CyberWire Daily - Buying Cyber Security [Special Editions]

Episode Date: December 30, 2016

Every day there seems to be a new security product on the market, with many of them claiming they provide something that you simply can’t live without. Companies appear and disappear, and businesses are faced with difficult, confusing, and often expensive choices. In this CyberWire special edition, we explore how businesses are navigating the process of choosing products and technologies in a crowded marketplace. We talk to some key stakeholders to find out what drives their purchasing decisions, and what they wished their vendors knew before they came knocking on their doors.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Every day there seems to be a new security product on the market, with many of them claiming they provide something that you simply can't live without. Companies appear and disappear, and businesses are faced with difficult, confusing, and often expensive choices. In this CyberWire Special Edition, we explore how businesses are navigating the process of choosing products and technologies in a crowded marketplace.
Starting point is 00:01:04 We talk to some key stakeholders to find out what drives their purchasing decisions and what they wish their vendors knew before they came knocking on their doors. Stay with us. Well, I think that we've seen a lot of change in terms of the process for buying solutions around security. Emily Mossberg is a principal at Deloitte in their cyber risk services practice, and she leads their secure portfolio of offerings. In their role as consultants, her team provides expert advice to their clients on choosing cybersecurity solutions from a variety of vendors. And I think that if you were to look back five to seven years ago, a lot of the focus was on and new ways, really focused on monitoring and getting more intelligent into the organization. And I think that that's still something that's very important is getting more intelligent.
Starting point is 00:02:26 But I think that people are really focused more now on how are all of the different solutions that I have going to fit together? And how am I going to integrate together these solutions to get the most intelligence, the most information, the most value, and the most efficiency for my organization in the whole patchwork of different solutions that I have? So I think that there's just much more of a focus on the way in which solutions will integrate and work together versus just standalone functionality. There has been a shift in the industry from buying devices and boxes, appliances, usually what we call them in cyber, to being able to get software-only virtual types of security services to work on our own infrastructure. That's Michael Singer.
Starting point is 00:03:12 He's executive director for technology security at AT&T, the largest telecommunications company in the world. You face a challenge of what is it that you're trying to solve? And then if there's already someone who has solved that problem, it just doesn't make sense to construct it, to build it, to have the development cycle and to have your people doing it because it's already been solved. That's probably the most important place to start in your process is, you know, what's out there, that awareness that you have. We generally tend to look at the 800-pound gorillas in the market and try to see how
Starting point is 00:03:51 they fit within a firm our size. Vlas Niralakot is the technology manager for Pinnacle Advisory Group, a private wealth management firm with about 50 employees and offices in Maryland and Florida. They're an established, successful small business with substantial cybersecurity needs. Encryption is a pretty big significance in terms of how we are choosing the software that we use. The SEC, the Sarbanes-Oxley, they all have security measures all built in. If you're not adding some of that security pieces, you're out of compliance with the SEC, right? So in terms of how we transmit data between our clients and ourselves,
Starting point is 00:04:28 how we store it on our systems, how people access those systems, and what are the permissions around that, all of that is part of the regulations. One of the things that was important to my role at TSA was for the security posture of the organization. I had the core responsibility for the cybersecurity posture of the organization. That's Dr. Emma Garrison-Alexander. She's currently Vice Dean of Cybersecurity and Information Assurance at University of Maryland University College. And prior to that, she served as Chief Information Officer and Assistant Administrator for Information Technology for the TSA under the Department of Homeland Security.
Starting point is 00:05:08 We used a defense in-depth strategy, so it was not a one-size-fits-all, but there were a multitude of products and services necessary to provide the level of security that would be needed for a federal organization. So we've got a spectrum of perspectives. A small business, a major telecom provider, a large government organization, and a consulting firm that helps connect buyers and sellers. A lot of the decision was around how is the point-to-point encryption, how do they maintain their usernames and passwords,
Starting point is 00:05:42 and how do we transfer that information around. That's Vlas Neralakot from Pinnacle Advisory Group. We wanted to go down the path of choosing a dual authentication system. I had talked to other firms and also a firm that does cybersecurity for RIAs, for independent advisors. I had a conversation with them, and they said, this is the software that we use for our own employees. And so the dual authentication came that way, where we tested them. We had an internal meeting with them where they demoed their system.
