- Selecting a cybersecurity vendor can be a difficult task, given all the considerations that must be taken.
- Chief information security officers should ask themselves a series of questions before deciding on a cybersecurity vendor — from what threats it detects to how easy it is to use.
- Cisco's new SecureX cloud native platform is helping solve CISOs biggest cybersecurity challenges
Cybersecurity vendors always seem to be ready with answers. The trick for chief information security officers (CISOs) is to curt through the clutter by asking the right questions. Wendy Nather, head of advisory CISOs for Cisco, understands these conversations from the inside out. Here are the questions she says every cybersecurity vendor should be able to answer to get your business.
What threats can your product detect?
What you can't prevent, you must detect, but don't assume that security tools detect everything. Ask how broad the tool's scope and detection criteria are. Be sure that the vendor isn't leaving it up to other tools to detect subcategories of incident.
Which products do you really integrate with?
According to Cisco's 2020 CISO Benchmark Report, 81% of CISOs find product fragmentation a challenge, making cross-product integration a key requirement. Users should be able to exchange data completely within their security platform, Nather says. Exporting files and sending them via email introduces friction and exacerbates the cybersecurity fatigue that 42% of CISOs already feel thanks to information overload.
Some vendors that claim to integrate only publish an application programming interface (API) that lets other products talk to theirs, but that doesn't help if no one uses it. True integration means giving full visibility—no black holes — and exchanging data with other products seamlessly and automatically.
"Can I talk to other third-party product vendors that are actually using it?" asks Nather. "And can I see that integration in action? Those are the important integration questions."
How easy is the product to use?
The most functional product is only as useful as its interface. Security teams dealing with an incident in real time — especially those working remotely — must interact quickly and efficiently. That needs frictionless usability, so ask how consistent the user experience is across different product modules.
Follow up by asking how well the product's interface supports people with different levels of technical knowledge. A well-integrated product suite will support different functions and roles, so role-based access control with different usage privileges is crucial to stop costly mistakes.
"Another feature to ask about when it comes to access controls is single sign-on (SSO)," Nather says. Users should be able to log into different products and modules with a single multi-factor authentication (MFA) system. Cisco's Benchmark Report shows that only 27% of companies use MFA today.
How flexible is the product licensing?
Functionality comes at a cost that may not be obvious, so make sure to explore the vendor's licensing structure. Some vendors who license products on a per-application basis might restrict how often you can switch that license to monitor different software. They may also restrict your ability to apply the license to different business units, creating problems during company restructuring or acquisitions. Ensure that the licensing structure supports your usage model.
How easy is the product to secure?
Cybersecurity products come with their own security challenges. Nather suggests asking about the vendor's internal security process. Is there a team handling product testing? How does it interact with external security researchers, and is there a responsible disclosure policy that guarantees they'll fix bugs and notify customers? This is also the time to ensure that the product is easy to patch, which means asking about the security update cadence.
If there's one thing these questions teach us, it's that framing the right product questions takes technical knowledge. When a vendor touts a product feature, whether it's machine learning or application-layer DDoS mitigation, CISOs must know enough about the underlying technical nuances to fact-check vendor claims.
Even CISOs from a technical background can't have all this knowledge at their fingertips. It takes a well-informed team to help frame the conversation. When you're sorting reality from hyperbole, preparation is key.
CT Cisco recently introduced SecureX, its cloud-native integrated security platform. It unifies visibility, enables automation, and strengthens security across network, endpoints, cloud, and applications--all without replacing an organizations current security infrastructure or layering on new technology.
This post was created by Insider Studios with Cisco.