It’s increasingly difficult and more complex to be an effective buyer of security products today. Messaging and content overlaps are everywhere, cloud platforms claim to do what endpoint solutions do, and all the while products are constantly pivoting in the middle of operation - often changing their identity and main purpose. At the same time, enterprise and personal priorities change, vendor awards are presented to whoever pays more, analysts are not always aligned, and the list goes on.
As a result of a chaotic security landscape, confusion among buyers and sellers is common. The buyer wants to make a good decision that will fit the business and their own personal goals, and the seller wants a happy customer who will return for more. The way I see it, in a productive buying process, the seller and buyer are aligned and mutually benefit. As a customer, I believe that it is important to have a process in place and prepare extensively for each buying cycle. Having a clear buying framework and understanding how the seller operates - and the stages and players in the sales process - means buying an effective solution and structuring it in a way that will allow your enterprise to perform at its peak potential.
Based on my observations throughout the years as both a buyer and as a seller, here are key takeaways for cybersecurity buyers:
- Identify your pain points. Plan. Make sure you can articulate problems in your own words. For example, if I know that I lack visibility across identities in my corporate network, then I should be able to clearly articulate the problem. It may sound something like: “My visibility into what users are doing inside the network is incomplete, and no one can tell me with certainty today what their actual role in the network is.” This situation is as painful as it is common, as it not only overloads security operations but also puts the entire enterprise at risk. Remember your internal stakeholders! This includes IT, operations and the employees affected by the changes you’re looking to make. Once you’ve identified these critical pain points, you own them. Not the seller.
- Describe your desired goals. Where would you like your business to be after making the investment? How does this fit into your personal goals? When defining a successful business outcome, remember to be realistic. For example, one aim might be ‘Control the cost of SOC and reduce the risk of having employees’ identities compromised.’ It is important to make this effort because only after you identify and document your goals (digitally or by hand) can you actually gain perspective throughout the buying and research process and judge whether they are realistic.
- Make a note of capabilities while evangelizing. Simply create a list of functions which you believe will help you solve this problem. For example, you may start with: “I need visibility of all users, privileged or not, and access patterns and accounts in all locations.” You might add: “This solution will also need to preemptively block threats, and I want threats to be auto-resolved so the team’s load is reduced without adding more personnel.” It is critical that you use your own words here - while the seller may be educational, you must define your priorities, not them. Unlike your pain points and priorities, which you alone set and own, here the seller might be able to introduce new ideas. The buying process can be tough. Be ready to evangelize internally, keep both feet on the ground and remember the data must be reliable, so gather proof points for it. These might include formal and informal reference checks on the vendor.
- Define measurements for success when you choose to buy a solution. For example, a metric might be defined as: “Number of incidents that were auto-resolved, challenged, or blocked vs. current status.” Measure security operations employee retention and investment. Remember to take a snapshot of what it is today so you have a solid point of comparison.
- Now listen. By now, most of the heavy lifting on your side should be completed. Congratulations! It is now time for you to sit back, listen, and facilitate the players coming to the table (in many enterprises, this may include stakeholders from IT to operations). You know what you want and you’ve identified what you believe you need; now let them tell you how they solve your problem and how they get you to your desired goals. Be patient, keep your ears and mind open, and ensure concerns are addressed.
- Decide and agree with your seller on the desired business outcome. For example: “I will be able to expand to cloud and maintain the same visibility and user experience.” (See our case study on how Dartmouth added security for cloud applications without causing user disruption.) Remember that your seller is your partner. They need to be there for you along for the ride and make sure the solution is implemented properly and the success criteria are met.
- Build a plan for execution. It is not enough to buy and expect things to sort themselves out; be sure to implement and utilize the product. Make sure you assign a project leader and that the team is aligned and educated about the implementation stage. Remember it should be in the vendor’s interest to escort you through the project, so use their expertise to your advantage.
From identifying the problem and pain points, to reviewing options on the table and taking feedback from stakeholders, this process will help you become a happy customer. Check out a previous blog of mine discussing steps towards a successful Proof Of Concept.