Starting point is 00:06:18 They showed us how we can get a good report suite in terms of who's connecting to the system, how are they connecting to it, are they out of compliance, and what are the steps that we can take once if somebody is out of compliance that is using the software, how do we mitigate those risks? That's a pretty common way to get started with any purchasing decision, asking around to people you trust, gathering opinions from colleagues who've already been down the path you're traveling. But for Neralakut, that's just the first step. There's a trust and verify, right? Especially security related.
Starting point is 00:06:52 You want to trust what they're saying, but you also want to really put them to the ringer as much as possible. And so before buying anything, any company should be willing to give you a trial or test out their software to make sure that it is viable and really what you're expecting. I think that doing some level of proof of concept, pilot, bake-off, whatever you might want to call it, I think is exceptionally important. That's Emily Mossberg from Deloitte. Because I do think that there are a lot of small details that often play into how well a solution actually works in an environment. And I think in some cases, you don't really understand some of the complications until you see them up close and personal.
Starting point is 00:07:40 And that can be things like, can the product actually handle the volumes that are going to be created from, you know, maybe it's a log perspective, maybe it's an alert perspective, maybe it's the flow of data and how fast the data is flowing through depending upon the type of solution. And you want to be able to see firsthand, can this solution actually handle the volumes that I have within my organization? Can it handle the speed at which my organization needs to operate? Is it really going to interoperate with whatever it needs to interoperate with the way that it states that it will in the product flicks and the product specifications?
Starting point is 00:08:24 That's the experience they had at Pinnacle Advisory Group. With a security product, they were ready to buy, the one that looked great on paper and in the demo. It sounded great on paper, but when you really put it in, either in production or in a trial period, we realized it wasn't exactly what we wanted, and so we ended up going a different way, especially for the dual authentication pieces.
Starting point is 00:08:46 Mossberg says that kind of outcome isn't that unusual. We've seen clients go into a bake-off type situation thinking there was a very clear leader, a solution they really thought was the one that they were going to go with. Through the course of the actual test cases and the use cases that they need to take that product through, realize that while there are certain components of the functionality of that product that are exactly what they need, some of the ways in which that product operates led them down the path of, we actually need to go another direction here. Since they're in the financial services industry, any product up for consideration at Pinnacle Advisory Group has to satisfy regulators too.
Starting point is 00:09:33 Not only does the SEC come to us and say, you know, what are you doing to protect yourself, but how do you know that the people that you're working with are protected, right? So a company coming to us should be able to prove to us how they are protecting their data and what audits do they have in place to make sure that they continue to be secure. We've probably bought one of everything along the way. We have a group that tests everything in a lab. I always say that they probably have one of each item that we've seen, you know, over the last two or three decades. They still have some of that stuff up and running. Moving from a small business to big business,
Starting point is 00:10:15 really big, AT&T's Michael Singer says vendors need to consider the size of his organization when they come knocking on his door. I've seen a lot of cases where the ability to scale is just obvious up front, that there is something that will work but not at scale, and it wouldn't work for a medium or large business, and it wouldn't work for a carrier, that kind of thing. So you have to always be thinking about taking something times 10, then times a million, or times a billion. Don't tell us that we're going to run this on a small machine and it's going to be in a single instance. I also think that they should know by now that it is important to have separated the hardware and the software, that we want to be able to run a lot of instances on hardware that we select
Starting point is 00:11:09 as opposed to having the coupling back to an appliance. So that's a really big one. And when you knock on a big company like AT&T's door, it's important to knock on the right one. We have what we call the AT&T foundries, where we are intentionally trying to outreach, and there's an opportunity to do fast pitches through the AT&T foundries. So that's the right way, a good way to start to share
Starting point is 00:11:39 with the people who are really bright at AT&T. And it's much more effective than just sending email over and over. And I will add that at AT&T we have John Donovan who leads us. He deliberately asks us to take a look at small, innovative players and what they're doing, what they're doing differently. Is there something we're trying to do that it can do faster in a different way, save you costs and put you in a better position too, because it's more effective than some of the things that we've used in the past. So it's part of our strategy to always be looking at those kind of smaller solutions,
Starting point is 00:12:24 most innovative solutions, and look at those alongside the stuff that you would see on your usual industry chart. In terms of preparation, Michael Singer has this advice. There's nothing as good as actually doing it. So you can run tests and you can have the ability to generate traffic and to show things at scale. But the best way to learn really is to have real data, real traffic. So I guess as they're making their business plans and picking their partners, they need to be thinking with an eye toward just a lot of data, a lot of diverse data, a lot of volume, and maybe even different types of customers and segments so that when they come to you with their solution,
Starting point is 00:13:16 they have already kind of seen everything and they're not learning for the first time as you experience different types of traffic or you hit new thresholds and volumes. So as with any acquisition within the federal government, TSA was operating under the Federal Acquisition Regulation. That's Dr. Emma Garrison-Alexander, former CIO of the TSA. And we also had the Competition and Contracting Act, you know, where we had to make sure that we were using full and open competition, as well as making sure we were following the FAR in terms of the legal responsibilities and also the policies surrounding acquisition. So TSA was under the same rules and policies and laws as any other civilian agency. Federal organizations like the Transportation Security Administration, the TSA, have a lot of regulations to follow.
