Dave Bittner: [00:00:03] Every day, there seems to be a new security product on the market, with many of them claiming they provide something that you simply can't live without. Companies appear and disappear, and businesses are faced with difficult, confusing and often expensive choices. In this CyberWire Special Edition, we explore how businesses are navigating the process of choosing products and technologies in a crowded marketplace. We talked to some key stakeholders to find out what drives their purchasing decisions and what they wish their vendors knew before they came knocking on their doors. Stay with us.
Dave Bittner: [00:00:41] Time to take a moment to thank our sponsor Cylance. Are you looking for something beyond legacy security approaches? Of course you are. So you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily, and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance - artificial intelligence, real threat prevention. And we thank Cylance for sponsoring our show.
Emily Mossburg: [00:01:35] Well, I think that we've seen a lot of change in terms of the process for buying solutions around security.
Dave Bittner: [00:01:43] Emily Mossburg is a principal at Deloitte in their Cyber Risk Services practice, and she leads their secure portfolio of offerings. In their role as consultants, her team provides expert advice to their clients on choosing cybersecurity solutions from a variety of vendors.
Emily Mossburg: [00:01:59] And I think that if you were to look back five to seven years ago, a lot of the focus was on making sure that you had the newest bells and whistles. And there was a whole lot of focus on new functionality and new ways - really, focus on monitoring and getting more intelligence into the organization. And I think that that's still something that's very important - is getting more intelligence. But I think that people are really focused more now on, how are all of the different solutions that I have going to fit together? And how am I going to integrate together these solutions to get the most intelligence, the most information, the most value and the most efficiency for my organization in the whole patchwork of different solutions that I have?
Emily Mossburg: [00:02:52] So I think that there's just much more of a focus on the way in which solutions will integrate and work together versus just standalone functionality.
Michael Singer: [00:03:02] There has been a shift in the industry from buying devices and boxes - appliance is usually what we call them in cyber - to being able to get software-only, virtual types of security services to work on our own infrastructure.
Dave Bittner: [00:03:21] That's Michael Singer. He's executive director for technology security at AT&T, the largest telecommunications company in the world.
Michael Singer: [00:03:29] You face a challenge of, what is it that you're trying to solve? And then if there's already someone who has solved that problem, it just doesn't make sense to construct it, to build it, to have the development cycle and to have your people doing it because it's already been solved. That's probably the most important place to start in your process - is, you know, what's out there - that awareness that you have.
Vilas Naralakattu: [00:03:56] We generally tend to look at the 800-pound gorillas in the market and try to see how they fit within a firm our size.
Dave Bittner: [00:04:03] Vilas Naralakattu is the technology manager for Pinnacle Advisory Group, a private wealth management firm with about 50 employees and offices in Maryland and Florida. They're an established, successful small business with substantial cybersecurity needs.
Vilas Naralakattu: [00:04:18] Encryption is pretty significant in terms of how we are choosing the software that we use. And the SEC, the Sarbanes-Oxley - they all have security measures all built in. If you're not adding some of those security pieces, you're out of compliance with the SEC, right? So in terms of how we transmit data between our clients and ourselves, how we store it on our systems, how people access those systems and what are the permissions around that - all of that is part of the regulation.
Emma Garrison-Alexander: [00:04:47] One of the things that was important to my role at TSA was for the security posture of the organization. I had the core responsibility for the cybersecurity posture in the organization.
Dave Bittner: [00:05:01] That's Dr. Emma Garrison-Alexander. She's currently vice dean of cybersecurity and information assurance at University of Maryland University College. And prior to that, she served as chief information officer and assistant administrator for information technology for the TSA under the Department of Homeland Security.
Emma Garrison-Alexander: [00:05:18] We used the defense in depth strategy. So it's not a one-size-fits-all, but there were a multitude of products and services necessary to provide the level of security that would be needed for a federal organization.
Dave Bittner: [00:05:32] So we've got a spectrum of perspectives - a small business, a major telecom provider, a large government organization and a consulting firm that helps connect buyers and sellers.
Vilas Naralakattu: [00:05:46] A lot of the decision was around, how is a point-to-point encryption - how do they maintain their usernames and passwords? And how do we transfer that information around?
Dave Bittner: [00:05:55] That's Vilas Naralakattu from Pinnacle Advisory Group.
Vilas Naralakattu: [00:05:58] We wanted to go down the path of choosing a dual-authentication system. I had talked to other firms and also a firm that does cybersecurity for RIAs - for independent advisers. I had a conversation with them, and they said, this is the software that we use for our own employees. And so the dual authentication came that way, where I - we tested them, we had an internal meeting with them where they demo'd their system. They showed us how we can get a good report suite in terms of who's connecting to the system - how are they connecting to it? Are they out of compliance? And what are the steps that we can take once - if somebody is out of compliance that is using the software? How do we mitigate those risks?
