It's spending season for many organizations and that means it's time to unload some of your IT budget on network
security products. Maybe it's time to replace that outdated intrusion detection system (IDS), upgrade to a full-blown patch management system or implement a configuration management solution to help you with your compliance initiatives.
Don't go into this unarmed, though. The marketing fluff and sales speak is easy to fall for and there's too much money and skin to lose in the process. Once you develop your requirements (a critical step that's often overlooked), it's time to start compiling some key questions to ask prospective vendors. I'm not talking about technical questions about bytes and encryption strength – most vendors can handle the technical aspects of what needs to be done. Instead, I'm referring to operational and administrative questions that will help you determine if the vendor's solutions will fill your business needs (where it really counts) and keep you from pulling your hair out in the process.
Here are some questions to ask prospective network security vendors. You may make them squirm and stumble a bit when you put them on the spot, but asking the hard questions is the only way to find a good technology fit and to protect your organization from making bad spending decisions.
- How is your product going to save me effort and money? You should expect to hear things like: It can automate repeatable processes, reduce false positives and drive costs out of compliance by providing real-time audit reports.
- How do you know this is good for my environment? This is where they need to be asking you the questions -- and lots of them -- to figure out exactly what your requirements are and what your business and technology environments are like.
- How do you know your software is secure and that it won't introduce vulnerabilities into my network? Many people don't think about this, but when you're going to be installing something on the network perimeter, or worse, on every computer, there's undoubtedly going to be new points of entry and attack surfaces. Expect to hear things like: We perform source code analysis; we've had our software independently tested against the OWASP Top Ten (less than ideal but better than nothing); or we have a dedicated testing team that releases fixes at X intervals.
- What regulations is your product going to help me comply with? You should expect to see sample policies, rulesets and other features pre-packaged for various privacy and security regulations. However, if they say you'll be compliant with X, Y, or Z regulations by using it, run the other way. Compliance doesn't come in a box.
- How are you guys doing it differently? You don't necessarily want to go with a me-too technology, but, then again, very few things are innovative these days. Still, find out why their product is better suited for your environment. You can expect to hear things like: We focus on Windows and nothing else; this application is our forte and we tailor to businesses your size. You may also want to ask if a third party has analyzed what they're offering. This isn't a requirement but it does demonstrate that they're interested in getting unbiased feedback and positioning to make their product better.
- When can I get a trial version? Sounds elementary, but I'm hearing stories and have been experiencing it directly myself with vendors saying they don't have a full-fledged trial to run. Or, if they do, it's a Flash movie or WebEx-based demo. That isn't going to cut it either. You may also sense pushback because they don't trust you enough to try out their product for fear that you'll use it and never buy it. I say that's crazy. If you're going to spend that much money on their product, the least they can do is let you see what the product is going to do in your environment. This will highlight any nuances and bugs and will also help you determine how much expertise and effort it will take to use it once the vendor's pre-sales engineer is gone.
- Can you give me reference accounts in my industry? This is not a must, but it'll certainly help to talk to someone else that has needs and pains similar to yours to see how the product is working for them and if they recommend it.
It's important to remember that your vendors' responses will vary depending on the type of technology you're considering and the type of industry you're in. If you've found one or more vendors whose answers sound reasonable and you have a good gut feeling about them, it's almost time to take the plunge. But, there's one more thing left to do. You've got to make sure you and your business are ready to move forward with your purchase by ensuring a good foundation is in place.
I've outlined 10 reasons not to buy information security products here. These 10 reasons are just as important for making a good purchase as the answers you receive from your vendors on the questions above.
If you do your homework up front and ask the right questions but still end up making a bad purchase because of something that wasn't revealed during the pre-sales or trial process, at least you'll know you did what's right. Odds are that you'll make much more informed business decisions and buy prudently for a good long-term solution.
About the author: Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well asThe Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels audiobook series. You can reach Kevin at firstname.lastname@example.org>.