The selection of a security solution is a critical decision for an information security program. With the plethora of security solutions available, finding the best fit for an enterprise and its security needs can be a challenging and time-consuming task. When cost constraints are added to the picture, the selection process becomes even more difficult. There is a temptation to go with what is already familiar or to select a solution that is already in use at a similar organization. But the best place to begin is by identifying the critical functional requirements for, and restrictions on, a security solution. The goal is to define, in a vendor-neutral fashion, a generic prototype of the security solution being sought. This should be done before any vendor research. The same process should also spot attributes of a solution that may clash with the organizational environment.
While security staff should consider a wide range of security solution options, it is generally more cost-effective and a better use of time to narrow the field. In the absence of clear criteria, staff may feel obligated to include the whole universe of security solutions, resulting in analysis paralysis. Established criteria narrow the focus to what the organization actually needs in order to eliminate gaps in its security perimeter, complement existing security technologies and processes, and achieve regulatory compliance.
The best way to ensure that this occurs is to establish a defined and repeatable process for identifying and selecting security solutions. A security solution needs to fit an organization like a great business suit: it needs to be custom-tailored to look and feel right and to make the best use of the expenditure. It is critical to identify and evaluate security technology solutions carefully in order to maximize the potential for a successful implementation.
Read Kerry Anderson's recent Journal article: "Evaluating Information Security Systems," ISACA Journal, volume 2, 2015.