Finding a Good Vendor Partner: More than Technology

Finding a security vendor that is the best fit for your company’s business objectives, culture, risk profile, and budget is challenging today. The purpose of this blog is to suggest that working with a “vendor partner” is more than working with a standard technology vendor in that a partner aligns not only with “Technology” concerns but also with “People and Process” concerns. Prior to my time at Tripwire, I spent close to seven years in the Integrator space of Information Security. Strictly speaking, this space exists to bridge the gaps created and/or neglected by technology vendors with regard to services related to their specific technologies, in particular audits, assessments, consulting, deployment, health checks and optimizations. During my time as an Integrator, I was continually amazed at the relative disregard and disdain that many technology vendors demonstrated toward services. Part of these views stem from costs, resources and scalability concerns, but ultimately, these views also reflect something of a disconnect between standard technology vendors and their customers.

Technology, Process and People

Many technology vendors do not acknowledge the full scope of the challenges customers face on a daily basis, which is to say customers have challenges not only in Technology but also People and Process. In point of fact, with 3500+ vendors in the information security space today, Technology may be the one area in which customers have a comfort zone. How to fit Technology into holistic security programs, taking into account increasingly regulated environments (Process) as well as who will manage the Technology (People) often represent larger issues. Concerning Process, as Paul Watts, CISO for Domino’s Pizza, UK and England told Infosecurity Europe 2018,

“All the compliance and certification in the world is no substitute for a solid foundation for cyber defenses, and I know of organizations that have been breached by pen testers, even though the CISO had a string of certifications and he had implemented a host of high-grade security controls.”

With regard to People, according to Oliver Rochford,

“Cybersecurity technology can act as a force multiplier, automating menial and trivial tasks, but this still requires a force to multiply. And while technology can make challenging tasks easier to accomplish, it doesn’t accomplish them for you. That still requires people, and will for some time to come.”

Why Technology Vendors Must Understand These Elements Together

Shortsighted technology vendors that fail to recognize these issues often struggle with managing customer sales cycles as previous sales engagements stagnate and customers struggle to address these issues. It’s fair to say that if these vendors could address these issues, they could reduce or eliminate inconsistency in their sales cycles altogether. Outside of Process and People concerns, technology vendors will often take completely different approaches from on premise to the Cloud, which, in an environment where most customers manage both on premise AND Cloud environments, can lead to security gaps, unanticipated costs and project timeline delays. The vendors that are forced to take different approaches are typically those who have not adopted a Console format for their on premise deployments. (Consoles, of course, are critical to successful Cloud deployments.) As Adrian Sanabria argues on The State of Security blog,

“Since everything in the cloud is virtualized, it’s possible to access almost everything through a console. Failing to secure everything from the console’s perspective is a common (and BIG) mistake."

Finally, most technology vendors have been slow to offer SaaS solutions, which offer maximum flexibility for their customers. Howie Xu, VP of Machine Learning and Artificial Intelligence at ZScaler, argues that “with a SaaS form factor, you can take a little more risk. Innovation and risk-taking are correlated. With shrink-wrapped software, you traditionally have one shot, and if that software is not good, then you are toast.”

Who Are the Best Vendor Partners?

The best vendor partners view Technology as just one piece of the triumvirate of customer issues that is People, Process and Technology. They will not sell a customer technology without understanding how their technology will interact with customers’ processes and compliance environment and who will manage it. Ideally, the best vendor partners will have SaaS and Managed Service alternatives, but if they do not, they will have certified programs with experienced partners. Under the auspices of solving multiple solutions instead of solutions in isolation, the best vendor partners will provide integrations and support capabilities that will go above and beyond the typical vendor options that are offered. Finally, the best vendor partners will offer similar if not identical approaches to on premise and cloud deployments (via Consoles) so that, in the likely scenario of hybrid environments, projects will be proceed seamlessly and without cost overruns.

What’s a good strategy in identifying a good vendor partner?

• Identify a vendor that either can provide SaaS options and managed services in-house or has a certified MSSP program.
• Work with a vendor that is well-versed in compliance as well as network architectures.
• Ensure that the vendor has not only API’s to your platforms but also integrations for your mission critical platforms such as your Help Desk.
• Compare/contrast On-premise/Cloud approaches.
• Select a vendor that allows for varying levels of support depending upon your budget.

The good news? Tripwire can help…

Tripwire provides managed service options for its Compliance (Tripwire Enterprise) and Vulnerability Management (IP360) platforms. Tripwire also provides SaaS, cloud-based, hosted solutions around both of these solutions for those customers looking for operational expense flexibility. Additionally, Tripwire has a wealth of knowledge and experience about existing and emerging compliance mandates, as well as all major network architectures and cybersecurity frameworks. In terms of interconnectivity, Tripwire offers not only API’s to hundreds of vendor platforms, but also integrations to all major Help Desk platforms. Finally, Tripwire has console-based, identical deployment options for on-premise and in the Cloud, and offers tiered levels of support in correspondence with customers’ appetites for managed services and budgets. Learn more about Tripwire’s solutions here.