I really didn’t expect to write this article, but then it occurred to me that sometimes it’s a useful exercise to sense-check the naïve basics of a thing to make sure that one’s accumulated knowledge and experience haven’t subverted those fundamentals. With that in mind I’ve jotted down some of those basics, recognising that many will read this and hopefully learn nothing new per se. But I do hope that the reader takes away a “refreshed dose of cynicism” when it comes to the cyber-security marketplace, and a reminder that some vendors are out there to make the online world safer for your business to be more successful.
So, how do you choose a vendor for a cross-domain security solution?
Well, the first step is probably to make sure that you understand what cross-domain means to you, the nature of the security that you want to achieve, and the business enablement that you’re seeking to deliver. Then make sure that this can be well articulated: if you can’t ask for what you want, then the likelihood of getting a good result is limited.
If you’re in the market for a cross-domain solution, then it’s fair to assume that you already understand the failings of the ‘detect and defend’ model and have elected to mitigate and manage risk by segmenting your estate into several domains. But adopting such a defensive stance incurs a cost – and you’re now busy trying to stitch together the necessary web of supporting workflows across those segments/domains.
After that, the next step is a bit of a bi-directional activity – talking to potential vendors to make sure that they understand your needs and that you understand how they intend to meet them. The cyber security space is full of folks selling hammers who see every opportunity as a nail. This is especially difficult in the cross-domain space where there is still a predilection to offer a custom-built “$7,000 hammer”.
In order to avoid such a hammer, or indeed any other flavour of cyber-snake oil, the vendor conversation needs to be open and honest. Being a bit of a cynic helps. Experience from all walks of life teaches us that you can’t trust the salesman; cybersecurity is the same, and then some.
There are several key questions for that conversation:
• In house security testing – this can be difficult, especially for individual companies or organisations. Finding previously unknown vulnerabilities in products is expensive and usually not affordable at the level of an individual buyer.
• Security analysis – this is also a challenge. Ensuring that you have the skills and resources to carry out a meaningful analysis of a range of cyber-security technologies is a big ask. That aside, is the vendor willing to share detailed design, development, testing and release information to maximise the likelihood of a meaningful test? Will they tell you exactly how their product works, and indeed whether there are residual risks?
• Third party evaluations – National security organizations such as GCHQ and NSA do conduct detailed security analysis of products, and if they have devoted time to assessing the products on your shortlist, it may be possible to get information from those organizations in order to back up vendor claims. In some cases, however, there may be issues around secrecy and trust that work against this approach.
• Warranties for security – Historically, security vendors have not provided commercial warranties for their security claims, but if buyers were to ask for them, it could help to distinguish those vendors who have real confidence in their claims from those who do not.
So, you’ve understood your business challenge, you’ve successfully filtered the vendors down to a short list based on good communication, and now the final step in selecting a cross-domain security vendor is to ensure that they understand your wider goals and are going to stay with you on the journey.
Buying any cross-domain solution can be a transactional process, but such an approach is unlikely to identify or add any further benefit. In the fast-moving, digitally transforming world of business, establishing a collaborative partnership with vendors who seek to understand your business drivers and help draw out use cases for how to do things differently is a better route to long-term success.
Cross-domain security technology, as I said at the outset, is about security, but also about business enablement. Choosing a vendor should be about more than incurring an infrastructure cost; it should be about looking for a partner to help deliver better outcomes in the most secure way possible.