Having trouble finding the right security products for your business? You’re not the only one.
Today’s market is filled with hundreds of vendors and plenty of marketing hype. But figuring out which solutions are worthwhile can be a challenge, especially for businesses with little experience in cybersecurity.
[ 18 surprising tips for security pros. | Discover how to secure your systems with InfoWorld’s Security Report newsletter. ]
So we asked actual buyers of enterprise security products for tips, and here’s what they said.
Damian Finol, security technical program manager at a major internet firm
Businesses have to do their research. That means looking at customer recommendations instead of relying on what vendors say. Testing the security products in house is also highly advised.
“Do that due diligence, or you’ll regret it,” he said.
Good vendors are transparent with their products. They’re also focused on hiring more security staff, and paying them well, instead of recruiting more marketers. The best ones will also be happy to train customers to run their products.
“Great security companies are concentrated not just on selling, but they’re interested in supporting your enterprise, and providing consulting [and] best security practices,” he said.
Quentyn Taylor, director of information security at Canon EMEA
Customers should flesh out what problem they’re trying to fix instead of simply wandering into the cybersecurity market without a goal, he said.
“The market is very busy. Anyone with a flashy idea, a flashy logo, can launch a product,” he said.
Some security products can also be vaporware. The vendors selling them are more focused on finding a larger company to acquire them than on security, Taylor said.
To avoid buyer’s remorse, customers should approach their product search with a firm plan. “Identify what your success criteria is and tell that to the vendor,” Taylor said. “And then bake that into the service contract.”
“Don’t be afraid to admit when something isn’t working,” he added. “Take it on the chin, and do something different.”
Gal Shpantzer, a security advisor who works as a CISO for several firms
Sometimes the best way to solve a security problem is with something free you already have.
“They should ask themselves if this is something we can solve in-house with the current functionality we have,” he said.
For example, system administrators can block hacks based on certain malware infection methods by disabling macros in Microsoft Office. This can be set up with Microsoft’s group policy setting, at no extra cost. Shpantzer also likes to work with companies to implement proven protective measures such as application whitelisting, keeping software up to date, and other strategies like those recommended by Australia’s intelligence agency.
Clients who do buy security products should be aware that not all are easy to use. Imagine a threat monitoring platform that generates a hundred alerts each day — some false positives, some real. Do you investigate every one?
“If I gave you a million-dollar budget for an IDS (intrusion detection system), you would say, ‘Great, our problem is solved.’ No, your problem just began,” he said. The work is about to pile up.
Beyond the initial purchase, there’s a whole lifecycle to a security product. This can include the people who will operate it, how the product will be deployed, fine-tuning the technology, and understanding all the requirements needed to run and maintain it, Shpantzer said.
Jonathan Chow, a CISO at an entertainment-focused company
Bad vendors tend to use scare tactics, while good vendors listen to your needs and try to help secure your business, even if that means offering free advice, he said.
“There’s nothing really magical about a security product,” Chow said. “People need to be cautious and vigilant whenever spending money on a piece of technology.”
His top tip for finding the right security products is to listen to what other buyers are saying.
“I think asking their peers to share their experiences is the best way,” he said.
Brian Honan, CEO of BH Consulting, which advises clients on IT security purchases
Be wary of vendors that can’t offer any customer references, or that only offer products demos under strict test conditions, Honan said.
“If they don’t have the product reviewed or accessed by independent bodies, that would concern me as well,” he said.
Unfortunately, when businesses do buy security products, they often don’t use them correctly, Honan said.
“They buy a box with a flashing light, hoping it will keep them secure,” but end up with a false sense of security because they didn’t configure it right, he said. “I’ve seen this happen many times.”
“You have to spend a lot of time fine-tuning these tools, and a lot of companies don’t spend the time to do that,” Honan said. “They will then point the finger at the product and say it didn’t work.”