If you didn’t know, I spent 6 months of my career being a security team of one. Yep, sure did. Is it as stressful as it sounds? Absolutely. My saving grace was having a security minded network engineer that loved to extrovert and had already spent some time doing security work before I came on board. He was able to fill me in on the ground work that happened before me, which included vendors that were no-gos and vendors we loved.
Though I didn’t get to officially implement a new solution, I spent a LOT of time talking to vendors over the course of my 6 months at my last job. Why? Well, if I was a security team of one, there were definitely holes that needed to be filled. What do you do when you don’t have the funds to employ your own security team? Outsource a chunk of it, if possible. Of course you also spend a lot of time on user education/cybersecurity awareness, but that’s for another post.
If you, like me, have spent most of your career working with way less authority, you may also, like me, be completely lost when it comes to vendor conversations. Where do you start? How do you start? Do you just Google “what is a security solution for…” and hope for the best?
This post is designed to give you an intro level guide on what to do when you’re trying to mature your company’s security posture without breaking the bank.
First things first, what is important?
Before you even lift a finger to type a single letter into Google, you need to do some recon. This means aligning with leadership and the business to see what is important. Do we have PII we need to secure? Are we more concerned with physical access to data? Is our main concern phishing and email spam?
Knowing what is important to the business will save you LOADS of time and energy, because you will be making educated choices on what you need and what the priority is. There are all types of frameworks out there for security maturity, but they are pretty generic. What you need to do is identify what is important to your employer.
B—, Betta Have My Money!
Yay, the fun part. How much is the business willing to set aside for security solutions this year? Yes, year. I can’t tell you how many times I brought a shiny new quote to my boss and got hit with a “Yeah, no, that’s way too expensive.”
Save yourself the embarrassment and the shame and ask for a budget up front. This also helps weed out a ton of vendors off the bat. When you go into a vendor meeting armed with a non-negotiable number, you save lots of time and effort. For instance, Rapid7 and Splunk are known to be a tad bit pricey, probably because they are catering to large enterprises. If you’ve only got $50k to put towards a SIEM/SOC solution, may as well not meet up with a vendor that has a huge price tag. And no, $50k is not a lot when we are talking Security. Everything can be negotiated…but there are limitations. If a vendor costs $250k for what you need and you only have $15k, you’re going to have a hard time negotiating down that low…unless you are a hypnotist or something.
Prioritize and Strategize
So, after meeting hell, you have identified what is important to the business. Great! Now some of the real work can begin. You need to first translate what they said is important into a security solution. If the complaint is phishing emails, then Email Security and Cybersecurity Awareness are where you should focus your efforts. Have some servers that are top secret? You may want to look into Identity and Access Management. Network constantly being hit with all kinds of filth? Firewalls, antivirus software, network segmentation and least privilege may need to be a thing. Needing more insight and alerting for many machines at once? Can anyone say “SIEM?”
If multiple things are important to your employer, you need to decide what will have the biggest impact on the business should the solutions fail. Having issues with fast clicking on emails? Firewall super weak? Tons of computer malware needing cleaning all the time? Whatever the pain point is and whatever causes the biggest impact on the business should be considered first. So spend some time doing some major recon on the org and how it runs.
Once you have landed on what comes first, it’s time to do some homework. Here are some steps I took to determine what vendors I should look into and which ones I should leave alone:
- I asked my network. I asked the many group chats I am a part of, my friends, my former coworkers, Twitter, etc. Nothing beats a referral from someone you know and respect. And let’s be clear, vendors are here to sell you something. They often have honey on their tongue and a budget for wowing customers to back it up. Talk to who you know for suggestions first before you get swept away with vendor dinners and happy hours.
- I worked my Google-fu. I simply typed in what I needed and looked through all of the solutions mentioned, bookmarking reviews as I went on.
- I pulled from memory. Reaching back into the crevice of my own mind, I thought of all of the vendors I had seen used in previous work places, even though I wasn’t the one to manage them. Definitely doesn’t hurt.
Once you have a solid list of vendors, you can start calling them for quotes. Of course, respect any policies you have, including making sure NDAs are signed before giving away specific information about the network. Most of the time, you can get away with talking in hypotheticals. They will ask you to meet so they can show you all the fancy bells and whistles and maybe take you to a nice restaurant. Ethically, there is much debate on whether or not you should be doing that before landing on a vendor. I leave that up to your own moral compass.
In the next part of this post, I will discuss demos, POCs, agreements and everything else.