With information security threats on the rise, vendors are releasing a slew of data protection solutions. Sergio Bertoni, Lead Analyst at SearchInform, suggests following 4 steps to choose the right one easily and avoid mistakes.
The proportion of information security (IS) incidents in which data is exfiltrated is increasing year by year, from 40% of cases in 2019 to more than 77% of cases in 2023, the Allianz Risk Barometer showed.
As threats grow, so does the supply of IS software and services on the market. However, choosing a solution that fully meets the company’s needs is quite a difficult task, especially if you are not a CISO or IS specialist. The main reason is the lack of detailed descriptions of solutions’ features in the public domain. Moreover, their prices are not published on websites either. All a CEO or top manager sees on the Internet is marketing. But it is reckless to choose a security solution just by its attractive wrapper.
So, how do you distinguish quality solutions from those that are known mainly through effective marketing, and choose the right one? Here is a guideline to tackle this challenge.
1. DEFINE YOUR WEAK POINTS
Budgetary obstacles aside, the first step is to identify what information security issues need to be addressed. To find the software or service that would meet your business or organization’s needs, you should make a list of problems and gaps in your security system that the chosen solution would target.
For example, your main challenge may be protecting data from external threats such as hacker attacks and phishing. But maybe the most acute issue for your company is employee discipline and low productivity, or suspicions that someone might be involved in corporate fraud or leaking data to competitors.
When you have a list of problems and challenges, it's easier to understand which class of solutions is right for your enterprise data protection.
2. DO SOME QUICK RESEARCH AND SHORTLIST PRODUCTS
As our experience shows, it is useful to refer to the comparison reports and rankings of security solutions that are available in the public domain, such as the Gartner Magic Quadrant.
Explore what solutions are available on the market, why they are divided into classes, what their main features are and what tasks they are oriented towards.
Note that vendors provide protective solutions in two ways: as software and as a service. The first is for the in-house model of information security. It means that a company purchases the software along with hardware and hires an IS specialist to manage it.
The service model is about delegating information security to a vendor, which will take care of all aspects related to the system: from deploying the solution on corporate PCs to data monitoring, preventing incidents and providing analytical reports. This way, the company does not have to incur additional costs to purchase the equipment.
After analyzing solutions and their features, shortlist 5 that seem most suitable to your company’s needs. Then enter these solutions in a table, with the shortlisted products down the vertical column and your requirements across the horizontal row. After that, put pluses and minuses against each solution, depending on whether it meets each need or not.
Note that publicly available comparison reports should not be trusted 100%, because they may not have been compiled by an independent source. And even if the source is independent, its analysts could not have tested all the products physically. However, this shortlisting helps to identify the 2 out of 5 products that suit your corporate network best for further testing.
Compiling such a table of pros and cons clearly shows which solution is suitable for your business or organization. For example, you may have a particular operating system or mail server. You check whether the software or service you're considering supports it and give the product a plus or a minus.
3. TEST THE SOLUTION OR SERVICE
The next stage is to test the selected solutions in practice. It will help to assess whether the product solves your tasks, how convenient it is to use the solution, and how the software works in general. You will also find out the solutions’ strengths and weaknesses.
A significant advantage to take into account when selecting data security software or a service is the opportunity to test it for free. Why so? A vendor that is confident in the product’s quality assumes that after the free trial, the end user will purchase it.
3.1. Use the solution to its fullest capacity
A strong recommendation while testing the solution is to make the most of it. For example, install the system on 1000 computers, even if you only need it on 50. There is always an opportunity to deploy the solution to a smaller number of PCs after the free trial ends.
This step is necessary because systems work quite differently depending on the load. In our experience, most DLPs, for example, work great when installed on 10 computers, some work well on a thousand or more computers, and only a few work fine when installed on 50,000 or more computers.
3.2. Operation of technical support
When considering solutions for data protection you should also pay attention to how tech support is provided and how the work with the client is organized. This is one of the key points because you cannot buy the solution or service without support from its developers.
First, all data security solutions need to be updated from time to time, because new technologies, including communication channels, keep emerging. Besides, existing ones, especially messengers, are changed often.
So, a company that purchased a security solution needs to be provided with technical support from the vendor to deal with these issues.
For example, Zoom was not so widely used until the COVID-19 pandemic hit the world, but then it became one of the main means of remote conferencing. Consequently, security systems needed to be extended to manage data transmitted through the new platform.
3.3. Software compatibility
During the free trial, you need to make sure that the data security solution does not affect the functioning of other programs and corporate networks in general.
This step is crucial for avoiding cases like that of one end user of our service, who had previously deployed security software from one of the vendors: after the solution was implemented, AutoCAD, the key program for the company’s operations, became almost impossible to use.
Another client told us that the data protection system that he used previously caused severe slowdowns on all computers on which it was installed.
4. ESTIMATE THE FULL COSTS OF INFORMATION SECURITY PROTECTION
The final step is to evaluate how much the business will spend on establishing an information security system using a particular solution.
Note that building an IS system according to the in-house model is always more expensive than using the service, because it involves purchasing the software, licenses for deploying it on each computer, and hardware, and employing highly paid IS specialists.
If a software purchase and the related costs are beyond a company's capabilities, it may be worth considering a managed security service (MSS). We at SearchInform, for example, provide a service for protection against internal threats, which, as our experience shows, cause the most severe financial and reputational damage to businesses. Our IS specialists take on service implementation, management, incident prevention, and regular reporting.
Then, compare your potential costs to the benefits that your company will get after implementing the chosen security solution. Keep in mind that purchasing a data protection solution means investing in a secure future for your company. Security solutions empower businesses to avoid not only data breaches, but also violations of legal requirements, and therefore fines. If the solution you have chosen provides employee activity monitoring, it will help to increase staff productivity and improve discipline at work.
Thus, the money invested in information security will pay off. However, this will only happen if the solution is chosen correctly and it fully meets the needs of a business.
OUTCOME
Following these four steps will help you choose the right solution and not fall for marketing tricks.
Nevertheless, if you decide to implement software or use a service, it must help you to tackle real issues, not fictitious ones. Remember that a solution that suits your business and eliminates the gaps in the IS system will certainly bring economic benefits.
The effect of the IS solution should be synergetic: you avoid financial and reputational damage due to the prevention of data misuse, but at the same time the employee performance improves.
I hope that this guideline will be useful for you on your way towards a comprehensive information security system. The fact that you have thought about improving your level of data protection is already a success.