Navigating the cybersecurity vendor landscape: How to ask the right questions – SC Media

The cybersecurity vendor landscape has become more confusing than ever.  

Driving this complexity? Every solution provider feels forced to co-opt trending terms to improve their SEO rankings, analyst coverage, and likelihood of fitting into enterprise cybersecurity budgets. 

But, as a buyer, asking the right questions can disambiguate the cybersecurity vendor landscape. I’ll explore how you can do just that in this post. 

In part one of this two-part blog series, I highlighted three tips for buyers navigating the cybersecurity vendor landscape. In part two, I’ll explore how asking the right questions can help. 

Questions to Ask 

First things first: figure out where your organization stands from a capabilities perspective. Learn what you have, focus on building a solid foundation for your security program, and quantify your budget.  

Once you do that, it’s time to start asking vendors and prospective vendors questions to clarify what they’re selling and differentiate them from other products and product categories. 

  1. What Does Your Product Do? 

If your vendor speaks purely in business outcomes or industry jargon (e.g., "We stop attacks before they become breaches" or "We protect your applications from software vulnerabilities"), you’ll never truly understand what they do.

Similarly, if they try to fit into too many categories, you’ll never get to the heart of what the product actually does technologically. No tool is a next-gen, AI-powered, Zero Trust-compliant, automated detection engine for anomalous behavior across the seven layers of the OSI model. 

Insist on a simple explanation — devoid of buzzwords — that clearly states the intended outcome. For instance, at Axonius, we tell prospects that our platform: 

  • Provides a comprehensive and up-to-date asset inventory 
  • Surfaces coverage gaps and validates security controls 
  • Automates enforcement actions  

Don’t settle for "We prevent breaches." Instead, look for salespeople who detail specifics and quantify risk. For example:

  • Our passwordless solution eliminates passwords — one of the largest attack vectors — to decrease the likelihood of unauthorized system access.  
  • Our platform monitors DNS traffic to identify known-bad domains and prevents users from connecting to malicious or compromised hosts. 
  • Our endpoint agent can be installed on every device connecting to your network. The agent checks the device’s security hygiene before every connection attempt and approves or blocks access depending on its security state. 

A universal rule to go by: The less hyperbole, the easier it will be to assess a product’s impact. 

  2. How Is Your Product Deployed?

Also ask questions like: Where is it deployed? How long will it take to deploy? How are system updates handled? 

Find a product that fits your specific needs, depending on your organization’s architecture, risk tolerance, and in-house capabilities. A product doesn’t need to be SaaS or cloud-native or any other feature if that’s not what you — the customer — need. It may be de rigueur to say or even build certain things, but it’s you and your organization that need the product to fit your environment. 

Further, try to talk to a current customer to learn about their actual deployment. Every vendor will promise deployment in hours or days when many will actually take weeks or months — which impacts your bottom line and ability to control risk. 

  3. How Will Your Platform/Product Improve My Security Posture?

Again, don’t settle for an answer like "We prevent breaches." Solid products allow for measurement and benchmarking. Many vendors today will show you how they map to the NIST Cybersecurity Framework, CIS Controls, or MITRE ATT&CK, which will help your organization prioritize protection and detection against the full spectrum of attacks.

Make sure the vendor demonstrates their reporting functionality in full, and ensure you can customize reports to your business needs.  

There are many more important vendor evaluation questions, including the security of their platform’s architecture and their customer support model. But first things first: what does it do, and how will it help you? Relying on marketing speak to protect your company from cyber compromise isn’t a sound strategy.

It may take a little patience and persistence on your part to wade through what sales and marketing teams are conditioned to do — be buzzword-friendly. But the good vendor reps out there will get you the answers you need to make an informed decision. 

Interested in learning how Axonius can help solve your asset management challenges? Schedule a demo.  

By Katie Teitler  

Source: https://www.scmagazine.com/native/asset-management/navigating-the-cybersecurity-vendor-landscape-how-to-ask-the-right-questions