
Thread: Tips For Security Purchasing

  1. #1
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830

    Tips For Security Purchasing

    I don't know how many of you in the AO community have enough pull at your respective companies to be involved in medium to enterprise level purchasing decisions, but if you have any insight I would appreciate it.

    What are the things that you think are essential to factor into a purchasing decision or to consider when selecting a product or vendor or making a purchase?

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Wow, that's a broad question. I think it's more appropriate to consider what the process is that an organization goes through...the things to consider are going to vary widely depending on what you are looking to purchase, or contract, or obtain and *why* you need (or feel you need) said product/service.

    For example, a previous client had been handling email content filtering in-house with their enterprise sysadmins and a pair of *nix bridgehead servers running a slightly older version of TrendMicro's offering…InterScan, I think. The company was on an outsourcing kick…they do a really good job of finding precious substances under the ground, not providing IT support, etc. you know the story. So they chose to outsource their email content filtering to a managed security service firm. The issues surrounding this change that were identified by the PM included:
    - Outsourcer’s solution did not have the flexibility or granularity that their TrendMicro software offered
    - Cost effectiveness of the outsourced solution was MUCH better than the dedicated in-house resource
    - The comprehensive package of having a view on the big picture from the outsource provider, being able to identify large scale events that are impacting not just their email, but other companies and clients, etc. was more in line with the company’s security and business goals
    So in this situation, even though they lose a level of control and flexibility, they gain from not having to manage the resource themselves, and have a better insight to what may be happening outside their networks but is impacting them.

    This is a single, crude example but the point stands. You need to consider some of the obvious points: who is the vendor, what is their reputation for support after sale, and what do other companies think of them. SANS offers some good insight into this area with their What Works web casts. I usually don’t have the time to bother with sitting through the presentations, but these are always based on real companies that have gone through this process, and what their post-transaction feelings about it are.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    I work for a large company, and I can tell you without doubt that there is only one factor when making these kinds of decisions:

    Price.

    Though we wish it were otherwise, we invariably end up buying the cheaper software regardless of differences in capabilities. Sad but true.

  4. #4
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Price is a big factor of course. In fact, you have to justify it.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  5. #5

    Re: Tips For Security Purchasing

    Originally posted here by tonybradley
    I don't know how many of you in the AO community have enough pull at your respective companies to be involved in medium to enterprise level purchasing decisions, but if you have any insight I would appreciate it.

    What are the things that you think are essential to factor into a purchasing decision or to consider when selecting a product or vendor or making a purchase?
    If you're asking that on the Internet, and your resources permit, you presumably need to consult professional risk management. There is only one member that I know of that has experience in professional security risk management and that's catch.

    I know this much. One of my clients received a $23 million dollar loan last year from a big oil and gas investor. Before that loan committee granted it to them, the committee wanted proof of implemented risk management. I had another client who received a grant for a large sum of money as well. They wanted risk management, internal auditing and whatnot.
    I don’t know if you carry that kind of pull, but even smaller businesses consult risk management. It’s just smart practice.

    But since you mentioned security, you might want to refer to the NCSC-TG-004-88 on risk management. It’s a little different.
