Short on security expertise? You can still choose the right solutions

Finding the right security solution can be challenging for a small- or medium-sized business (SMB), not only because of their size, but because they often make mistakes when choosing vendors. With the application of some best practices, though, the process can be less fraught with stress.

SMBs have three disadvantages when dealing with security vendors, observed John Pescatore, director of emerging trends at the SANS Institute, an information security training, cybersecurity certifications and research company. “Since they’re small, they have less leverage over a vendor compared to a larger company that’s going to spend millions,” he says.

“They usually have smaller staffs so they can’t use the products that bigger companies use,” he continues. “So, if they try to copy the big companies, they end buying the wrong products.”

What’s more, he added, “They typically don’t have a dedicated security person that can go to shows and meet with security vendors during the year and keep up with the latest trends.”

Common purchasing missteps

Common mistakes made during the search and purchase process can compound obstacles related to size and available resources. For example, an SMB might buy a solution after superficial research. “The problem there is that they are starting from the wrong place,” maintains George Anderson, director of product marketing for Webroot, an internet security company.

“They need to invest in getting an independent security audit done so they can understand the risks and the security technology or services they really need,” he says.

Pescatore adds that SMBs often take the path of least resistance when shopping for security solutions. “That can lead to the cheapest solution or the easiest to buy, which often works out to not be the cheapest or the best solution,” he notes.

Initial pricing isn’t as important as the time costs of a solution, adds Anderson. “What matters are the costs involved in deploying the solutions, optimizing their operation on a day to day basis, and the training and support provided by the vendor,” he says.

Integration is another area where SMBs can make missteps. “They fail to consider the importance of integration of their security tools so they end up with several disparate, standalone point solutions that make it difficult to get full visibility across their business,” says Aaron Sherrill, a senior analyst with 451 Research, a research and advisory company.

He adds that SMBs also make the mistake of having too much faith in technology. “They assume the technology itself is going to fix all their security problems,” he explains. “They fail to consider the services that are needed to go along with that technology, which is not just plug and play and forget it.”

And SMBs also fall victim to one of the biggest mistakes of all: believing what vendors tell you. “One of the most common mistakes that SMBs make is falling for the marketing hype that drives the security space,” says Alex Peay, a senior vice president at SaltStack, a provider of intelligent IT automation software. “That includes general fear mongering as well as over-selling of the capabilities of the product set,” he adds.  

Gather knowledge first

When starting the search for a security solution, it’s a good idea to take an inventory of your existing resources. “SMBs need to start the evaluation process by considering what security expertise they have in-house so they know whether they will be looking for solutions managed internally or those that can be managed by a third party,” recommends Terry Ray, a senior vice president and fellow at Imperva, a web application firewall maker.

Since most SMBs don’t have a lot of expertise in-house, they will likely need to look for some outside help. One source of good information is Information Sharing and Analysis Centers (ISAC), which are forums for sharing cyber and physical threats and mitigation strategies organized along industry lines. “SMBs participating in those can take advantage of the expertise of the biggest companies and, if nothing else, they get a chance to network with other smaller players in their industry that have the same problems that they do,” SANS’s Pescatore explains.

Hiring an outside expert can be valuable, too. They can help you identify what defenses are really needed and determine what risk levels you should be prepared to accept. “An SMB can’t spend unlimited dollars on security,” says Jason LaPorte, CTO and CISO of the Power Consulting Group, a provider of professional technology solutions, support and management services for small businesses. “They have to be smart with their money,” he continues, “and put their dollars where their best bets are, where they get the most bang for their buck.”

“You have to do a gap analysis of your company’s environment,” LaPorte says. “Look at your compliance needs and what your threat landscape is. From there you decide what you need, as opposed to asking, ‘What’s the best security product out there for me?'”

Find a security framework

Vendors being vendors, they’re going to push their solution into your mind. “You have to be careful not to get into a tail wagging the dog scenario where the vendor is presenting a solution to a problem that may not be a problem you’re focusing on,” says Doug Graham, chief security and privacy officer at Lionbridge, a provider of language translation and testing services.

One way to avoid that is by adopting a control framework and requiring vendors to describe their products in terms of that framework. Frameworks available include the Center for Internet Security (CIS) Controls and the NIST Cybersecurity Framework. NIST also makes a special framework for SMBs. “If you put the onus on the vendors to describe what their product actually does within a specific control framework, you can normalize what the products do,” Graham explains.

“Some of the savvy vendors are already doing that,” he adds. “If you look at their web pages, you’ll see their products mapped against particular control frameworks.”

With a framework, an SMB can do a quick gap analysis and identify the areas where it needs to strengthen its security posture. “Once you know what those gaps are, you then need to prioritize them, and that will dictate the technology that you’re going to bring in,” says Paul Furtado, senior director for midsize enterprise security at Gartner, a research and advisory company.

He cautioned that it’s important that a vendor explain how its product works in a framework. “A vendor can easily check off ‘yes, we do that,’ but their mechanism to do that may be cumbersome and may create work rather than reduce it, or it may not integrate well with other tools,” he observes.

PCG’s LaPorte warned that frameworks are not simple-to-use tools. “It’s a best practices tool, but not every best practice applies to every company,” he explains. “Things might be missing from the framework for a specific industry or company, and there might be things that don’t make sense for an industry or company.”

“There can be so many checklists in some of the frameworks that they can be daunting to an SMB,” adds Akshay Bhargava, chief procurement officer with Malwarebytes, a cybersecurity solutions provider.

Don’t forget people

An aspect of vendor selection that’s often overlooked is the talent cost of new technology. “As you select vendors, you have to find solutions that help automate and simplify the administration of the infrastructure you are using,” SaltStack’s Peay observes. “If you don’t, you will find yourself looking for security experts.”

That can be problematic in the current job market. “There’s a major talent shortage,” Bhargava says. “SMBs are facing the brunt of that in many ways. It’s hard for them to hire specialized talent, and it’s expensive. The more you can automate tasks, the fewer people you need to spend time on them and the less specialized talent is required.”

SMBs should look for technologies that automate manual processes, such as reviewing alert and traffic information, adds Imperva’s Ray. “These types of systems decrease the workload on a security team rather than adding to it, and most importantly they decrease the expertise traditionally required of a security professional,” he says.

“With these modern systems,” Ray adds, “security teams can remain small, yet get more attack context and immediate notification when bad actors are present.”