed position.