CISOs, LOOK BEFORE YOU BOOK! A CISO GUIDE TO PROCURING SECURITY PRODUCTS AND SERVICES
Today the risk that third-party vendors or products bring into your organization is on the rise. According to recent surveys, more than 45% of products and services do not undergo a thorough risk assessment prior to procurement.
As CISO you have been bestowed with the responsibility of procuring the right security products or services for your organization. With a torrent of technology products and a slew of vendors and services to choose from, the process often descends into pandemonium. Buying a product or solution today is in reality akin to haggling in a fish market. There is no silver bullet for buying the right cyber product or service; however, the pointers below will help you make the right choice and take the right decision.
1. Align it to organizational objectives – The product finally chosen and procured should align with the overall business objectives of the organization. Cyber security products should have longevity and should be scalable and interoperable while bringing more value and return on investment to the organization.
2. Vendor Review and Comparison – Evaluating your needs and doing research before making the final choice is prudent. Peer review is a lucrative way of reviewing a product and will give you more real and honest feedback on it. In addition, online services companies such as FireCompass can assist with comparing products online. They analyse the products and give a more granular review of each one, combined with more legitimate user reviews.
3. Vendor Due Diligence – How often do you end up reviewing a fancy presentation with fluffy talk from the sales team? Behind the flashy presentation there could be ostentatious trappings. Hence, before zeroing in on vendors, thorough vendor due diligence should be performed. The reputation of the third party should be validated and independently reviewed. For all critical vendors a thorough onsite assessment should also be carried out, and the vendors' score cards should be reviewed and validated through various market sources. According to Mr. Ganesh Viswanathan, SVP – Cyber Security & Privacy, Quatrro: “The cyber risk has to be evaluated from the start. Due diligence of new suppliers should be done and regular audits conducted as part of supplier quality assurance. Cyber procurement should be linked to the organizational priorities and align with the purpose.”
4. Air-Tight Contract – A lengthy sheaf of contract pages scares most of us, which tempts us to perfunctorily turn to the last page and sign. However, before the ink touches the paper, we must ensure that the contract is meticulously reviewed for hidden caveats. NDA and basic hygiene terms should be clearly articulated in the contract. SLAs should be mutually agreed with the vendor, and penalty clauses should also find a place in the contract to keep vendors on their toes.
5. Integration – With the infusion of cloud and mobility platforms, product integration is all the more complex. Comprehensive integration and interoperability testing should be carried out before stitching the product into your ecosystem. For example, you may need to see your log data alongside your anti-virus report data. If these systems can’t "talk" to each other, your ability to gain valuable insight into your company’s operations is compromised. Systems should have open APIs and should integrate seamlessly with all other products.
Testing – Products may not behave the same as they did in the board room during the sales presentation. Therefore it is important to carry out a POC and subsequent user testing of the product or service along with all its features. Component testing of the product should also be performed diligently. Ganesh Viswanathan further states that “The recent “A Monitor Darkly” attack involving Dell monitors, where the display controllers are exploited to manipulate and snoop on the screen content, is a manifestation of a compromised supply chain.” Such a backdoor built into the hardware is inserted through components or sub-components that surreptitiously make their way from lower tiers into the critical elements. You may need cross-eyes to identify, among the sea of features, those you’ll need for your business. It is productive to determine all your needs first. For large-scale deployment it is advisable to take a phase-wise approach.
6. Training and Delivery – “Good product training helps companies increase revenues by at least 69%.” – a study conducted by Experticity. Enterprise software and solutions are often complex and intricate, with many touch points. A formal training plan can have a lasting impact, solve teething issues and bring long-term benefits. It is always advisable to check the talent and competency available in the market, i.e. the skill sets needed to use and operate the products.