Do you want to live with a big rock, a fancy dog, a tailored suit, or a flexible ecosystem?
In other words, what’s the best way to procure cybersecurity technology?
That sounds like a trick question, but it isn’t.
While most cybersecurity professionals believe they’re underfunded (and probably are) and most cybersecurity programs are understaffed (and probably are), one of the ways to counter this austerity is with efficiency.
What would we do with more money if we got it? How would we be sure it’s spent to maximum advantage?
Figuring out how to procure information security products effectively is more challenging than it first appears. Here are four basic approaches:
- The big brand approach. “One stop shop” sounds good. Get everything you need from a single giant vendor whether they are the best at what they do or not. A single throat to choke, right?
- The boutique approach. Research “best of breed” brands and get all the hot solutions. Now you’ve got the opposite problem from the big brand method: you need to go to a lot of little shops.
- The customize everything approach. Hire a smaller vendor and have them create everything for you, guiding their development to your needs. Better, but still time- and resource-heavy on your part.
- The ecosystem of best vendors approach. Each vendor has core competencies in different areas in the information security space. Integrating these competencies helps solve our customers’ problems.
At Tripwire, we believe our solution set is designed to provide a foundation for your security and compliance program, but it is only one piece. Equally important is Tripwire’s ability to integrate and share information with other tools and applications. Tripwire uses a collaborative approach to align its solutions with your evolving IT ecosystem.
Mature organizations know the best way to optimize this ecosystem with their limited resources is to:
- …use an architecture of technology categories (and services)
- …roadmap their deployment of these in logical sequence
- …address the most pressing needs first
- …and revisit at least annually to prove coverage and ROI
Finally, some of the security and compliance related solutions might be resident in different budget centers – some might be compliance, operations or cyber-security related. Knowing when to pay/buy and whether you need them is important.
Where do you start?
Use a framework like SANS 20 Critical Security Controls. There are many frameworks that can be used for prescriptive guidance on how to address security & compliance – NIST, CIS, PCI, NERC, etc.
Above are the SANS Top 20 controls in priority order (architecture, logical, needs first) filled in with *just* Tripwire capabilities, and below we have the same chart with a few of Tripwire's select partners.
In this example, you can see that we can help you extend your coverage by integrating with over 40 different partners across the security ecosystem.
Visit our Technology Alliance Program page for a full listing.