Zero Trust. Artificial intelligence. Cyber kill chain.
If you’re tired of hearing and reading terms like these in vendor pitches, you’re not alone. The cybersecurity vendor landscape has become so confusing, with every solution provider co-opting trending terms to improve their SEO rankings, analyst coverage, and likelihood of fitting in as a budget line item.
Yet, one can hardly blame marketing, sales, or PR teams. The game emerged alongside digital transformation (an also-loathed buzzword), growing complexity in organizations’ technology ecosystems, and the mainstreaming of cybersecurity. Further, to compete for a spot in the coveted budget, vendors must appear alongside competitors and adjacent technology categories, even if the technological differences and intended outcomes are fundamentally different.
Regardless, it’s hard to parse vendor marketing materials when a firewall vendor’s solution sounds like an endpoint protection vendor’s solution, and an endpoint protection vendor’s solution sounds like an application access control solution. Throw in innovators’ desires to create new categories — such as extended detection and response (XDR) and secure access service edge (SASE) — and the ensuing appropriation of terms to fit the trendiest of categories, and it’s no wonder buyers are confused.
Aside from navigating the cybersecurity vendor landscape, there’s enough on cybersecurity users’ plates. IT ecosystems were already sprawling before the mad dash to accommodate fully remote offices. Now, there’s an even greater number of devices, users, and systems to account for.
Companies are more highly interconnected and integrated with third- and fourth-party systems than ever before, leaving tech teams struggling with the scope of every technology deployed, the configuration and hygiene of every deployment, and the risk of vulnerabilities in the supply chain. This all results in security buyers’ desires to gobble up the latest and greatest technology to help with coverage gaps.
However, when choosing the right solution is convoluted by artful product descriptions and savvy sales tactics, what’s a buyer to do?
In Part 1 of this two-part blog series, we look at tips for buyers, including focusing on the fundamentals.
New Product and Category Convolution
The growing number of cybercriminals and their increasing savvy have pressured organizations to implement processes and technologies to quickly and accurately identify, protect, detect, respond to, and recover from all types of cyber threats. When organizations only had a north-south perimeter to consider, it was easy to implement solutions. Today, however, there’s a whole lot in between the edge and the core — not to mention the need to monitor the external attack surface for known vulnerabilities and threats.
Myriad products and platforms have thus emerged over the last 15-plus years — on top of tried-and-true categories like firewalls and antivirus — to help companies compensate. But with hundreds of product categories currently on the market (some of them overlapping), it’s a full-time job to simply keep up with the nomenclature, much less uncover what to buy and how it will benefit the organization.
Tips for Buyers
Choosing security technology for your organization shouldn’t be overly complicated, yet it is, due to the factors listed above as well as many others not covered here. To navigate the cybersecurity vendor landscape and identify the right vendor for your organization:
1. Learn What You HaveWhat technologies do you have deployed? Where are they deployed? What kind of data do they produce? How actionable is that data (i.e., what risk reduction actions can you take as a result of the data)?
Importantly, given that many product companies are evolving into platform companies — meaning, the core product might include additional capabilities such as full visibility into network traffic, application dependency mapping, or comprehensive event logging — the functionality you need may be embedded in another solution.
If so, you’ll need to determine if that functionality is good enough or if a best-of-breed solution is needed. There’s no one size fits all. Your answer is entirely dependent on your business, compliance requirements, risk tolerance, and ability to operate deployments.
2. Focus on the FundamentalsWhile it might be tempting to allocate a budget for the newsiest product or platform, if you don’t have the right foundation for your security program, everything deployed on top will crumble in a flash. Think of it like building a house: you need to pour the foundation and frame the structure before you go installing bathroom fixtures.
But security teams could theoretically buy an XDR or packet analyzer without already having firewalls, ID/PS, antivirus, appsec, email/web filtering, endpoint protection, access controls, anomaly detection, etc. — basic cyber hygiene functionality — deployed. Going straight for the gusto won’t help if your company can’t even block basic spam — so tackle the foundations first and grow from there.
3. Quantify Your BudgetDespite the rash of breaches and risks to an organization when/if they are a victim, no security team has unlimited budget to procure products. However, financial outlay is just part of the equation.
Personnel to deploy and manage implemented technology can quickly add up, especially if in-house resources are not an option. You will also have to think about how operational impacts could affect both your team’s time and costs. For instance, if a tool takes six weeks to deploy, that’s a lot less resource-draining than a six-month deployment. And deployment is only the start of maintenance costs.
Stay tuned for Part 2, where I’ll explore questions to ask vendors to clarify what they’re selling and differentiate them from other products and product categories.