Dave Bittner: [00:06:46] That's a pretty common way to get started with any purchasing decision - asking around to people you trust, gathering opinions from colleagues who've already been down the path you're travelling. But for Naralakattu, that's just the first step.
Vilas Naralakattu: [00:06:57] There's a trust and verify - right? - especially security related. You want to trust what they're saying, but you also want to really put them through the wringer as much as possible. And so before buying anything, any company should be willing to give you a trial or test out their software to make sure that it is viable and really what you're expecting.
Emily Mossburg: [00:07:16] I think that doing some level of proof of concept - pilot, bake-off, whatever you might want to call it - I think is exceptionally important...
Dave Bittner: [00:07:26] That's Emily Mossburg from Deloitte.
Emily Mossburg: [00:07:28] ...Because I do think that there are a lot of small details that often play into how well a solution actually works in an environment. And I think, in some cases, you don't really understand some of the complications until you see them up close and personal. And that can be things like, can the product actually handle the volumes that are going to be created from - you know, maybe, it's a log perspective. Maybe it's an alert perspective. Maybe it's the flow of data and how fast the data is flowing through, depending upon the type of solution. And you want to be able to see firsthand, can this solution actually handle the volumes that I have within my organization? Can it handle the speed at which my organization needs to operate? Is it really going to interoperate with this - whatever it needs to interoperate with the way that it states that it will in, you know, the product's FLIX (ph) and the product's specification?
Dave Bittner: [00:08:34] That's the experience they had at Pinnacle Advisory Group with a security product they were ready to buy, the one that looked great on paper and in the demo.
Vilas Naralakattu: [00:08:41] It sounded great on paper. But when - then when you really put it in, either in production or in a trial period, we realized that it wasn't exactly what we wanted. And so we ended up going a different way for it, especially for the dual authentication pieces.
Dave Bittner: [00:08:56] Mossburg says that kind of outcome isn't that unusual.
Emily Mossburg: [00:08:59] We've seen clients go into a bake-off-type situation thinking, you know, there was a very clear leader, a solution they really thought was the one that they were going to go with - through the course of the actual test cases and the use cases that they need to take that product through, realize that while there are certain components of the functionality of that product that are exactly what they need, some of the ways in which that product operates led them down the path of, we actually need to go another direction here.
Dave Bittner: [00:09:35] Since they're in the financial services industry, any product up for consideration at Pinnacle Advisory Group has to satisfy regulators, too.
Vilas Naralakattu: [00:09:43] Not only do - does the SEC come to us and say, you know, what are you doing to protect yourself, but how do you know that the people that you're working with are protected, right? So a company coming to us - it should be able to prove to us how they are protecting their data. And what audits do they have in place to make sure that they continue to be secure?
Michael Singer: [00:10:08] We've probably bought one of everything along the way. We have a group that tests everything in a lab. I would say that they probably have one of each item that we've seen, you know, over the last two, three decades. And they still have some of that stuff up and running.
Dave Bittner: [00:10:22] Moving from a small business to big business - really big - AT&T's Michael Singer says vendors need to consider the size of his organization when they come knocking on his door.
Michael Singer: [00:10:32] I've seen a lot of cases where the ability to scale is just obvious up front. But we - there is something that will work, but not at scale. And it wouldn't work for a medium or large business, and it wouldn't work for a carrier - that kind of thing. So you have to always be thinking about taking something times 10 and times a million or times a billion. You don't tell us that we were going to run this on a small machine, and it's going to be in, you know, a single instance.
Michael Singer: [00:11:05] I also think that they should know by now that it is important to have separated the hardware and the software - that we want to be able to run a lot of instances on the hardware that we select, as opposed to having that - the coupling back to an appliance. That's a really big one.
Dave Bittner: [00:11:26] And when you knock on a big company like AT&T's door, it's important to knock on the right one.
Michael Singer: [00:11:31] We have what we call the AT&T Foundries, where we are intentionally trying to outreach, and there is an opportunity to do fast pitches through the AT&T Foundry. So that's the right way - a good way to start to share with the people who are really bright at AT&T. And it's much more effective than just sending email over and over.
Michael Singer: [00:11:58] And I will add that, you know, at AT&T, we have John Donovan who leads us. He deliberately asks us to take a look at small, innovative players and what they're doing, what they're doing differently. Is there something we're trying to do that it can do faster in a different way, you know, save you costs and put you in a better position, too? - 'cause it's more effective than some of the things that we've used in the past. So it's part of our strategy to always be looking at those kind of smaller solutions, the most innovative solutions and look at those alongside the stuff that you would see on your usual, you know, industry chart.
Dave Bittner: [00:12:41] In terms of preparation, Michael Singer has this advice.
