We've all been there. You're walking the exhibit floor of a security industry conference and nearly every vendor is peddling the same "next big thing." One year it was all about email and Web security, then threat intelligence, and later endpoint detection and response (EDR). Security orchestration and automation (SOAR) was the big buzzword when conferences were last in person. And as soon as we're all walking the floors again, we'll likely see extended detection and response (XDR) everywhere. All vendors sound the same – regardless of what they can deliver. There are also underlying technologies like artificial intelligence (AI) and machine learning (ML) that many claim to leverage.
But to what extent is this reality, and why should you care?
We don't see the plain truth in advertising that we often desire, like the slogan in the satire Crazy People: "Buy Volvo. They're boxy but they're good." So, it's not surprising CISOs often ask, "How can I cut through the marketing hype and really understand what to buy and from whom?" Being in the industry for over two decades ourselves, and admittedly sometimes the purveyors of this marketing, we did some soul searching to try to become part of the solution.
Here are 10 questions to ask vendors to help you understand if they have deep expertise and can deliver what you need to achieve your security goals and vision.
1. What Is the Value?
Everyone defines value differently. Work backward from what you strive to accomplish and think about what it will take to start achieving your goals. Use your desired outcomes as your guidepost for defining value, and make sure they align with what the vendor says it can deliver.
2. What's the Time to Value?
When will you see benefits? Is four weeks OK, or do you need to start seeing value sooner? Is your timeline expectation realistic given the technology complexities and the answers your vendor provides?
3. How Do You Define the Levels of Maturity Needed to Use Your Solution?
Use this to gauge the vendor's understanding of the problem and its approach to when and how the solution is used. Often, a vendor that can advise is more effective than one that forces you to adapt to its processes and technology.
4. What Do You Think Is the Most Important Part of Your Offering?
The vendor's answer should align with the areas you plan to invest in and implement. If it doesn't, you may not have good alignment with your goals and could end up with another piece of technology that you're paying for, that you don't really need, or that isn't adequately supported, all of which are all-too-common problems.
5. How Do You Interact With the Rest of the Security Ecosystem?
Security and privacy programs are increasingly interconnected, and technologies that sit outside the ecosystem are increasingly hard to leverage. Find out if the vendor integrates with what you're already using, and if not, ask what it would take to create that integration.
6. Which Competitors Do You Run Into Most Frequently?
A vendor that confidently and accurately talks about its competition and how it measures up is more likely to have a grasp of its customers' needs and be able to deliver on its promises.
7. What's the Vendor's Next Area of Investment and Why?
The depth of its vision and areas of weakness will matter long term to its customers. Don't be afraid to inquire about its priorities and about new features you might want or need to hit your goals. The answers show how adaptable its road map and research and development are, as well as how willing and able it is to implement your requests.
8. What Do You Think About the Latest…?
Test its knowledge on the latest attacks, trends, regulations, or policies that matter to your organization. Vendors with a broader understanding of the marketplace, the threat landscape, and the complex regulatory environment are more likely to be able to deliver more value through their offerings.
9. Where and How Does It Store Your Information?
Not only is it important to be confident the vendor won't create a security or privacy incident for you, but its answers will also provide insight into its awareness of common challenges you're likely facing.
10. Do You Use Your Own Technology?
While this may sound obvious, if the vendor doesn't, that doesn't bode well for your use of the technology. You'd be surprised how many vendors don't deploy their solutions in-house and how many people forget to ask.
Whether your next security technology search coincides with a return to in-person events or you're doing your search online, we hope this advice helps you get past the marketing hype to focus on what you really need and find the best solution for your organization.