CIOInsider India Magazine

CISO's Look Before You Book!

Sanil Nadkarni, CISO & DPO, SLK Global Solutions

SLK Global Solutions focuses on delivering comprehensive, technology-driven products and solutions for the mortgage, banking and title industries. Backed by a team of 3000+ experienced professionals, the organization has established its footprint in the USA, the Philippines and India.

CISO Guide to Procuring Security Products and Services
Today, the perils that third-party vendors or products bring into your organization are on the rise. According to recent surveys, more than 45 percent of products and services do not undergo a thorough risk assessment prior to procurement.

As CISO, you have been bestowed with the responsibility of procuring the right security products or services for your organization. A torrent of technology products and a slew of vendors and services to choose from often leads to pandemonium. Buying a product is, in reality, akin to haggling in a fish market. There is no silver bullet for buying the right cyber product or service; however, the pointers below may help you make the right choice and take the right decision.

1. Align it to Organizational Objectives – The product you finally choose should align with the overall business objectives of the organization. Cyber security products should have longevity and should be scalable and interoperable while bringing more value and return on investment to the organization.

2. Vendor Review and Comparison – Evaluating your needs and doing research is prudent before making the final choice. Peer review is a lucrative way of reviewing a product, as it gives you more real and honest feedback about it. In addition, online comparison services can assist with comparing products side by side; they analyse the products and give a more granular review, combined with more legitimate user reviews.

3. Vendor Due Diligence – How often do you end up reviewing a fancy presentation full of fluffy talk from the sales team? Behind the flashy presentation there could be an ostentatious trap. Hence, prior to zeroing in on a vendor, thorough vendor due diligence should be performed. The reputation of the third party should be validated and independently reviewed. For all critical vendors, a thorough onsite assessment should also be carried out, and the vendor's scorecard should be reviewed and validated through various market sources.

4. Air-Tight Contract – A lengthy sheaf of contract pages scares most of us, which tempts us to perfunctorily turn to the last page and sign. However, before the ink touches the paper, we must ensure that the contract is meticulously reviewed for hidden caveats. The NDA and basic security hygiene requirements should be clearly articulated in the contract. SLAs should be mutually agreed with the vendor, and penalty clauses should also find a place in the contract to keep the vendor on their toes.

5. Integration – With the infusion of cloud and mobility platforms, product integration is all the more complex. Comprehensive integration testing and interoperability testing should be carried out prior to stitching the product into your ecosystem. For example, you may need to see your log data alongside your anti-virus report data. If these systems can’t ‘talk’ to each other, your ability to gain valuable insight into your company’s operations is compromised. Systems should have open APIs and should be able to integrate seamlessly with all other products.

a. Testing – Products may not behave the same way you saw them behave in the board room during the sales presentation. Therefore it is important to carry out a POC and subsequent user testing of the product or service across its entire feature set. Component testing of the product should also be performed diligently.

b. You may need a keen eye to pick out, from the sea of features, the ones your business actually needs. It’s productive to determine all your needs first. For large-scale deployments, it is advisable to take a phased approach.

6. Training and Delivery – Good product training helps companies increase revenues by at least 69 percent, according to a study conducted by Experticity.

Enterprise software and solutions are often complex and intricate, with many touch points. A formal training plan can have a lasting impact, solve teething issues and deliver long-term benefits. It’s always advisable to check that the talent, competency and skill sets needed to operate the product are available in the market.
