I have watched as the vernacular in cybersecurity normalized, abused, and over-used the term “best” in my career. Best is a very subjective term in cybersecurity. Best for whom, for what risk tolerance level, or for what threat profile? When looking at security products and technologies, the same “of what does ‘Best’ consist?” can be said. Features and benefits outlined in the sales cycle may taunt one into believing one technology is superior. When it is all examined with clarity of expectations for a specific organization, a deduction may become apparent that “Best for some may not be Best for the application at hand.”
It reminds me of an analogy my friend and colleague made. When the VCR was building in popularity, features like multiple timer events could be programmed through a menu interface displayed on the playback TV screen (“on-screen display” or OSD). This feature allowed several programs to record at different times without further user intervention and became a central selling point. But, sadly, for those who paid dearly for these enhanced features, the reality was that most consumers only used “play,” Fast Forward,” “Stop,” and “Rewind.”
This phenomenon can happen to any organization sans a formal Proof of Concept (POC) product selection process. This repeatable and customizable process will first document the expectations of the organization. Questions like “what challenge will this technology or tool solve?” and “what are the threat vectors, threat profiles, and typical methods of exploitation this technology or tool will need to address?” This shortlist of questions is, by no means, an exhaustive list. The initial questions should frame and define the custom scope and expectations for the applicability or organizational nuances.
In my experience, I see many organizations put “technical blinders” on during their POC efforts. They look at the technical superiority or ease of the technical aspect of deployment. This technological focus is less than half the story. The “operational sustainability” quotient, frequently, is overlooked. Items like current staffing levels, current staffing training or expertise, Upkeep or maintenance, Operational configuration, Features that are being considered that may require a cultural adaptation, are there any HR or Legal concerns to a new capability? These and other organizational specific challenges need to be weighed and measured.
Once the comprehensive criterion is established and weighting is applied appropriately, the “cream of the crop” will naturally rise to the top. CISOs will want to consider leaving some scoring leeway to account for business-related differentiators such as “how easy with whom to work is the supplier?” or, of course, the almighty pricing (and negotiation experience).