The Case for Crowdsourcing Security Buying DecisionsWhy our industry needs a sharing platform with open and transparent access to peer knowledge, meaningful metrics, and transparency around security products and services
The Internet has forever changed the balance of power around information. To help illustrate this point, consider the process of buying an expensive item or hiring someone for a large project. Years ago, the buyer (the consumer) was at a tremendous disadvantage because of his or her information deficit. The seller (the person performing the work or the retailer) held all of the cards. The seller knew what his or her costs were, what profit and margin would be made at various different price points, and precisely what other options the buyer may or may not have had. Thus the chance of the buyer making an educated and informed decision was nearly non-existent.
Fast forward to today. Regardless of what I am looking to purchase, as the buyer, I have access to a wealth of information. In addition to technical and financial details, I also have access to another source of information - one that is potentially the most valuable of them all. What is this secret weapon I am referring to? The experiences of my peers. Sometimes, the best way to understand what buying a product or service really entails is to ask those who have bought it previously.
Of course, we’re all familiar with numerous examples of this transfer of knowledge across many different industries. But for some reason, this seismic shift hasn’t made its way to security’s crowded and complex marketplace which is overflowing with both buyer and seller confusion.
Let’s examine some of the reasons why this may be the case:
- Immaturity: Security is still a relatively young and immature market. Definitive and utilitarian criteria and metrics by which value can be measured are difficult to come by.
- Confusion: Value is hard to measure. This makes it difficult to weigh the pros and cons of various options and separate solutions that may fit one set of requirements from those that do not.
- ‘Drowning in Information:’ To be more precise, in security information, there isn’t so much an information deficit as there is a knowledge deficit on the side of the buyer. As John Naisbitt wrote in his 1982 book Megatrends, “We are drowning in information but starved for knowledge.” There is certainly no shortage of information out there, but it is generally not the right type of information, certainly not the type of information needed to help buyers gain knowledge and make educated buying decisions.
- Secrecy: There are some organizations that evaluate security offerings for buyers, though the mechanisms behind the evaluations are far from open and transparent. Without knowing how these organizations perform their evaluations, who was included, and how the organization operates, it can be difficult to understand how to interpret the results.
A Sharing Platform for Security
There’s no easy answer to these challenges. But imagine a platform that provides open and transparent access to peer knowledge, meaningful metrics, clarity, and transparency around security products and services. Here’s what that might look like:
- Peers: Often the best way to find out how something truly works, what problems it solves, where it exceeds expectations, and where it needs improvement is simply to ask your peers. If you have a strong network of peers who have experience with the same products and services you are evaluating, then those people will be a tremendous resource during your buying process. And if you don’t? That’s where a sharing platform could be most useful.
- Metrics: The buying process is difficult enough on its own. But not having reliable and meaningful metrics to evaluate potential vendor, and the progress and success of the project after the buying decision complicates matters even further. Benchmarks and metrics that show progress as the organization works to improve its security posture are sorely needed. Building benchmarks and metrics into a sharing platform would be also a big boon to better buying decisions.
- Clarity: Sources and tools that can cut through the marketing hype to show what a product or service truly offers in an easily digestible format are sorely needed in the security field. Here is another concept that’s on my wishlist for a security sharing platform.
- Transparency: When buyers know the rules of the game and how the different players operate, they are more likely to trust the results. More trust in the results means that those results will provide more help and guidance during the buying process. In other words, if I have access, via a trusted platform, to information that is provided to me in an open and transparent manner and that comes from my peers, my confidence that the data has not been “tainted” by specific interests will be higher.
Security buying decisions, like all buying decisions, cannot be made in a vacuum. As our profession continues to mature, we need to do a better job equipping and empowering security buyers to make the right decisions for their respective organizations. Otherwise, I see no end in sight to the market confusion we’re experiencing currently.
Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.
Josh is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA. Prior to joining IDRRA, Josh served as vice president, chief technology officer, ... View Full Bio