Andrew Hay, CISO at DataGravity, said cloud architecture may also be a factor, “specifically SaaS (software as a service) delivery models, lowering the barrier to entry,” leading to an exponential increase in security startups that are all, “promising to solve the same problems, or invent a new problem to solve.”
Whatever the reasons, Zilberman said there is now, “a sea of vendors with similar products. At one point, Gartner was tracking 23 endpoint protection vendors. I speak to CISOs all the time regarding doing their day job vs. vendor evaluation. They just don’t have the bandwidth to do it.”
The imbalance is exacerbated even more by some CISOs deciding to, “move on and try to sell their own products,” Zilberman said. “They’ve joined the vendor ecosystem.”
It is not just that there are hundreds of products on the market. It is also that CISOs are solicited as “testers” for “minimum viable products” – the first, rudimentary version of a tool that needs feedback from early users so developers can refine it, eliminate bugs and add features before pitching it to the mass market.
That label, “does not mean it’s a bad product,” Rifai said, noting that Techopedia defines it as, “a development technique in which a new product or website is developed with sufficient features to satisfy early adopters. The final, complete set of features is only designed and developed after considering feedback from the product's initial users.”
That model has worked, he said, but, “due to the sheer volume of security vendors today, CISOs have less time to be a vendor’s guinea pig.”
In an ideal world, Hay said, the CISO, “would have a technical staff to evaluate the tools,” which would allow him to focus on the “strategic vision” of the security program – “policies, procedures, guidelines and standards that must be defined, maintained and measured,” he said.
The CISO would then be brought in when a purchase decision needs to be made, “to validate that the products in question align with the organization’s security goals,” he said.
Of course, the ideal is not always reality. So experts generally agree that the overwhelmed CISO should focus not on what vendors are selling, but on what the organization needs.
Dan Waddell, managing director, North America region and director of U.S. Government Affairs for ISC2, said CISOs should understand the environment of their organizations, and then, when presented with a product pitch, “ask all stakeholders to be present to provide input – not just the security team, but personnel from procurement/acquisition, finance, enterprise architects, etc.”