Back to Blog November 19, 2021

    Navigating the Cybersecurity Vendor Landscape: Ask the Right Questions

    The cybersecurity vendor landscape has become more confusing than ever. Driving the complexity is the fact that every solution provider feels forced to co-opt trending terms to improve their SEO rankings, analyst coverage, and likelihood of fitting into enterprise cybersecurity budgets.

    However, focusing on the fundamentals and asking the right questions can help disambiguate the cybersecurity vendor landscape.

    In Part 1 of this two-part blog series, I highlighted three tips for buyers for navigating the cybersecurity vendor landscape. In Part 2, I’ll explore how asking the right questions can help.

    Questions to Ask

    Once you know where your organization stands from a capabilities perspective, it’s time to start asking vendors and prospective vendors the questions that will clarify what they’re selling and differentiate them from other products and product categories.

           1> What Does Your Product Do?

    If your vendor is speaking purely in business outcomes or industry jargon, i.e., We stop attacks before they become breaches, or We protect your applications from software vulnerabilities, you won’t ever truly understand what they do. 

    Similarly, if they try to fit into too many categories, you’ll never get to the heart of what the product actually does technologically. No tool is a next-gen, AI-powered, Zero Trust compliant, automated detection engine for anomalous behavior across the seven layers of the OSI model.

    Insist on a simple explanation — devoid of buzzwords — that clearly states the intended outcome. For instance, at Axonius we tell prospects that our platform:

    • Provides a comprehensive and up-to-date asset inventory
    • Surfaces coverage gaps and validates security controls
    • Automates enforcement actions 

    Don’t settle for, We prevent breaches. Instead, look for sales people who detail specifics and quantify risk. For example:

    • Our passwordless solution eliminates passwords — one of the largest attack vectors — to decrease the likelihood of unauthorized system access. 
    • Our platform monitors DNS traffic to identify known-bad domains and prevents users from connecting to malicious or compromised hosts.
    • Our endpoint agent can be installed on every device connecting to your network. The agent checks the device’s security hygiene before every connection attempt and approves or blocks access depending on its security state.

    The less hyperbole a product maker provides, the easier it will be to assess their impact.

           2> How is Your Product Deployed? 

    Also ask questions like: Where is it deployed? How long will it take to deploy? How are system updates handled?

    Depending on your organization’s architecture, risk tolerance, and in-house capabilities, find a product that fits your needs. A product doesn’t need to be SaaS or cloud-native or any other feature if that’s not what you, the customer, need. It may be de rigueur to say or even build certain things, but it’s you and your organization that need the product to fit your environment.

    Further, try to talk to a current customer to learn about their actual deployment. Every vendor will promise deployment in hours or days when, in reality, many will take weeks or months. That impacts your bottom line and ability to control risk.

           3> How Will Your Platform/Product Improve My Security Posture?

    Again, don’t settle for a lazy answer like, We prevent breaches. Solid products allow for measurement and benchmarking. Many vendors today will show you how they map to the NIST Cybersecurity Framework, CIS Controls, or MITRE ATT&CK, which will help your organization prioritize protection and detection against the full spectrum of attacks.

    Make sure the vendor demonstrates their reporting functionality in full and ensure you can customize reports to your business needs. 

    There are many more important vendor evaluation questions, including the security of their platform’s architecture and their customer support model. But first things first: what does it do and how will it help you. Relying on marketing speak to protect your company from cyber compromise isn’t a sound strategy. 

    It may take a little patient persistence on your part to wade through what sales and marketing teams are conditioned to do — be buzzword-friendly — but the good vendor reps out there will get you to the answers you need to make an informed decision.

    As the pandemic winds down, businesses have a new challenge: securing hybrid environments. Download the “Take Back Control of Your Hybrid Work Environment” white paper to learn how.

    Tag(s): Cybersecurity

    Sign up to get first access to our latest resources