SentinelOne recently hosted a “Meet the client workshop” with security and marketing professionals, giving them a rare opportunity to speak with a security executive in a “safe” environment. Our guest for the day was Les Correia, Director – Global Information Security – Architecture, Engineering and Operations at Estee Lauder. Les has a long and distinguished career in IT and security, and he shared with the forum some of his professional insights on security product acquisition.
Les noted that the executive view of security is changing. Board members and executives are more involved than ever, and the CISO role has become a tricky business position, with competing priorities – such as risk versus availability – and guiding principles dictating many of a CISO’s decisions. CISO turnover is also very rapid, so security executives must take great care to record their decision process in order to justify it if things go south.
Les reiterated the lack of skilled manpower to staff all the security engineering, security operations, new product evaluation, and threat and risk management roles. This creates massive workloads for personnel and leaves only limited bandwidth for dealing with current and new technologies.
Les noted the current trend of quickly migrating every possible technology and function to the cloud, whether applications, storage, or entire data centers. This rapid push calls for better controls to manage risk, both on premises and in the cloud. A global, distributed organization must also support a large workforce spread across numerous locations, which brings identity, privacy, segmentation and other management technologies to the forefront. Les also noted that the risk from unaccounted-for IoT devices continues to be a real concern.
When considering new products, security personnel must first look at how the product contributes to the improvement of overall security or reduction of risk. Other considerations include ease of use, vendor roadmap alignment, interoperability and integration with existing products, automation, and financial drivers. A new security product must not, in any way, interfere with operations or revenue generation of the business.
The key is consistency and professionalism throughout the buying cycle. From the first approach through the demo, PoC (Proof of Concept) and deployment, responsiveness is highly regarded. Every stage of the sales cycle should deliver a positive experience that moves the process forward. A good initial demo is key to progressing to a full-on PoC.
Les defines his process as one that starts with identifying needs, defining the business case, then securing the budget. The next stage involves scoping the market for solutions, and reading market reports, sometimes just to draw up a shortlist from the multitude of solutions on the market. From the shortlist, the next stage is to try and define what criteria a demo or PoC must meet in order to be considered successful.
Consulting with peers and considering references like Gartner Peer Reviews can help narrow the shortlist down to the final contenders before a PoC and reaching a go/no-go decision on a particular solution.
As for the PoC process itself, it must be well defined with realistic KPIs and requirements on both ends. No enterprise will allow full security testing on a real network or endpoint, so we need to figure out how to demonstrate the effectiveness of the technology in a lab environment. That means using real malware along with compatibility testing in a pilot production environment.
It is actually better to test in an isolated environment using identical hardware models and software versions. Any divergence between the test environment and the production environment invites false positives and screw-ups when you later roll the product out to the client, and that kind of result can stay in the collective memory and taint the vendor’s reputation for years to come.
Tests don’t have to be perfect, but the responsiveness of the PoC team does. Responsiveness shows the vendor’s commitment and professionalism. Clients will run the same test scenarios against all vendors and will quantify and compare the results, but often the differences are not huge and the decision comes down to which vendor offers better service or responsiveness.
Remember that the PoC is not a full-time job, so the PoC will take time to complete as the people running it are simultaneously busy with their daily chores. Les advises security vendors not to ignore documentation. It’s critical to show the technical depth of the product, and good documentation eases the burden on busy IT and security professionals dealing with your product.
Another driver is of course cost. Some excellent products will cost too much over time, and hence will be passed over for a less capable product with better ROI. One should continue to explore products that lessen the load by combining features that enable consolidation. Even a fantastic product is not enough on its own – it has to fit the organization’s budget and needs, and it has to be compatible with other systems in the organization.
Les has formulated a well-defined process of evaluating security products. He has shared his insights in an e-book, which you can download for free here.
Cold calls are the worst. Cold email can work, depending on the executive’s availability and workload. Most executives will visit one of the large industry shows for insights – e.g. Black Hat or RSA – as well as some of the smaller cons.
Aggressive marketing is a turn-off, and so is badmouthing the competition. Similarly, don’t oversell your product. Don’t promise to solve ALL of the customer’s cyber problems. Focus on tangible benefits and provide a roadmap that covers future needs and improvements.
We are grateful to Les for sharing his experience and all the participants for their contributions. The meetup was a rare opportunity to bring together two distinct populations: security practitioners and the people who market to them and try to sell them security products. We believe that such open, transparent and honest dialogue is crucial in improving the relationships between vendors and clients and, ultimately, will help us all deliver better security.