Security Tool Procurement: 3 Keys To Success

Security products, or tools, are an important part of the three-legged stool of people, processes, and technology. My experience has been that the technology portion of the equation gets most of the attention and a large share of the budget. There are many reasons for this not the least of which is product vendors spending significant money marketing their tools as solutions to the CISO’s problems.

Despite all of the money that swirls around tool procurement, success is elusive. Discarded Data Loss Prevention (DLP) investments, over budget identity and access management projects, and underutilized Security Information and Event Management (SIEM) platforms are common outcomes when the focus is exclusively on the technology without consideration of people and processes.

3 Keys to Enable Your Technology Investments and Succeed for the Long Term

1: Execute a Staffing Plan to Utilize the Product

The operation and maintenance of a security tool procurement are almost never included in the planning or purchasing process. Typically the same number of engineers continue to be stretched across more tools until only the most critical tools can be sustained. Often, other tools may sit neglected operationally despite the annual maintenance bill from the vendor. To avoid this pitfall, be realistic about the minimum staffing requirements needed to reap the original benefits that drew you to the tool. Have a conversation with the engineers that will support it to establish service level agreements and metrics that everyone can live with. Be skeptical of thinking you can send someone from your team to the vendor’s 3-5 day training class and assume that will suffice. It won’t. These classes tend to cover a high-level overview of the tool’s capabilities, often time burning precious hours on modules you have yet to purchase.

Be honest about how thin you can stretch your team and make the business case for additional staff if that’s what is required for success.

2: Formally Integrate the Product Into Existing Operational Processes

To support the team operating the tool, procedures should be formal, documented, and repeatable. Ideally, if some process already exists, for example, incident response, fold the new product purchase into the existing operating procedures if appropriate. If you have already spent the time and investment in creating a mature cybersecurity program, then take full advantage of your good work and integrate the new product into your program. If you have a Governance, Risk, and Compliance (GRC) solution be sure to add a data feed for the new product or find some other way to leverage existing investments to make the new product a part of the current environment at a minimum.

3: Continuously Measure the Effectiveness of Your Investment

Deploying a recently purchased technology should not be your end game. Deployment does not equal victory, it’s often just where the hard work begins. Cybersecurity is fast-paced and dynamic so by the time you finish negotiating a price with your vendors there will likely be a new number one priority. Even with that reality, and in fact because of it, having metrics to measure the effectiveness of your new product is critical. Force the selling vendor to come up with a way for you to continuously measure the tool they are selling over time if they want the sale they will do the work. These metrics will keep you from being in the position of paying annual maintenance for tools that have long outlived their utility.

Buying security tools is easy, optimizing them for long term success is not. These three keys will enable you to better measure and manage your technology investments for the long term.

Did You Like This Post?  

Subscribe to CyberSheath’s blog today to receive email updates as new posts become published.