Starting point is 00:14:14 They also have a lot of money to spend. My budget that I managed and oversaw was $450 million annually. And then I had an oversight for IT that was outside of the direct purview of the CIO of about $278 million. So those acquisitions had to come across my desk for approval as well. So because of that level of budget, there were many, many different companies with an interest in coming into the agency and doing business with the agency. And so I actually had a strategic engagement organization that actually looked at the various companies that were interested in coming in, looked at their products and services,
Starting point is 00:14:57 and also how they might fit into the organization. We also had a small business requirement, you know, to do business with small businesses. So we were always looking for small businesses that might be able to support us as well and to learn more about them. It's important for them to know the organization. And part of what we did through that strategic engagement part of the organization was kind of getting to know them because at the end of the day, we still had to adhere to the Competition and Contracting Act, which is a law that's really about creating competition so that the government can get the best bang for their buck, the best value for their
Starting point is 00:15:38 dollar and to try to lower prices and to have more competitive pricing. So we would still end up there, but what engaging with the various companies would do for us, it really was an education process for us. It helped us to understand what was possible within the marketplace. It also helped us understand where the gaps were. You know, the government in general does not move fast, but there are ways to be creative, stay within the regulations and the laws, look at more innovative approaches so that things can move along faster, vice being slowed down. But that is a challenge. It's a challenge, I will say, for anyone within government that's working within the acquisition
Starting point is 00:16:22 process. It is definitely a challenge. She also emphasizes the importance of doing your homework. Make sure you know the organization. Make sure you understand the mission, understand their requirements. And that does not mean requirements from a contractual standpoint, but the kinds of needs that the organization might have. The other thing, organizations are allowed to submit white papers to the government with ideas, innovative ideas in particular, and that sometimes is a way to get your foot in the door for a meeting
Starting point is 00:16:55 or to have some conversation. Also, it's important to understand government processes, how the contracting process actually works. I think it's also important for companies to know who or what organizations is this particular agency working with now? What companies are they doing business with now? Find out something about those companies so that you can kind of get a sense of the culture, of the environment. I would say also spend some time, you know, maybe talking to previous employees or previous companies.
Starting point is 00:17:28 So there's this information gathering piece. I think that's really, really important for those individuals who want to have an opportunity to come into an agency to talk about their products and services, or if they're going to respond to an RFP, request for proposal, on a particular need of an organization. People would be amazed at how companies who really know the process don't even follow them well, and they don't necessarily respond to the RFP appropriately. And so it's really important to pay attention to detail. We all would just assume that all of these companies do those things. They do not, and it always surprised me. So really following the rules, understanding the procedures,
Starting point is 00:18:12 answering the questions that are asked in the RFP is really important. You will have an advantage if you really do that. And then always look for innovative ways to help the government in their mission and their ability to carry out that mission. What about service after the sale? Our experts agree that the ongoing relationship with a vendor after the contract has been signed is a critical part of the equation. Solid communication. Really, that's it. I want communication as to what is going on in the industry. I want to know if they're having any problems.
Starting point is 00:18:50 I want to know about it versus telling them about it. I want them to be telling us, hey, we found this. There's a lot more confidence when you're being told that there's an issue and they're working on it as opposed to us finding it and they're like, oh, I've got to fix this now, right? So communication is really the key on that one is I want to know what they're working on. I want to know how it's going to affect us. And I want to know if anything has happened, what are they doing to address it?