Michael Singer: [00:12:45] There's nothing as good as actually doing it. So you can run tests, and you can have the ability to generate traffic and to show things at scale. But the best, you know, way to learn, really, is to have real data, real traffic. So, you know, as - I guess, as they're making their business plans and picking their partners, they need to be thinking with an eye toward just a lot of data - a lot of diverse data, a lot of volume and maybe even, you know, different types of customers and segments so that when they come to you with their solution, they have already kind of seen everything, and they're not learning for the first time as you experience different types of traffic or you hit new thresholds in volumes.
Emma Garrison-Alexander: [00:13:42] So as with any acquisition within the federal government, TSA was operating under the Federal Acquisition Regulation.
Dave Bittner: [00:13:49] That's Dr. Emma Garrison-Alexander, former CIO of the TSA.
Emma Garrison-Alexander: [00:13:53] And we also have this Competition in Contracting Act, you know, where we have to make sure that we were using full and open competition, as well as making sure we were following the FAR in terms of the legal responsibilities and also the policies surrounding acquisition. So TSA was under the same rules and policies and laws as any other civilian agency.
Dave Bittner: [00:14:18] Federal organizations like the Transportation Security Administration, the TSA, have a lot of regulations to follow. They also have a lot of money to spend.
Emma Garrison-Alexander: [00:14:26] My budget that I managed and oversaw was $450 million annually, and then I had an oversight for IT that was outside of the direct purview of the CIO of about $278 million. So those acquisitions had to come across my desk for approval, as well. So because of that level of budget, there were many, many different companies with an interest in coming into the agency and doing business with the agency. And so I actually had a strategic engagement organization that actually looked at the various companies that were interested in coming in, looked at their products and services and also how they might fit into the organization.
Emma Garrison-Alexander: [00:15:11] We also had a small business requirement, you know, to do business with small businesses. So we were always looking for small businesses that might be able to support us, as well, and to learn more about them. It's important for them to know the organization. And part of what we get through that strategic engagement part of the organization was kind of getting to know them because at the end of the day, we still have to adhere to the Competition in Contracting Act, which is a law that's really about creating competition so that the government can get the best bang for their buck, the best value for their dollar and to try to lower prices and to have more competitive pricing.
Emma Garrison-Alexander: [00:15:53] So we would still end up there, but what engaging with the various companies would do for us - it really was an education process for us. It helped us to understand what was possible within the marketplace. It also helped us to understand where the gaps were. You know, the government in general does not move fast, but there are ways to be creative, stay within the regulations and the laws, look at more innovative approaches so that things can move along faster by being slowed down. But that is a challenge. It's a challenge, I will say, for anyone within government that's working within the acquisition process. It is definitely a challenge.
Dave Bittner: [00:16:34] She also emphasizes the importance of doing your homework.
Emma Garrison-Alexander: [00:16:38] Make sure you know the organization. Make sure you understand the mission, understand their requirements. And that does not mean requirements from a contractual standpoint, but the kinds of needs that the organization might have. The other things - organizations are allowed to submit white papers to the government with ideas - innovative ideas, in particular. And that sometimes is a way to get your foot in the door for a meeting. Like, you have some conversation.
Emma Garrison-Alexander: [00:17:06] Also, it's important to understand government processes - how the contracting process actually works. I think it's also important for companies to know, who or what organization is this particular agency working with now? What companies are they doing business with now? Find out something about those companies so that you can kind of get a sense of the culture, of the environment. I would say, also spend some time, you know, maybe talking to previous employees or previous companies.
Emma Garrison-Alexander: [00:17:34] So there is this information gathering piece, I think, that's really, really important for those individuals who want to have an opportunity to come into an agency to talk about their products and services or if they're going to respond to an RFP - request for proposal - on a particular need of an organization. People would be amazed at how companies who really know the process don't even follow them well. And they don't necessarily respond to the RFP appropriately, and so it's really important to pay attention to detail. We all would just assume that all of these companies do those things. They do not, and it always surprised me.
Emma Garrison-Alexander: [00:18:18] So really following the rules, understanding the procedures, answering the questions that are asked in the RFP is really important. You will have an advantage if you really do that. And then always look for innovative ways to help the government in their mission and their ability to carry out that mission.
Dave Bittner: [00:18:42] What about service after the sale? Our experts agree that the ongoing relationship with a vendor after the contract has been signed is a critical part of the equation.
Vilas Naralakattu: [00:18:51] Solid communication - really, that's it. I mean, I want communication as to what is going on in the industry. I want to know if they're having any problems. I want to know about it versus telling them about it. I want them to be telling us, hey, we found this. There's a lot more confidence when you're being told that there is an issue and they're working on it, as opposed to us finding it and they're like, oh, I got to fix this now, right? So communication is really the key on that one - is I want to know what they're working on. I want to know how it's going to affect us. And I want to know - if anything has happened, what are they doing to address it?
