People, process and technology. To secure your organization you need all three. But most organizations spend about 70% of their overall security spend on 'stuff' and many get a poor return on that investment. A few tips to consider:
Are you using the stuff you already have to maximum benefit?
Very often people will buy a technology and only use 20% of the capabilities. They've bought a multi-purpose tool to solve a specific single-purpose problem, and the other features sit idle. Most security vendors these days are trying to solve a broader set of problems, and often have unsung features in their products that could be providing real security benefit.
A good example of this is DLP. Most email, web and even firewall solutions ship with DLP capabilities today, but less than 10% of organizations use them even in detection/logging mode. Instead, they embark on multi-year journeys through the DLP wilderness without taking advantage of the technology right under their nose.
Are you considering operational and sustainment costs when buying technology?
The biggest failing of most security projects is buying a technology without fully factoring in what it costs to operate it (people or services) and sustain it beyond the vendor maintenance contract. Sustainment includes 5-7 year hardware refreshes (if acquiring physical appliances), ongoing license renewals, and annual training for the team on major new releases (if you want to take advantage of new features, the team needs to know how to use them).
Have you built in scaling?
Self-explanatory, really, but a lot of money is wasted when organizations misjudge how fast their needs will grow relative to the lifespan of the technology they are buying.
Are you considering re-use or other projects that can benefit from the same purchase?
Very often security technology decisions are made in isolated silos by individual teams across an organization, each unable to see that sharing resources would save everyone money. One way to address this is to put a security check at an early gate in your IT project process, and to route that check through someone (a security architect) who has purview across the organization and can therefore spot opportunities to share resources and infrastructure.
Are you buying technology X because Bob likes sales person Y?
Very often people and personalities come into play when making buying decisions. It's hard to avoid: sales people calling you up for lunch, a vendor's marketing materials flitting across your screen in banner ads every 15 minutes because you visited their website once. If you're looking at acquiring new technology, or even considering replacing existing technology, it is important to (a) write down a broad, weighted list of business and technical requirements, and (b) look further afield than one or two vendors or the Gartner Magic Quadrant when evaluating technology.
It doesn't really take much more time (a seasoned professional should be able to put together a grid and conduct a professional evaluation in less than 40 hours of work) and it helps ensure you get a much better solution for your organization. Here are some things to consider for your next checklist:
- What's their roadmap?
- If you need to scale, is it a forklift replacement or just an additional license?
- What auxiliary features could you be taking advantage of?
- Can you start small and expand based on business benefit?
- What's their track record of success on projects like yours?
- How much effort does it take to operate and sustain the solution? How big of a team would they recommend to get the most benefit out of your investment?
My favourite technique is to ask the Sales Engineers of the various vendors to help build my grid. Once I've talked to 4 or 5 of them for an hour each, it really helps me understand the product space and where common gaps or problems may arise.
Don't let 70%+ of your IT security spend underserve you. If you'd like help with a technology evaluation, please contact us today.