Once you’ve assessed your needs, look past the glossy sales material and slick user interfaces to understand how well the security solutions you’re being pitched will work in the long term. Focus on gritty practical issues such as:

• Total cost of ownership: Given the size and skills of your staff, will you need to hire new staff (or expensive consultants) to deploy the tool and effectively use it every day? How much training will your staff need to understand the alerts and logs the tool generates? Is it so overloaded with bells, whistles, and options it’s hard to find the real security threats, or so dumbed down it doesn’t provide the depth of analysis you need.
• Interoperability: Does the solution provide out of the box connectors that lets it share data with your current security tools? If it provides an application programming interface (API) for such connectivity, how well documented and easy is it to use? How easy, or difficult, is it to reformat the alerts and logs the tool generates into the dashboard or analytics the rest of your security staff uses?
• Long-term gain: How much work will it take to reconfigure the solution if, for example, you move more applications to the cloud, need to secure data from the Internet of Things (IoT), or if your current security expert moves on? Does the vendor have a road map that will let you automate more low-level security functions, so your staff can focus on more strategic threats?
• Necessity for the tool: Step back and calculate the total cost and effort required to choose, deploy, and manage any security tool and whether your staff’s time could be better spent on more strategic work. Evaluate, with the help of a trusted adviser, whether it might be more cost-effective (and provide better security) to let a security-as-a-service provider handle this work for you.
• The vendor’s threat research capability: Any security solution can only protect you against the threats it knows about. With new threats emerging daily or even hourly, a vendor needs a robust threat research capability, and ideally combines that data with updates on new threats from other vendors. Ask about the amount and type of threat data the vendor sees, how they share it, and how they use that knowledge to improve their products or services.

Trust, But Verify

You’re buying security software because there are some unsavory actors out there. Unfortunately, you also need to watch out for possibly sketchy behavior from security vendors and even some of your own staff.

Complimentary Download: Navigating the Cybersecurity Ecosystem

As you talk to vendors, beware of any who recommend one-size-fits-all solutions without doing an in-depth assessment of your needs (or at least examining your own.) As you hear recommendations from your own staff, remember that some may fall in love with features like a slick interface they may not use that often, while ignoring more business-critical security features. You also, unfortunately, need to watch out for staff members that recommend you buy a tool they know to assure their job security or a bigger raise.

Finally, don’t forget the old-fashioned, common-sense due diligence checking of references, both online and directly with customers. But be careful of anecdotal references from companies whose needs might be very different from yours. Again, keep your up-front assessment in mind at each step of the product appraisal process.

If you’re feeling like all this security self-assessment and solution evaluation could get in the way of your day job, we hear you. In our third and final post, we give a quick overview of how to choose a trusted partner to take some of this work off your plate. Or click here to get out full guide to Navigating the Cybersecurity Ecosystem.

• cybersecurity, 
• security