What’s the best way to procure cybersecurity technology? That sounds like a trick question, but it isn’t. Although most cybersecurity professionals believe they’re underfunded (and probably are), what would they do with more money if they got it? And how would they be sure it’s spent to maximum advantage? Figuring out how to procure infosec products effectively is more challenging than it first appears.
Many cybersecurity organizations take a “big rock” approach—buying security products from their preferred IT vendors. It turns out this approach is a mistake. It makes far more sense to adopt an “ecosystem” approach—the approach preferred by the most mature organizations. Another effective strategy is to invest early in security startups and guide them towards developing solutions customized for your organization’s needs.
It’s also important to have an architecture that encompasses the technology categories in which you are acquiring products and services, and a roadmap for deploying them in a logical sequence. The architecture and roadmap should address your most pressing security challenges, and revisiting both on an annual basis is a proven best practice.
Finally, not all technologies—even if they’re security related—should fall into the cybersecurity budget. Knowing where to pay for them is just as important as knowing whether you need them and when you’ll deploy them.