“The various perspectives will ensure that the solution aligns with the organization’s policy, governance and staffing goals,” he said.
Irfan Saif, a partner in Deloitte Advisory Cyber Risk Services, said the need to understand the organization’s needs and business requirements is “paramount,” and the failure to do that can lead to the use, or overuse, of “overlapping or redundant tools that aren’t integrated or aren’t working in unison towards mitigating and managing key risks to the organization.”
That, he said, “can distract from the more important task of truly understanding the risks and threats and designing the right solutions, which may include one or more technologies working in tandem.”
Hutchinson agreed. “Focus on what your business needs, not what tools are available,” she said, adding that it is also important to make sure security measures enable the business, and don’t restrict what workers need to do.
“As a friend of mine says, ‘the purpose of a door is to control the flow of people to and from the house.’ If I put 50 locks on the door, it is most definitely secure but it no longer functions well as a door,” she said.
And when it comes to cutting through the hype, Hay said sharing information with colleagues can help. “If your product or solution can solve an actual problem, and not just a marketing-derived problem, the ‘hype fog’ can be cleared away from the product pretty easily,” he said.
“When your product or service is built on hype and not value, the industry that it aims to serve will quickly pick it apart and surface its actual value.”
Zilberman agreed. Especially smaller organizations, he said, “can look for tools that have had success in the industry. They can evaluate it through ‘referenceable’ customers. You don’t want to be the guinea pig.”
Saif agreed, adding that CISOs aren’t the only ones dealing with a marketing blitz.
“The challenge of separating fact from fiction and not being lured by slick marketing is not a challenge unique to CISOs,” he said.
Zilberman said he thinks the market is sorting itself out somewhat based on Gartner’s so-called “hype cycle,” in which an emerging technology reaches a peak of “inflated expectation,” then slides into a “trough of disillusionment” and then moves back into a more sustainable growth curve called the “slope of enlightenment.”
“The security industry is very much following that curve,” he said. “We were at the front end 12 months ago with huge amounts of capital pouring into it. Now, some companies are not growing as fast as expected, so we’re more in the trough of disillusionment.
“But bad guys are not going away,” he said. “I think there will be a slight correction, and in the not-too-distant future, the market will rebound.”