With the current state of cyber security, the market has become inundated with “solutions”. When every manufacturer is selling hammers, every problem looks like a nail. Security personnel are expected to evaluate solutions while still trying to find time for operational tasks. After the media fills executives’ minds with the latest security buzzwords, they all look to the security group to implement the latest and greatest (with limited funding, of course). After perusing the latest Gartner Magic Quadrant or Forrester report, it appears that the market is filled with silver bullets.

How do you pick the right solution for your organization? Should you even be considering new solutions?

DO Define Requirements

The first thing to consider when it’s decided that a new product is necessary to fill a gap is “why?”. Define a list of requirements and use cases that are necessary for a product to provide a return on investment. These requirements will help quickly weed out manufacturers that don’t fit the bill, and speed up proofs of concept for those that do. Some high-level topics to consider when building requirements include:

  • Architecture – How is the solution deployed?
  • Needs – What is non-negotiable from a capability standpoint?
  • Wants – What would tip the scale if multiple solutions meet all of the needs?
  • Impact – What impact will this product have on end users and business processes?
  • Operations – Is the necessary headcount in place to use this product after installation?
  • Budget – We’d all like a Ferrari, but can we afford it?

DO Leverage a Value Added Reseller

If creating requirements is proving difficult, reach out to a trusted security value added reseller (VAR). While finding time to research every security product on the market is impossible, a true VAR should be able to recognize the proper security vertical to fill a gap, and be able to discuss the space and competitors. Leveraging this knowledge, a VAR will be able to help compile a list of unique and comparative differentiators, shortening a list of potential manufacturers to 2 or 3 that would be worth looking into.

Many times the answer is a recommendation to not buy a product. Sometimes additional headcount, improved internal processes, or different configurations are the answer.

DON’T Leverage Resellers

Selecting a VAR is a lot like selecting a security product. While true VARs want to make sure a customer purchases the correct product, resellers only want to make sure customers purchase a product. Work with a company that is looking to form a partnership with the organization and act as an extension of the security team, rather than one that is waiting for a call about a project. A VAR should always work to increase security capability, instead of increasing security spend.

An easy question to ask to see which one you’re working with is, “Have they asked if I have requirements or not?”. If the answer is no, or they haven’t asked to discuss them in detail to find the right fit, you’re working with a reseller.

Should I Contact Manufacturers Directly?

If a screwdriver is necessary, but you contact someone who sells hammers, your screw just turned into a nail. Manufacturers only benefit from selling their product, so of course, it will always fix the problem. Contacting a manufacturer before defining requirements is lethal.

Too often, customers view a demo for a product without having requirements defined, and walk away with a list of needs that don’t actually solve a business problem. Allowing a manufacturer to determine requirements may result in the purchase of a product that provides little value to the organization. Also look to a VAR to clarify any information that seems “too good to be true”.