Why do we need a common security technology evaluation framework?
Floating an RFP (Request for Proposal) or evaluating a new technology for a CISO is a substantial effort. Going through the sea of data and marketing buzz to judge a vendor and its product is definitely not an easy task. We started creating frameworks for various security technologies to solve the following problems:
- Creating a framework to evaluate a technology is a substantial effort.
- There is tremendous effort duplication in the industry since everybody invents their own framework. There is scope for reuse and collaboration for the basic structure (at least).
- Going through the sea of product information and marketing buzz is a massive effort.
- There are too many "buyer's guide" in the market. It is time to have an open community based unbiased framework where anybody can provide their feedback and incorporate their learning.
(Read more: 5 Best Practices to secure your Big Data Implementation)
What will be the process of building the framework?
As a part of our initiative, we have create a common framework and then 20 specific frameworks for specific technologies. As an example, if you want to evaluate a DLP solution, you may use the framework and then work on top of it for your custom requirements. We at least intent to save some of your effort.
Step 1: Release of the generic framework for community feedback. We shall finalize the overall structure in next 15 days.
Step 2: Release of technology specific frameworks (e.g. Web Application Firewall, DLP etc) for community feedback and extensive community sessions during CISO Platform Annual Summit.
Step 3: Release of final technology frameworks for the members.
Community Feedback Process and Documentation Trail: Any member can provide their comment on the framework using the commenting feature. Our analyst and advisory team shall take the final decision on incorporating such feedback. In any case, all feedback (whether accepted or not) shall remain published in the comment section for other members to use it based on their own judgment/discretion.
(Read more: How Should a CISO choose the right Anti-Malware Technology?)
Common Framework structure
In this article we are introducing the structure of Evaluation Framework. This is a generic framework and for each specific technology we shall add specific questions for evaluation. It takes a top down approach where the high level categories are the Major areas of security product evaluation namely Functionality, Commercial, Management and Support, Organization and Reference. Further each category is sub-divided into the sub-categories.
Important Note: The following is just a structure. We will soon release 20 specific frameworks with specific checklist and questionnaire for each "sub category".
>> Formal launch of the frameworks @ Annual Summit
The final draft above framework will be launched at Annual Summit 2014 (20-21st Nov) where active discussions with CISOs and technology vendors shall take place. Post such feedback, we will release the final checklists for the community.
We invite your review/feedback as comments below or via mail directly to 'pritha.aash@cisoplatform.com' .
(Read more: 7 Key Lessons from the LinkedIn Breach)
Comments