Emma Garrison-Alexander: [00:19:27] We have something that we would often refer to as incumbent-itis. And that's where you have a company that has been inside of a government agency for a period of time, and they become somewhat lackadaisical, you know, because they have the business. They can get comfortable. And so my goal was always to ensure that they never get comfortable, that they always understood that we are paying good money - it's taxpayers' dollars - for your goods and services. And you have to deliver, and you have to do it at a level that is acceptable to the government and to ensure that the government is really getting the right value for the money that they are putting into their product or services.
Emma Garrison-alexander: [00:20:09] I think that the expectations for the vendors really come back to accessibility - making sure that as there are questions or potential concerns related to the way in which a solution is operating, that there is that ability to have a back and forth communication around how things are going, what the issues might be, how quickly, if there is an issue, it can be resolved. And I think that in many cases, we see it over and over. You know, our clients just have a lot of expectation that they are heard, and they feel like their concerns are being acted upon once they have a product in the production environment.
Michael Singer: [00:20:53] The other thing that can happen in the industry as things change - you have a lot of your supplier partners getting acquired or merging. And it does happen that the new owner may make changes and may even decide to declare end-of-life support and then maybe even - they're not even going to let you run a particular solution anymore. So you have - out of necessity, you have to either find some other way to support it, work with another supplier partner or do it yourself when those situations occurred. And I think whenever you have stuff that works really well, sometimes you run it for a long time, and it - as quickly as things are changing, once you get past three years, five years, you know, you're definitely going to look at those type of situations to protect you from situations where you'll have something go unsupported.
Emily Mossburg: [00:21:52] The last thing that any client or the vendor wants, for that matter, is for something to be deployed, for it not to work as well as expected and for it to become shelfware. And one of the key roles, I think, that we play in making sure that solutions are deployed and used is to make sure that the deployment is sound; that the product and the solution and the processes and the people at the client site have enough understanding of the solution that it operates well; and that then it continues to evolve with the client's environment so that it stays relevant, and the configuration is updated as needed. So it's really just, how can we keep that solution going and alive and providing the most value to the client? And that's what's the most helpful to both the client and the vendor.
Dave Bittner: [00:22:49] Both Emily Mossburg and Emma Garrison-Alexander have some insights for sellers to make it easier for those doing the buying.
Emily Mossburg: [00:22:56] So much of the emphasis and focus is on the actual technology itself and the way the technology works, and that's very important. But there's not as much emphasis as I think there should be in terms of, what is the true business purpose that a client needs this solution for? What is the challenge that they're facing? And how is this piece of software or this solution or this product going to help deal with that business issue? And I think that we're seeing more and more a demand from our clients that - you know, don't just talk to me about the technical functionality and the bits and bytes associated with the solution, but help me understand how this is going to help solve my business problems.
Emily Mossburg: [00:23:44] And so I think we're also seeing with that more of a focus on having an industry lens associated with understanding how a solution fits in because the fact that, you know, what data you're trying to protect - it becomes more important because of the fact that the type of adversary and the motivations of those adversaries are so targeted based on industry. Being able to talk about how the solution assists as it relates to that particular enterprise and that particular industry that the enterprise is in is something I think we're seeing a lot more demand for today.
Emma Garrison-Alexander: [00:24:24] So I think some of the challenges have been around integration of the various products to ensure that you have the best solution and you have the best security posture within your organization because, you know, businesses are in business to make money. If they're not making money, they're not in business. And so trying to manage the integration across products and services and ensuring that those things go well - that is one area I think that the industry still needs to do a better job of. You know, doing more across compatibility, doing more with common standards, more with testing to ensure the various products work well together - that's a very important area that needs much work, I believe.
Emily Mossburg: [00:25:10] One of the most interesting things that I've found in some of the conversations that we've had with some of the VCs and the startups - and many of these are in their infancy. But they talk to us, and they tell us so much about the cool functionality of their solution. And it is really cool. In many cases, they talked about some pretty interesting things. But when we start to ask questions like - we'll talk about in what case a client would want to deploy this, talk about the use cases of why a client would need this, talk about who the buyer is. They're more focused on the cool technology than the applicability, right? And so I think that making sure that you understand the applicability of your solution is so important, especially as you want to start to make a more senior-level, impactful, larger sale. The applicability cannot be underestimated.
Dave Bittner: [00:26:21] And that's our CyberWire Special Edition. Our thanks to Vilas Naralakattu, Michael Singer, Dr. Emma Garrison-Alexander and Emily Mossburg for sharing their views on buying security.
Dave Bittner: [00:26:32] And thanks to Cylance for sponsoring this Special Edition. You can learn more about the CyberWire and subscribe to our daily news brief and podcast at thecyberwire.com. The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben. And our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.