How to select an enterprise security vendor

Edward Liebig, global head of Security Services Delivery at Unisys Security Solutions, shares tips on selecting an enterprise security vendor.

Security vendors are cropping up left and right. They all seem to have the “better mousetrap” or the “most comprehensive process.” Organizations are sometimes dazzled by security jargon such as “threat vectors,” “kill chains,” and “advanced persistent threats,” while their real challenges and needs remain obscured. When choosing a security vendor, there are a few things to keep in mind, not only from the vendor’s standpoint but, sometimes even more importantly, from within your own organization. The suggestions presented here will better prepare your organization to select a vendor that fits its operational, cultural, and business requirements.

Know where you are

By now, every organization has invested some amount of time and effort in building or sourcing security technology and expertise. Knowing how well your organization “does security” today is the first step in figuring out what you need from a third party. The ability to measure the security program is a key skill for maintaining continuous process improvement and for quantifying the value of investment in the overall program. Most organizations seek outside help for this step, either to avoid tying up staff or to bring in subject matter experts. To preserve the knowledge gained during the assessment, pick a firm that will not face a conflict of interest once the assessment is finished; if conflicts of interest are avoided up front, the assessment work can flow seamlessly into remediation and further implementation of controls.

Know where you wish to be

Plant the flag of risk tolerance. This is not an easy exercise for many organizations. Security can be as tight or as loose as the organization is willing to tolerate, but recognize that the stronger the security, the higher the price tag.

Know your corporate culture, strengths, and limitations

Some organizations can turn on a dime and reinvent themselves almost effortlessly, while others are very set in their ways. Resistance to, or acceptance of, change is a critical differentiator in the success of a security program. Knowing when to take the bull by the horns and when to simply say “I don’t know” can be challenging for some organizational structures. Know when to ask for help.

Prioritize, rank, and weigh the areas of security for which you would most like assistance

Once you have analyzed the current and desired future state of security in your organization, identifying the gaps in capability and mapping remediation efforts to them becomes more intuitive. This also gives you the opportunity to prioritize, rank, and weigh the areas that matter most to organizational success, which is what a vendor short list should be built around.

Look for vendors that can help guide the security program “end-to-end”

Once the organizational needs have been mapped, start looking at vendors that can address the main direction of the program, but be mindful of each vendor’s ability to integrate its services into the organization’s overall security program. Look for vendors that are prepared to supply expertise and assist in areas of security that may be outside their core business. Service offerings interrelate with other areas of the overall security posture, and you need vendors that are prepared to understand and make the most of those relationships.

Look for vendors that know their strengths and limitations

Many companies try to be all things to all clients. Gravitate toward companies that know their strengths and understand their limitations. The best consultants are the ones that recognize when they may not be the best choice for the job and will help you source the right ones. This kind of candor is what makes a consultant not just a vendor but a trusted advisor.

Seek a trusted advisor

Look for companies that take a holistic approach to security, follow industry-driven security frameworks, and recommend solutions tailored to your organization’s needs and capabilities. Your vendor should understand the challenges of driving change while balancing staff utilization and skill sets against daily operations, and still move the initiatives forward. Partner with a trusted advisor that can help with more than just technology or security-specific tasks; they should be able to help with the “business” of security. A true trusted advisor can help with business justification, return-on-investment and value-of-investment presentations to the board, quarterly and yearly budget requests, tracking burn rates, and quantifying and benchmarking security improvements.

Look for vendors that understand your business

Security is important to all companies; what varies is the industry vertical and the nature of the business. Driving is a common skill, yet driving a race car is different from driving a taxi. Each has unique challenges, and the same is true for security. A chemical company has different influences, risks, and consequences to consider than a financial services company. Neither security program is more or less risky or complex; they are simply different. Choosing a trusted advisor that understands your industry vertical and business focus will greatly increase the applicability, and ultimately the success, of its recommendations.

Pick a vendor that can customize solutions

Not everyone is starting with a “green field” environment. Often, software licenses have already been purchased and processes built around them. Choose a vendor that is willing and able to customize a solution that incorporates these sunk costs (whether capital or effort). Shy away from vendors that offer only one flavor of a solution, or that expect your organization to limit itself to whatever they offer as standard. Keep in mind that shared (leveraged) solutions can carry an attractive price point in terms of overall bill and burn rate, but there may be redundancy and additional costs associated with changing software and processes to fit them.

Open the playing field to a reasonable (manageable) number of short list vendors

Some organizations become mired in analysis paralysis by opening up too large a field for Request for Proposal (RFP) responses. Depending on the review staff available, keep the number of respondents proportionate to your organization’s ability not just to review, but to truly absorb, compare, and contrast the proposals.

A typical selection funnel might look like the following:

1. Request for Information (RFI): sent to 12 respondents.
2. Request for Proposal (RFP): sent to the top 6 from the RFI short list.
3. Orals (onsite or virtual presentation): invitations sent to the top 3 from the RFP short list.

By Edward Liebig, global head of Security Services Delivery at Unisys Security Solutions