It’s time for RSA Conference again: that annual gathering of enterprise security professionals, technology manufacturers, solution providers and partygoers, where you will find some of the brightest minds in the industry and the newest and most innovative companies, all with the goal of helping you better secure your enterprise.
The trouble is, how do you know which technologies, products and services will actually address your needs? I have written a lot about fundamentals lately and have even dedicated podcast episodes to the cause. Some people have taken notice; we are having discussions about fundamentals and there is renewed focus on them.
With that in mind, here is my list of the top three questions you should ask as a customer of the security industry. As a potential buyer and consumer of security technologies, I believe these are reasonable things to ask, not just at RSA Conference but any time you’re approached with a new technology, product or service.
1. What business problem does this solve?
So many of the technologies, services and solutions on the show floor of RSA Conference are great ideas. Many of them are potentially great solutions, but are they right for you, right now? More importantly, do they address a problem that requires your attention now because it is at the top of your list? In the past I’ve worked for CISOs who made purchases, based on recommendations of my peers, that solved a problem so far down the needs scale it worried me. Sure, it’s great, but what good does it do if it is a distraction from more important things (like those pesky fundamentals), or if it isn’t going to get the proper attention right now? Let’s focus on solving the problems at the top of the business-risk-priority stack, and get those right before we chase cool solutions.
2. Do I have the resources to plan, design, implement and operationalize?
Security tools and solutions should remove burden from your existing resources. A tool that demands more of your people’s precious time but doesn’t offer any measurable payback elsewhere is of little use. The industry has seen plenty of inadequately planned, designed and implemented solutions struggle here. Not to pick on SIEM, but it is one of those common tools where expectations routinely mismatch the product’s capabilities. It’s a fantastic idea, centralizing your log collection, correlation and alerting, unless you forget the operational people and processes that are required. You’ll need someone to tune it, operate it, and respond when it fires alerts. If you don’t have those resources today, and you aren’t budgeting for the appropriate additions in this purchase cycle, think that through as part of the overall evaluation.
3. What task does this automate that my existing tools cannot do?
It turns out that many of the things you want to buy, your existing tools already do. Shocking. This isn’t new or revolutionary, but what you should ask yourself and your provider is this: does my existing toolset already perform at least 80 percent of the functions this new tool includes? That percentage is a sliding scale based on your budget and on how critical the non-overlapping features are to you. I’ve seen far too many tools that overlap entirely too much with existing solutions but that organizations purchase anyway, for either political reasons or simply lack of knowledge.
If you are at RSA Conference this week, I hope these tips help make your experience more productive and enable you to choose the right solutions for your organization. Enjoy the show!