2019 Infosec Buyers Guide
Adrian Sanabria, VP of Strategy and Product Marketing at NopSec
Paul Asadoorian, Founder & CTO at Security Weekly
Who are these guys?
Paul Asadoorian
Practitioner
Instructor
Entrepreneur
Product Strategy
Owner, host of the Security Weekly Podcast
Cigar smoker, whiskey drinker
Adrian Sanabria
Practitioner
Consultant
Industry Analyst
Entrepreneur; Product Strategy
Has SEEN things, you know?
Cigar smoker, whiskey drinker
Agenda - Buckle up!
Part 0: Problems and Goals
Part 1: Shopping
Part 2: Evaluation
Part 3: Ownership
Quick Note about Handouts and Prizes
This ICON means there’s a related handout in the SlideZip or at the end!
Scan the QR code to the right, or email sawaba@zip.sh with infosecworld2019 as the subject.
Questions To Ask Yourself
● Can I describe the problem I’m having?
● What are my goals and requirements related to this problem?
Questions To Ask Yourself
Is there a chance I already own a workable solution?
Questions To Ask Yourself
● Build vs buy: could I roll with FOSS or build it myself?
● Would it be more or less labor and cost than going with a COTS (Commercial Off-The-Shelf) offering?
Build vs Buy: Prioritizing least expense/effort
1. Solve with existing resources
2. Build with existing resources
3. Buy solution; implement/use with existing resources
4. Acquire service (outsource solution)
5. Buy solution; add/train people with existing resources
6. Request more resources & do one of the previous five
Resources = People, Software, Assets and/or Budget
Build vs Buy in one simple flowchart*
*Sorry, maybe not that simple, but there’s a copy in the handouts for you to look at more closely later!
This came from: https://medium.com/@sawaba/when-to-purchase-a-solution-to-your-cybersecurity-problem-86de1fa203ba
Questions To Ask Yourself
Defining a few metrics:
1. Time-to-Value: The effort necessary to get a product implemented and doing something useful.
2. Labor-to-Value Ratio: The effort necessary to keep a product maintained and continuing to be useful.
3. True Cost: CapEx + OpEx + Direct Labor costs + Indirect Labor costs.
Examples: Anti-Virus? SIEM? Others?
Who Are We Dealing With?
● Dealing with startups - more like a partnership
● Dealing with established companies who are frequently acquiring or being acquired
Part 1: Shopping
Shopping!
● Cutting through vendor marketing
● Understanding the pitch
● “It’s on the roadmap”
● Asking the right questions
● Asking the right people
Anatomy of a Pitch
The WebEx Tax (5 minutes, sorry Cisco)
Introductions (5 minutes)
About the Company (5 minutes)
The Problem Statement (10 minutes or more)
The Product (10 minutes or more)
Demo (maybe?)
Roadmap, Competition, The Future (remainder)
Next Steps Discussion (Last 5 minutes)
Understand the sale by understanding the seller
● Pricing models
○ By endpoint
○ By device
○ Per employee
○ Base + modules
● Sales models
● Compensation
● Channel sales
Storytime!
“FireEye Buyer’s Remorse”
1. Aggressive sales/marketing
2. Poorly understood value prop
3. Customers bought for the wrong reasons
4. Customer Regret
5. High churn, low renewals
Eleven questions to ask and why you should ask them
1. What problems and/or challenges do you solve?
2. How is the solution implemented (architecture)?
3. How does your product work?
4. What is the value proposition?
5. Does the product have a ‘killer feature’?
6. On average, how long is the typical deployment?
7. How much effort does the product take to maintain?
8. Who is your competition?
9. What is the one feature that differentiates you?
10. How do you measure the success of the product?
11. What is your ideal customer?
(Image caption: actual software product manager hard at work...)
Who Should You Ask?
“It Depends”, however typically these are some of the better roles to handle product questions (in order):
1. Founder & CEO/CTO
2. Product Management
3. VP of Marketing or Product Marketing
For technical questions the VP/Head of Research and Development is typically the best source.
Part 2: Evaluation
Evaluation Checklist
1. Define goals and objectives (success metrics)
2. Set up the correct test data and/or environment (it’s okay to cheat, e.g. downloading a list of known-bad domains rather than waiting to encounter them)
3. Testing in the lab, but perhaps with real data from the network or log sources
4. Continually testing various scenarios based on real-world experiences
5. Does it actually work?
6. How much effort will it take to make it work (labor-to-value ratio)?
7. How long will it take to implement (time-to-value)? Hours, days, weeks or months?
8. How easy (or difficult) will it be to operationalize it?
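To make checklist steps 1, 2 and 5 concrete, here is an added example (not from the talk or its handouts): a small Python harness that scores a detection product against a seeded, labelled test set and checks the result against success metrics written down before the evaluation started. The domains, the product verdicts and the thresholds are all constructed for illustration; swap in your own seeded data and the vendor’s actual output.

```python
"""Added example: scoring a detection product during an evaluation.

Decide the success metrics first (checklist step 1), seed the test
environment with labelled data (step 2), run it through the product,
then let the numbers answer "does it actually work?" (step 5).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    indicator: str  # domain under test
    is_bad: bool    # ground truth, decided before the product sees it


# Constructed, labelled test set (".test" is a reserved TLD; none of these
# are real indicators). The benign lookalikes matter: without them the
# test only measures detection and never measures false alarms.
TEST_SET = [
    Sample("account-verify-login.test", True),
    Sample("paypa1-secure.test", True),
    Sample("update-flash-player.test", True),
    Sample("invoice-attachments.test", True),
    Sample("dns-tunnel-c2.test", True),
    Sample("free-gift-cards.test", True),
    Sample("intranet.corp.test", False),
    Sample("mail.corp.test", False),
    Sample("login.partner-bank.test", False),
    Sample("docs.vendor.test", False),
]

# Constructed verdicts from the product under test: True = flagged.
# Indicators the product never reported on are simply absent.
VERDICTS = {
    "account-verify-login.test": True,
    "paypa1-secure.test": True,
    "update-flash-player.test": True,
    "invoice-attachments.test": True,
    "dns-tunnel-c2.test": True,
    "free-gift-cards.test": False,      # a miss
    "login.partner-bank.test": True,    # a false alarm on a benign lookalike
}

# Success metrics agreed BEFORE the evaluation; hypothetical thresholds.
SUCCESS_CRITERIA = {"min_detection_rate": 0.80, "max_false_positive_rate": 0.10}


def score(samples, verdicts):
    """Confusion matrix plus the two rates the criteria reference."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    missed, false_alarms = [], []
    for s in samples:
        flagged = verdicts.get(s.indicator, False)  # no verdict == not flagged
        if s.is_bad and flagged:
            counts["tp"] += 1
        elif s.is_bad:
            counts["fn"] += 1
            missed.append(s.indicator)
        elif flagged:
            counts["fp"] += 1
            false_alarms.append(s.indicator)
        else:
            counts["tn"] += 1
    bad = counts["tp"] + counts["fn"]
    benign = counts["fp"] + counts["tn"]
    return {
        **counts,
        "detection_rate": counts["tp"] / bad if bad else 0.0,
        "false_positive_rate": counts["fp"] / benign if benign else 0.0,
        "missed": missed,            # take these back to the vendor
        "false_alarms": false_alarms,
    }


def shortfalls(result, criteria):
    """Names of the criteria the product failed; an empty list means pass."""
    failed = []
    if result["detection_rate"] < criteria["min_detection_rate"]:
        failed.append("detection_rate")
    if result["false_positive_rate"] > criteria["max_false_positive_rate"]:
        failed.append("false_positive_rate")
    return failed


def passes(result, criteria):
    return not shortfalls(result, criteria)


if __name__ == "__main__":
    r = score(TEST_SET, VERDICTS)
    print(f"detection {r['detection_rate']:.0%}, false positives {r['false_positive_rate']:.0%}")
    print("missed:", r["missed"], "| false alarms:", r["false_alarms"])
    verdict = "PASS" if passes(r, SUCCESS_CRITERIA) else "FAIL on " + ", ".join(shortfalls(r, SUCCESS_CRITERIA))
    print(verdict)
```

With the constructed data the product catches 5 of 6 bad domains (83%, above the 80% bar) but flags 1 of 4 benign lookalikes (25%, well over the 10% ceiling), so the harness reports a failure on false positives. That is exactly the outcome a detection-only test set would have hidden, and the `missed` and `false_alarms` lists give you specific items to raise with the vendor instead of an impression.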
Types Of Evaluations
● Hands-Off - You’ve spoken to the company at a high level and seen a technical demo. You’ve talked to analysts and companies using the product and received feedback.
● Open-Source / Free Trial - Typically limited in features, but allows you to conduct a very scaled-down test. May only involve you, the security person, and if you find something good, you tell others.
● Pre-Configured Testing - The vendor sets up a test, using fake data (or data that does not come from your environment). Allows you to explore all of the functionality (typically only involves you).
Types Of Evaluations (2)
● Evaluating in your own lab - You’ve set up your own virtual/cloud environment that does not mirror your production systems, but allows you to test solutions on your own. This may involve other people in your organization.
● Evaluating in a mirror - Mirror your production/test/QA/other environment and do the testing, likely with some others in your organization.
● Evaluating in production, limited implementation - In collaboration with other groups, implement the solution in a small sample of your network/systems. Typically this will include vendor support, at varying levels.
Part 3: Ownership
Long-term Ownership
Consider:
● The True Cost metric
● The post-purchase relationship
○ Second-class citizen?
○ Did you “plan to ditch before you hitched?”
● Is there still technical value?
○ Overlap with other products?
○ Shift in threats?
● Does it still make financial sense?
○ Can you do it cheaper?
○ Hand off to MSSP?
○ Run in the cloud?
Avoiding “Shelfware”
The solution has to be practical, meaning it is:
● Aligned with business goals and objectives
● Solves actual problem(s)
● Makes jobs easier, not more difficult
Really cool != practical (but I still want one)
Storytime!
Story 1:
1. Staff was oblivious
2. Symantec
3. FireEye
4. Phone Calls
Story 2:
1. Staff was very aware
2. Web Scanner (DAST)
3. Network Scanner
4. SAST tool
5. SSLV Malfunction
6. Custom Snort rule
Storytime!
Every company breached had security products
What went wrong?
1. Understand the product’s coverage and limitations
2. Understand your staff’s coverage and limitations
3. Learn to use tools effectively
4. Test systems, tools and staff
Resources
Product Evaluation Form (Google Doc)
Incident Cost Calculator (Google Sheet)
When to purchase a ‘solution’ to your
cybersecurity problem (Blog Post)
What is your product and what does it do? (Blog
Post)
In the SlideZip:
● From the CISO’s Guide to Startups
○ Slides
○ Handout and Appendices
○ Vendor Expo Challenge
● Some of the blogs from the left
● Product/Vendor Evaluation Form
For the handouts, email sawaba@zip.sh with infosecworld2019 in the subject or scan the QR code.
Twitter: @sawaba
Blog: https://medium.com/@sawaba
Twitter: @securityweekly
Email: paul@securityweekly.com
Podcasts:
https://securityweekly.com/subscribe
THANK YOU
Please Fill Out
Your Evaluations

How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

2019 Infosec Buyers Guide for Evaluating Solutions

  • 1. 2019 Infosec Buyers Guide
  Adrian Sanabria, VP of Strategy and Product Marketing at NopSec
  Paul Asadoorian, Founder & CTO at Security Weekly

  • 2. Who are these guys?
  Paul Asadoorian: Practitioner; Instructor; Entrepreneur; Product Strategy; Owner, host of the Security Weekly Podcast; Cigar smoker, whiskey drinker
  Adrian Sanabria: Practitioner; Consultant; Industry Analyst; Entrepreneur; Product Strategy; Has SEEN things, you know?; Cigar smoker, whiskey drinker

  • 3. Agenda - Buckle up!
  Part 0: Problems and Goals
  Part 1: Shopping
  Part 2: Evaluation
  Part 3: Ownership

  • 4. Quick Note about Handouts and Prizes
  This ICON means there’s a related handout in the SlideZip or at the end! Scan the QR code to the right, or email sawaba@zip.sh with infosecworld2019 as the subject.

  • 5. Questions To Ask Yourself
  ● Can I describe the problem I’m having?
  ● What are my goals and requirements related to this problem?

  • 6. Questions To Ask Yourself
  Is there a chance I already own a workable solution?

  • 7. Questions To Ask Yourself
  ● Build vs buy: could I roll with FOSS or build it myself?
  ● Would it be more or less labor and cost than going with a COTS (Commercial Off-The-Shelf) offering?

  • 8. Build vs Buy: Prioritizing least expense/effort
  1. Solve with existing resources
  2. Build with existing resources
  3. Buy solution; implement/use with existing resources
  4. Acquire service (outsource solution)
  5. Buy solution; add/train people with existing resources
  6. Request more resources & do one of the previous five
  Resources = People, Software, Assets and/or Budget

  • 9. Build vs Buy in one simple flowchart*
  *Sorry, maybe not that simple, but there’s a copy in the handouts for you to look at more closely later!
  This came from: https://medium.com/@sawaba/when-to-purchase-a-solution-to-your-cybersecurity-problem-86de1fa203ba

  • 10. Questions To Ask Yourself
  Defining a few metrics:
  1. Time-to-Value: The effort necessary to get a product implemented and doing something useful.
  2. Labor-to-Value Ratio: The effort necessary to keep a product maintained and continuing to be useful.
  3. True Cost: CapEx + OpEx + Direct Labor costs + Indirect Labor costs
  Examples: Anti-Virus? SIEM? Others?

  • 11. Who Are We Dealing With?
  ● Dealing with startups - more like a partnership
  ● Dealing with established companies who are frequently acquiring or being acquired

  • 12. Agenda - Buckle up! (Part 0: Problems and Goals; Part 1: Shopping; Part 2: Evaluation; Part 3: Ownership)

  • 13. Shopping!
  ● Cutting through vendor marketing
  ● Understanding the pitch
  ● “It’s on the roadmap”
  ● Asking the right questions
  ● Asking the right people

  • 14. Anatomy of a Pitch
  The WebEx Tax (5 minutes, sorry Cisco)
  Introductions (5 minutes)
  About the Company (5 minutes)
  The Problem Statement (10 minutes or more)
  The Product (10 minutes or more)
  Demo (maybe?)
  Roadmap, Competition, The Future (remainder)
  Next Steps Discussion (last 5 minutes)

  • 15. Understand the sale by understanding the seller
  ● Pricing models
  ○ By endpoint
  ○ By device
  ○ Per employee
  ○ Base + modules
  ● Sales models
  ● Compensation
  ● Channel sales

  • 16. Storytime! “FireEye Buyer’s Remorse”
  1. Aggressive sales/marketing
  2. Poorly understood value prop
  3. Customers bought for the wrong reasons
  4. Customer regret
  5. High churn, low renewals

  • 17. Ten Eleven questions to ask and why you should ask them
  1. What problems and/or challenges do you solve?
  2. How is the solution implemented (architecture)?
  3. How does your product work?
  4. What is the value proposition?
  5. Does the product have a ‘killer feature’?
  6. On average, how long is the typical deployment?
  7. How much effort does the product take to maintain?
  8. Who is your competition?
  9. What is the one feature that differentiates you?
  10. How do you measure the success of the product?
  11. What is your ideal customer?
  Actual software product manager hard at work...

  • 18. Who Should You Ask?
  “It depends”; however, typically these are some of the better roles to handle product questions (in order):
  1. Founder & CEO/CTO
  2. Product Management
  3. VP of Marketing or Product Marketing
  For technical questions, the VP/Head of Research and Development is typically the best source.

  • 19. Agenda - Buckle up! (Part 0: Problems and Goals; Part 1: Shopping; Part 2: Evaluation; Part 3: Ownership)

  • 20. Evaluation Checklist
  1. Define goals and objectives (success metrics)
  2. Set up the correct test data and/or environment (it’s okay to cheat, à la downloading bad domains vs. looking for them)
  3. Testing in the lab, but perhaps with real data from the network or log sources
  4. Continually testing various scenarios based on real-world experiences
  5. Does it actually work?
  6. How much effort will it take to make it work (value:labor ratio)?
  7. How long will it take to implement (time-to-value)? 18 hours, days, weeks or months?
  8. How easy (or difficult) will it be to operationalize it?

  • 21. Types Of Evaluations
  ● Hands-Off - You’ve spoken to the company at a high level and seen a technical demo. You’ve talked to analysts and companies using the product and received feedback.
  ● Open-Source / Free Trial - Typically limited in features, but allows you to conduct a very scaled-down test. May only involve you, the security person, and if you find something good, you tell others.
  ● Pre-Configured Testing - The vendor sets up a test, using fake data (or data that does not come from your environment). Allows you to explore all of the functionality (typically only involves you).

  • 22. Types Of Evaluations (2)
  ● Evaluating in your own lab - You’ve set up your own virtual/cloud environment that does not mirror your production systems but allows you to test solutions on your own. This may involve other people in your organization.
  ● Evaluating in a mirror - Mirror your production/test/QA/other environment and do the testing, likely with some others in your organization.
  ● Evaluating in production, limited implementation - In collaboration with other groups, implement the solution in a small sample of your network/systems. Typically this will include vendor support, at varying levels.

  • 23. Agenda - Buckle up! (Part 0: Problems and Goals; Part 1: Shopping; Part 2: Evaluation; Part 3: Ownership)

  • 24. Long-term Ownership
  Consider:
  ● The True Cost metric
  ● The post-purchase relationship
  ○ Second-class citizen?
  ○ Did you “plan to ditch before you hitched?”
  ● Is there still technical value?
  ○ Overlap with other products?
  ○ Shift in threats?
  ● Does it still make financial sense?
  ○ Can you do it cheaper?
  ○ Hand off to MSSP?
  ○ Run in the cloud?

  • 25. Avoiding “Shelfware”
  The solution has to be practical, meaning it is:
  ● Aligned with business goals and objectives
  ● Solves actual problem(s)
  ● Makes jobs easier, not more difficult
  Really cool != practical (but I still want one)

  • 28. Storytime!
  1. Staff was oblivious
  2. Symantec
  3. FireEye
  4. Phone calls

  1. Staff was very aware
  2. Web Scanner (DAST)
  3. Network Scanner
  4. SAST tool
  5. SSLV malfunction
  6. Custom Snort rule

  • 29. Storytime!
  Every company breached had security products. What went wrong?
  1. Understand the product’s coverage and limitations
  2. Understand your staff’s coverage and limitations
  3. Learn to use tools effectively
  4. Test systems, tools and staff

  • 30. Resources
  Product Evaluation Form (Google Doc)
  Incident Cost Calculator (Google Sheet)
  When to purchase a ‘solution’ to your cybersecurity problem (Blog Post)
  What is your product and what does it do? (Blog Post)
  In the SlideZip:
  ● From the CISO’s Guide to Startups
  ○ Slides
  ○ Handout and Appendices
  ○ Vendor Expo Challenge
  ● Some of the blogs from the left
  ● Product/Vendor Evaluation Form

  • 31. For the handouts, email sawaba@zip.sh with infosecworld2019 in the subject or scan this QR code →
  Twitter: @sawaba
  Blog: https://medium.com/@sawaba
  Twitter: @securityweekly
  Email: paul@securityweekly.com
  Podcasts: https://securityweekly.com/subscribe
  THANK YOU
  Please Fill Out Your Evaluations