Cybersecurity: it’s all about criteria


What matters, especially when buying a home, is location, location, location. But what about when it comes to buying a cybersecurity product for a business? What matters then are the product evaluation criteria. But what are they? Here are the top 5 recommendations for establishing the list of criteria a cybersecurity solution must meet before it is chosen.

1. Know the people involved

While this is obvious in any project, it is perhaps two or three times more important in the context of cybersecurity projects. Of course, cybersecurity is everyone’s business, so everyone who works in the company is concerned. Any change in cybersecurity processes also risks impacting the supply chain.

For a project to succeed, it is not reasonable to expect to actively mobilize the entire workforce, but it is still possible to identify individuals who will represent the groups present in the company. These designated representatives must be involved in the project as early as possible and contribute to meeting the objectives set.

2. Focus on the problem

No one starts a project without a problem to solve. Often the trigger is the result of an audit, but it’s more of a catalyst than the real cause. The audit reveals the existence of a problem. The task is then to understand how solving the problem will benefit the company, beyond the conclusion of the audit. It is necessary to step back, and it is intimate knowledge of the company that makes it possible to identify the true problem. Once this is done, it is possible to define the criteria for selecting the solution. It is also necessary to stay focused on solving the problem, without drifting so far from the objectives as to get lost.

Audits often reveal that the company has insufficient control over the use of privileged accounts. This is a widely shared finding and is usually due to too many people with uncontrolled access to privileged accounts and an overly complex security model. Indeed, too many superuser accounts make the security model significantly more complex. Not only is it necessary to manage the lifecycle of these accounts and monitor their activity, but this large number of accounts can affect the reliability of detecting malicious activity. All of this leads to a particularly complex cybersecurity model. Some people need privileges to do their jobs. These needs must therefore be met without further exposing the company to risks.

3. Driving change

In the event of an attack, it is natural to want to find quick solutions. We then spontaneously turn to technology. “There must be a tool or an app for that!” But technology is rarely the only solution. When you change tools, you have to change the process, which means training the teams so that they are as operational as possible.

And to get the most out of a tool, you have to make sure that it is perfectly adapted to the desired changes in the processes. Driving any significant change in a business relies on three elements: people, process and technology. Without all three, the solution will be less effective, with a lower return on investment. In the worst case, the project risks failing and causing even more complications than there were originally.

4. Validate the cybersecurity criteria to be met

It is not uncommon for the person in charge of a project to lack expertise on the problem to be solved. The best way to start is to draw up a list of the criteria expected from the project stakeholders. These lists are then communicated to the project manager who summarizes them and produces a final list of the criteria to be fulfilled. This list may include the following:

  • Suggested functions, including those found in existing technologies
  • The operating or deployment conditions of the solution
  • Conditions that are impossible to meet, expressed in order to make the project fail (some people will express conditions that are impossible or very difficult for the solution to meet, for fear of seeing their work practices change)

It is better to give the interviewees enough time once the project has been presented to them, so that they can digest its possible impact and do not content themselves with copying a list of features from a supplier’s website, especially if they are already familiar with a particular solution. And even if the project manager is knowledgeable about the subject in question, it is better that the project manager is not the one who evaluates the list of criteria: sending all the answers obtained back to the people consulted can allow a better articulation of needs, with key measures of the effectiveness of the solution.

5. Make cybersecurity a central issue

Cybersecurity is no longer an option today. Over the past 5 to 10 years, the media have widely covered the cases of companies that have been victims of cyberattacks. However, it should be remembered that they report only the most sensational and emblematic cases. We are so reliant on the technology we use that business resilience and business continuity are closely tied to keeping systems running. When you look at cybersecurity from this perspective, the security of every system and every project to implement a system is no longer an option, but a top priority.

The question is no longer “how to implement a system and secure it” but “how to guarantee the security of system deployment”. Cybersecurity aspects must be integrated from the outset into all the processes that form the topology of the company. To do this, it is necessary to combine new projects with existing and planned cybersecurity solutions. The company will thus reap more benefits. An environment that is already secure and ready for expansion will facilitate the successful implementation of a new system. Simply approaching each cybersecurity project as part of an evolving whole will increase the added value of each one and make operations run more smoothly as a result. Any solution implemented must run perfectly in the environment and, in doing so, be an integral part of the business process at stake. The more the solutions make professionals as productive, if not more so, in their roles, the more they will become promoters of cybersecurity assets.