Starting point is 00:19:17 We have something that we would often refer to as incumbenitis. And that's where you have a company that has been inside of a government agency for a period of time and they become somewhat lackadaisical, you know, because they have the business, they can get comfortable. And so my goal was always to ensure that they never get comfortable, that they always understood that we are paying good money, taxpayers' dollars, for your goods and services, and you have to deliver, and you have to do it at a level that is acceptable to the government and to ensure that the government is really getting the right value for the money that they are putting into your product or services. I think that the expectations for the vendors really come back to accessibility, making sure that as there are questions or potential concerns related to the way in which a solution is operating,
Starting point is 00:20:23 that there is that ability to have a back-and-forth communication around how things are going, what the issues might be, how quickly, if there is an issue, it can be resolved. And I think that in many cases, we see it over and over. Our clients just have a lot of expectation that they are heard and they feel like their concerns are being acted upon once they have a product in the production environment. The other thing that can happen in the industry that as things change, you have a lot of your supplier partners getting acquired or merging. And it does happen that the new owner may make changes and may even decide to declare end-of-life support, and then maybe even they're not even going to let you run a particular solution anymore.
Starting point is 00:21:11 So you just have it out of necessity. You have to either find some other way to support it, work with another supplier partner, or do it yourself when those situations occur. And I think whenever you have stuff that works really well, sometimes you run it for a long time. And as quickly as things are changing, once you get past three years, five years, you're definitely going to look at those type of situations to protect you from situations where you'll have something go unsupported. The last thing that any client or the vendor wants, for that matter,
Starting point is 00:21:46 is for something to be deployed, for it not to work as well as expected, and for it to become shelfware. And one of the key roles, I think, that we play in making sure that solutions are deployed and used is to make sure that the deployment is sound, that the product and the solution and the processes and the people at the client site have enough understanding of the solution that it operates well, and that then it continues to evolve with the client's environment so that it stays relevant and the configuration is updated as needed. So it's really just how can we keep that solution going and alive and providing the
Starting point is 00:22:32 most value to the clients. And that's what's the most helpful to both the client and the vendor. Both Emily Mossberg and Emma Garrison-Alexander have some insights for sellers to make it easier for those doing the buying. So much of the emphasis and focus is on the actual technology itself and the way the technology works. And that's very important. But there's not as much emphasis as I think there should be in terms of what is the true business purpose that a client needs this solution for? What is the challenge that they're facing? And how is this piece of software or this solution or this product going to help deal with that business issue? And I think that we're seeing more and more
Starting point is 00:23:20 a demand from our clients that, you know, don't just talk to me about the technical functionality and the bits and bytes associated with the solution, but help me understand how this is going to help solve my business problems. And so I think we're also seeing with that more of a focus on having an industry lens associated with understanding how a solution fits in. Because the fact that, you know, what data you're trying to protect becomes more important. Because of the fact that the types of adversary and the motivations of those adversary is so targeted based on industry, being able to talk about how the solution assists as it relates to that particular enterprise and that particular industry that the enterprise is in is something
Starting point is 00:24:11 I think we're seeing a lot more demand for today. So I think some of the challenges have been around integration of the various products to ensure that you have the best solution and you have the best security posture within your organization. Because, you know, businesses are in business to make money. If they're not making money, they're not in business. And so trying to manage the integration across products and services and ensuring that those things go well, that is one area I think that the industry still needs to do a better job of, you know, doing more across compatibility, doing more with common standards, more with testing to ensure that various products work well together. That's a very important area that needs much
Starting point is 00:24:59 work, I believe. One of the most interesting things that I've found in some of the conversations that we've had with some of the VCs and the startups, and many of these are in their infancy, but they talk to us and they tell us so much about the cool functionality of their solution. And it is really cool. In many cases, they've talked about some pretty interesting things. But when we start to ask questions like, well, talk about in what case a client would want to deploy this. Talk about the use cases of why a client would need this. Talk about who the buyer is. They're more focused on the cool technology than the applicability, right? And so I think that making sure that you understand the applicability of your solution is so important,
Starting point is 00:25:58 especially as you want to start to make a more senior level, impactful, larger sale. The applicability cannot be underestimated. And that's our CyberWire special edition. Our thanks to Vilas Niralakot, Michael Singer, Dr. Emma Garrison-Alexander, and Emily Mossberg for sharing their views on buying cybersecurity. You can learn more about the CyberWire and subscribe to our daily news brief and podcast at thecyberwire.com. The Cyber Wire podcast is produced by Pratt Street Media. Our editor is John Petrick. Our social media editor is Jennifer Iben,
Starting point is 00:26:35 and our technical editor is Chris Russell. Our executive editor is Peter Kilby, and I'm Dave Bittner. Thanks for listening.
